
Nearly every hotel operator has heard of PCI and some have already complied with its mandated requirements. But if you run a hotel and still have questions about what PCI involves, this blog post is for you.
What is PCI and When is The Deadline?
PCI is short for Payment Card Industry, and here refers to the Payment Card Industry’s Payment Application Data Security Standard (PA-DSS). Compliance with the standard is mandated by the payment card brands – not by the PCI Security Standards Council (http://ow.ly/14ly2) – to help businesses protect customer information with defined security measures. Visa and the other payment card companies are calling for the new security policies because hackers want this data for identity theft and to create counterfeit payment cards.
For most hotels, the mandate stipulates that by July 1, 2010, credit card acquirers must ensure that merchants, including hotels, use payment application software (PMS and POS) and secure processes that have been reviewed, validated and certified as meeting PA-DSS requirements. Sound complicated? Fines or penalties for non-compliance and for confirmed security breaches are defined by each of the payment card brands. For specific information on penalties, contact your payment card brands.
You can find the list of brand URLs here: http://ow.ly/14miZ.
If your property is not compliant today, you have ample time to be certified PCI compliant if you begin now to implement the certification requirements.
What Are The Rules?
The mandated PA-DSS standards are an extensive set of international security requirements that govern all areas of sensitive guest payment card data processing, such as:
- The magnetic card stripe
- Security codes and passwords on all property applications, including Windows
- The PIN that results when a transaction is authorized
- The physical security of printed reports, including those cardboard boxes full of daily packets in the controller’s office

Hotels must meet specific requirements to earn certification before July 1, 2010. These requirements include standards for:
- Network security, firewalls and password configuration
- Use of only secure, PCI-certified system applications
- Restrictions on both electronic and physical access to cardholder data
What Do You Have to Do?
To be certified PCI compliant, operators must pass a security review prior to the deadline and then be re-certified by periodic reviews at least twice a year thereafter. Work with a Qualified Security Assessor (international list here: http://ow.ly/14ZTO) to guide your operations team through a property PA-DSS evaluation, and assign a team leader to manage the compliance process. Select a person who is familiar with your entire operation, since the process will include a review of your internal procedures, your property management system and other technology-vendor products, your network, and your physical document storage. The Assessor will provide guidance and, when all measures are in place, validate that your property’s internal systems and procedures meet the PA-DSS guidelines that govern data handling.
12 Compliance Requirements
The PCI DSS website (http://ow.ly/14mWh) provides this simplified list of what your property must do to be compliant.
1. Install and maintain a firewall configuration to protect cardholder data
2. Do not use vendor-supplied defaults for system passwords and other security parameters
3. Protect stored cardholder data
4. Encrypt transmission of cardholder data across open, public networks
5. Use and regularly update anti-virus software
6. Develop and maintain secure systems and applications
7. Restrict access to cardholder data by business need-to-know
8. Assign a unique ID to each person with computer access
9. Restrict physical access to cardholder data
10. Track and monitor all access to network resources and cardholder data
11. Regularly test security systems and processes
12. Maintain a policy that addresses information security
PCI compliance is important, both to protect guests’ personal information and to prevent your property from being penalized by the payment card industry. More details are at http://ow.ly/14oQE.
At Softscribe, we draw on our thirty years of hospitality industry experience to give you a heads-up on issues like this that can keep you profitably adding heads to beds. If you would like to discuss more ways to boost profitability, guest loyalty and RevPAR, feel free to contact me now.
What about you? What is your #1 question about PCI compliance?

