Are you taking the right actions to make sure that your hotel’s data is secure? There are security measures and standards in place to ensure that you and your guests aren’t at risk, particularly when processing payments. Here are the details about these standards, what they mean for your hotel, and how to ensure that you are safe.
What is PCI DSS?
PCI DSS is short for the Payment Card Industry Data Security Standard. Opposed to GDPR, the PCI DSS is not a law, but a standard defined and maintained by an independent entity created by major payment card brands. Whenever you want to accept credit cards from brands like VISA and MasterCard, you are required to be compliant with this security standard. The PCI DSS can be seen as a collection of best practices or rules on how to treat the sensible payment card data entrusted to you by your guests in order to prevent data breach and fraud.
Do I have to be compliant?
Whenever you make a contract with a payment service provider to process credit cards on-premises or online, you will have to demonstrate your compliance. Depending on the payment provider or the acquiring bank and the size of your business you have either to fill out a self-questionnaire or might even have to conduct an on-site audit with a Qualified Security Assessor (QSA).
What can happen if I am not compliant with PCI DSS?
If payment card data entrusted to you is leaked and misused the payment brands will penalize the acquiring bank. Those fines might be passed to you as a merchant if you are found to be non-compliant. They can be somewhere between 5,000 EUR and 100,000 EUR for every month you are non-compliant, and, in the worst case, you might lose the right to accept payment cards from the major payment card brands. In addition, you could face legal issues and a damage of your reputation. So, best is to see the rules from the PCI DSS as a guide that helps you to secure your business.
Hotels can ensure that they remain PCI DSS compliant by choosing technology partners that are PCI DSS certified. This applies to any technology that the hotel uses to process payments, which, for most hotels will start with their PMS. As apaleo was building its PMS architecture, PCI compliance was considered from the start, so we were certified within a matter of weeks.
How do technology partners get certified?
Technology providers should conduct on-site audits to prove compliance. At apaleo, these audits are conducted yearly. QSA Adsigo inspects the technical implementation to identify any potential risks how sensitive cardholder data can be leaked and also checks our security policies and processes. When compliance can be validated, technology providers receive an AOC. apaleo customers can download ours here. With this AOC and the acknowledgment of responsibility from your provider, hoteliers can easily fulfill the requirement 12.8 from the PCI DSS on service provider management.
A Hotel’s Responsibilities
Technology partners like apaleo allow hotels to run their business in compliance with PCI DSS, but there are still things you need to take care of. Full details on which requirements you need to fulfill can be found on the official website of the PCI Security Standards Council.
E-Commerce and Mail Order / Telephone Order (MoTo)
If you accept cards on your website and other online channels like booking.com, or you accept credit cards for mail and telephone orders, then the PCI requirements will be related to restricting user access to cardholder data, ensuring compliance of your service providers and maintaining an incident response plan at max. This also depends on your bank or payment service provider.
Card-present with modern IP based card terminals
If you also process payment cards on-premises using a modern IP based terminal connected to the payment service provider through the internet you will be exposed to additional requirements. Most banks or payment service providers will only obligate you to this high standard if you are processing a high volume of terminal transactions though. The payment service provider Adyen, which is used for payment processing in apaleo, currently only sets these high standards if you process more than 1mio transactions.
If so, then you will have to clearly separate the network of the IP terminals from the other networks in your hotel and have firewall rules in place that ensure the terminals can only communicate with the payment service provider through securely encrypted connections. All systems connected to the network of the IP terminals will belong to the so-called card data environment (CDE). Only authorized persons should have access to those systems, which also implies heavier policies and documentation efforts to you. On top of that you will have to run a quarterly external vulnerability scan.