How Do Hotel Vendors Manage Cost for PCI PA-DSS Compliance?

by Michael Squires on July 6, 2010

in Hospitality, Hotel marketing, Michael Squires, Views

Hospitality tech companies that handle credit card data have invested time and money to earn compliance certification for the Payment Card Industry Payment Application Data Security Standard (PCI PA-DSS). These vendors and their hotel company clients are focused on July 1, 2010, when the payment card industry’s penalties (http://ow.ly/17WoX) for non-compliance kick in. Vendors affected by the PA-DSS data security mandates have worked hundreds of hours and spent thousands of dollars to help clients pass certification reviews. Who pays for all this?

Two Softscribe clients serving different segments of the hotel business recently earned their compliance certification and it was costly.  They did it because the payment card industry mandates that for businesses to be PCI PA-DSS compliant they must only use compliant systems.  If these businesses are not certified before July 1, significant financial penalties will be assessed by the payment card industry – so tech vendors must be compliant for their clients to be compliant.

Okay, who pays?

Our tech vendor clients are giving the PA-DSS upgrade free to users that have standard maintenance agreements.  They see this as a cost of doing business.  What about other vendors?  We spoke to industry insiders and learned that giving away the PA-DSS upgrade is exemplary.  Several hotel system vendors, including the largest tech providers, are only offering their PA-DSS compliant functionality in the latest system version.  But their PA-DSS upgrade is not backward compatible, so all users must upgrade to the newest version – and pay substantial fees for installation, training and possibly new hardware.  Some companies can get away with turning the PCI mandate into a major profit opportunity.  Maybe it is appropriate the cost be shared with properties.

What do you think?  Should the PCI development costs be shared with properties?

  • Juliesquires
    You might like to know a PCI compliance team is in-house at one of our clients today giving their solution its test for certification.