In this article, we will talk about PCI compliance for hotels, and what changes they should expect as the payment security standard is strictly enforced.
Data breaches in the Hotel industry
As a global industry that generates an overwhelming revenue of 550 billion dollars annually, the hospitality industry is one of the most attractive targets for credit card breaches and data theft. According to the HTFP Journal, it was the most affected vertical in recent years, accounting for a full 40% of all data breaches that happen worldwide.
Zooming in on the hotel segment of the hospitality industry, we can see why it is so attractive for cyber criminals. In Spain, one of the world’s leading travel destinations, hotels accounted for $2,995 million in revenue in 2017, showing an annual growth rate of 6.0%. In France, revenue reached $4,946 million, and the UK recorded $5,746 million the same year.
The growing contribution of the hotel segment to the GDP of many countries worldwide, along with the increase in revenue and data theft, has made credit card security a top concern. As a result, the PCI-DSS security standard became an essential consideration for hotels, becoming absolutely obligatory from 2018.
What is PCI-DSS and how does it improve card security?
PCI-DSS, or the Payment Card Industry Data Security Standard, is a set of safety regulations created by the major credit card associations to protect card data.
It defines the best practices for card security that every company should implement, and it affects all hotels regardless of their size or location. The purpose is to reduce as much as possible the risk of fraud, data theft, identity theft, and other threats.
What are the standards of PCI Compliance for hotels?
PCI-DSS covers a variety of practices for handling credit card data, and it affects all sorts of industries and businesses. The hotel segment is no exception, so be prepared to face a series of industry-specific changes.
These regulations will inevitably impact your hotel’s current procedures, activities and systems. Get ready for the following changes when it comes to PCI Compliance for hotels:
POS Compliance – if you are currently using a POS terminal, whether physical or digital, that doesn’t meet the security standards, you will have to replace it. Not all POS terminals sold on the market are PCI compliant, so a change in your hotel’s systems may be required in order to provide full customer data protection.
PMS Compliance – The same will apply to your Property Management System and your Channel Manager. If you are using a PMS to store the credit card data of your customers, you will have to adapt the whole network architecture of your hotel in order to meet the regulations.
Access – restrict your employees’ ability to view the full credit card numbers of your customers. Only those who need this information for hotel room management purposes should be able to see it.
Credit card storage – many hotel managers are under the wrong impression that only digitally stored credit card information must be protected, but this is not true. In fact, under PCI Compliance and privacy laws, all paper documents containing personal data must be physically secured and adequately restricted at all times.
CVV2 – it is prohibited to ask your guests for this information unless you are complying with the PCI-DSS standards. Especially if your hotel is using a Virtual POS to allow digital reservations and payments, you will need to provide a safe environment before requesting this data from your guests.
Unique user IDs – to have greater control over specific card incidents, you should assign a unique user ID to every member of staff who has access to credit card information.
Security area – all forms, documents, folders, and machines that store private credit card data, and are easily accessible at the reception desk, must be moved to a restricted area with security cameras. All cardholder information should be secured and kept out of hotel visitors’ reach.
Note papers – take a look around your hotel’s front reception desk. Do you have credit card information written down on sticky notes, torn out pieces of paper, or any other random paper note? PCI Compliance doesn’t only regulate official documentation. Storage of private information in any written form without protection is prohibited.
Digital storage of data – private data from all electronic systems, such as Virtual POS and catering systems, must be encrypted. Otherwise, it becomes extremely vulnerable to hackers and cybercriminals.
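The "Note papers" and "Digital storage of data" points above have a digital counterpart: staff often type full card numbers into free-text fields of the PMS (guest notes, booking remarks). The following added example, which is not code from the original article or from any product it mentions, scans constructed sample PMS notes for unmasked card numbers (Luhn-validated) and masks them to the first six and last four digits, as PCI-DSS allows for display.

```python
import re

# Runs of 13-19 digits, optionally separated by spaces or dashes, with no
# adjacent digits on either side (so longer reference numbers are not split).
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_ok(digits):
    """Luhn checksum used by payment card numbers; filters out random digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def _candidate(match):
    digits = re.sub(r"[ -]", "", match.group())
    return digits if 13 <= len(digits) <= 19 and luhn_ok(digits) else None


def find_pans(text):
    """Return every Luhn-valid card number found in a free-text field."""
    return [d for d in (_candidate(m) for m in PAN_RE.finditer(text)) if d]


def mask_pan(pan):
    """Show at most the first six and last four digits (PCI-DSS display rule)."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def redact(text):
    """Replace each valid card number in the text with its masked form."""
    return PAN_RE.sub(lambda m: mask_pan(_candidate(m)) if _candidate(m) else m.group(), text)


def scan_notes(notes):
    """Report which constructed notes contain unmasked card data: [(index, [pans])]."""
    return [(i, find_pans(n)) for i, n in enumerate(notes) if find_pans(n)]


# Constructed sample PMS notes; 4111... is a well-known test number, not a real card.
SAMPLE_NOTES = [
    "Room 204 late arrival, guarantee card 4111 1111 1111 1111 exp 12/26",
    "Booking ref 1234567890123 confirmed by phone",   # 13 digits, fails Luhn
    "VIP guest, no card on file",
]

if __name__ == "__main__":
    for idx, pans in scan_notes(SAMPLE_NOTES):
        print(f"note {idx}: unmasked card data -> {redact(SAMPLE_NOTES[idx])}")
```

A scheduled run of this kind over exported note fields gives a hotel a simple inventory of where cardholder data has leaked into systems that were never meant to store it.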
These are only a few of the changes that will occur under the standards of PCI Compliance for hotels. Considering that it will be obligatory from spring 2018, make sure that you are using only third-party solution providers that comply with the highest level of PCI-DSS, such as MYMOID. Otherwise, you risk facing the consequences of credit card breaches, data theft, and other security vulnerabilities.
To obtain more information on the topic, make sure to check out the following resources:
- 7 negative consequences for noncompliance with PCI;
- Is the PCI-DSS certification obligatory for your company?
- PCI Compliance and the Hospitality Industry
If you are looking for a payment gateway, MYMOID offers an innovative and fully functional set of payment solutions in compliance with PCI to help your hotel handle payment data securely and efficiently.