When credit and debit cards began to replace cash as the default method of payment, hoteliers and guests shared a sigh of relief.
Paying by card suits both sides: customers don’t have to carry cash around, and hotel staff don’t have the hassle and worry of transporting that cash to the bank.
However, while card payments eliminated one security risk, they added another. Guests’ card data is valuable to cyber-criminals, and as the hotel operator it is your responsibility to protect it from data breaches. If you don’t, your guests can become victims of payment fraud, which rarely translates into 5-star TripAdvisor scores.
That’s why PCI compliance for hotels is so important.
What is PCI (Payment Card Industry) compliance for hotels?
The PCI Data Security Standard (PCI DSS) is a set of security requirements, maintained by the PCI Security Standards Council on behalf of the card brands, that governs how any business that stores, processes or transmits payment card data must protect it. If your hotel accepts card payments, your merchant agreement with your acquiring bank obliges you to meet these requirements.
What are my hotel’s PCI compliance requirements?
The 12 requirements of the standard apply to every merchant. What changes with the volume of card transactions your hotel processes is how you must demonstrate compliance. The most stringent validation applies to merchants that process more than 6m transactions a year. These businesses are classed as ‘Level 1’ and need an annual on-site assessment by a Qualified Security Assessor (QSA) as well as quarterly external network scans by an Approved Scanning Vendor (ASV).
The levels run from 1 to 4. Level 4 covers merchants with under 1m transactions a year and has the simplest validation process: typically an annual Self-Assessment Questionnaire (SAQ) and, where your acquirer requires them, quarterly ASV scans.
We must note, however, that the level is assigned at the discretion of the card brands and your acquiring bank. If your hotel has previously suffered a data breach, they can place you in ‘Level 1’ even if your yearly transactions total far less than 6m.
The 12 requirements of PCI Compliance for a hotel
Regardless of which level applies to your hotel, the 12 PCI DSS requirements apply to every business that accepts card payments.
- Firewalls: Install and maintain a firewall configuration that protects the systems handling your guests’ card data. In a hotel that means, in particular, keeping the payment terminals and the property management system on a network segment that is isolated from guest Wi-Fi and general back-office machines.
- No default passwords: Always change vendor-supplied defaults (passwords, default accounts, SNMP community strings, Wi-Fi keys) on card terminals, routers, access points and servers before putting them into service. As tempting as it may be to keep the password that came with the card machine, it is a huge security risk, because those defaults are published and widely known.
- Protect your guests’ cardholder data: Don’t store cardholder data unless you have a genuine business need, and keep what you do store for no longer than that need lasts. Never store sensitive authentication data (the full magnetic-stripe or chip data, the CVV/CVC security code or the PIN) after a transaction has been authorised, even in encrypted form. Where the card number (PAN) must be kept, render it unreadable with strong encryption, tokenisation or truncation, and mask it wherever it is displayed, showing at most the first six and last four digits.
- If you’re transmitting data over public networks, you need to encrypt it: Card data crossing the internet, public Wi-Fi or mobile networks can be intercepted, so it must be protected with strong cryptography such as a current version of TLS, so that only authorised parties can read it. Never send card numbers in cleartext by email, chat or SMS.
- Update your antivirus software: How many of us have clicked “Not now” when reminded that our antivirus software needs an update? It’s one thing to do that on a private computer, but a completely different situation when your guests’ card data is at stake. Every computer or device that can access cardholder data must run reputable anti-malware software that is kept up to date, performs regular scans and cannot be disabled by ordinary users.
- Maintain system security: Install vendor security patches promptly (PCI DSS expects critical patches to be applied within a month of release), subscribe to your vendors’ security advisories and have a process for responding to newly discovered vulnerabilities. This applies to your property management system, booking engine and point-of-sale software as much as to operating systems.
- Restrict access to the data: Access to cardholder data should be granted strictly on a need-to-know basis, to the minimum set of staff whose job requires it, with everyone else denied by default.
- Unique IDs for authorised users: Staff who do need access to cardholder data must each have their own user ID, so that every action can be attributed, monitored and flagged if irregular. A shared front-desk login defeats this. Administrative access to the systems that handle card data should also require multi-factor authentication.
- Restrict physical access to the data: Control who can physically reach servers, network equipment, paper records and card terminals. Keep an inventory of your PIN-entry devices, inspect them periodically for tampering or substitution (skimmers), and train staff to recognise and report suspicious devices or unannounced “engineers”.
- Track and monitor access to networks and cardholder data: Log who accessed which network resources and cardholder data, when, and from where; protect those logs from alteration; review them regularly; and retain them for at least a year, with the most recent three months immediately available.
- Regularly test security: The only way to be sure that your controls work is to test them. Run vulnerability scans at least quarterly and after any significant change, carry out penetration testing at least annually, and check for unauthorised wireless access points on your network.
- Maintain a business-wide security policy: The policy should be reviewed and updated at least yearly, communicated to every employee and contractor, backed by security awareness training on joining and annually thereafter, and include an incident response plan so that staff know what to do when a breach is suspected.
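As an added example, which is not Cardonet’s code and not part of the original article, the following Python script illustrates two of the requirements above in practice: masking a card number (PAN) to the permitted first six and last four digits wherever it is stored or displayed, and checking application logs for card numbers that should never have reached them. The log lines are constructed for the example and do not come from any real system; the card numbers in them are the well-known public test numbers. The Luhn check is used so that phone numbers and booking references that merely look like card numbers are not flagged.

```python
import re
from typing import List, Tuple

# Candidate card numbers: 13 to 19 digits, optionally separated by spaces or hyphens,
# and not embedded in a longer run of digits.
PAN_PATTERN = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")

# Constructed sample log lines (not from any real hotel system). The first two leak a
# PAN (public test card numbers); the third contains digit runs that are not card numbers.
SAMPLE_LOG = [
    "2024-03-02 14:05:11 pms booking=48213 guest=J.Smith card=4111 1111 1111 1111 amount=219.00",
    "2024-03-02 14:06:40 web GET /api/folio?pan=5500000000000004 status=200",
    "2024-03-02 14:07:02 pms guest phone=+44 203 034 2244 loyalty=1234 5678 9012 3456",
]


def luhn_valid(digits: str) -> bool:
    """Luhn mod-10 check that every major card brand applies to its PANs.
    Used here to reject digit runs (phone numbers, references) that only look like cards."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit, counting from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(digits: str) -> str:
    """Mask a PAN for display or storage: PCI DSS allows at most the first six
    and last four digits to be shown."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def _digits_only(candidate: str) -> str:
    return re.sub(r"[ -]", "", candidate)


def find_pans(text: str) -> List[str]:
    """Return the Luhn-valid PANs (digits only) found in a piece of text."""
    return [
        _digits_only(m.group(0))
        for m in PAN_PATTERN.finditer(text)
        if luhn_valid(_digits_only(m.group(0)))
    ]


def redact_line(line: str) -> Tuple[str, int]:
    """Replace every PAN in a log line with its masked form.
    Returns the rewritten line and the number of PANs that were masked."""
    count = 0

    def _mask(match):
        nonlocal count
        digits = _digits_only(match.group(0))
        if not luhn_valid(digits):
            return match.group(0)     # leave non-card digit runs untouched
        count += 1
        return mask_pan(digits)

    return PAN_PATTERN.sub(_mask, line), count


def scan_log(lines: List[str]) -> List[Tuple[str, int]]:
    """Redact a whole log and report, per line, how many PANs were found.
    Any non-zero count is a finding: cardholder data reached a log it must never be in."""
    return [redact_line(line) for line in lines]


if __name__ == "__main__":
    for redacted, n in scan_log(SAMPLE_LOG):
        print(("FINDING " if n else "ok      ") + redacted)
```

Running the script flags the first two lines and leaves the third alone. In a real deployment the same redaction belongs in the logging layer itself, so that the PAN never lands on disk; the scanner is what you run over existing logs, database exports and support tickets during the audit to find data you did not know you were storing.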
How does your hotel become PCI compliant?
In an area as complex as this, both technically and in its regulatory detail, it is worth engaging a technology partner to help you become, and stay, PCI compliant.
We at Cardonet are hospitality IT support specialists and have helped hotels with every step of the PCI compliance process.
Here’s a sense of the steps that we would take if we partnered with your hotel.
- Audit your current card payment security. This tells us where you are already PCI compliant and where your vulnerabilities lie, and it establishes the scope of your cardholder data environment: every system, network segment and process that touches card data.
- Gap analysis. We’ll investigate your current system and perform a thorough gap analysis – that’s where we look at where you are now, where you need to be to achieve PCI compliance, and what you need to do to get there.
- Define and implement policies for improvement. Now that we have a sense of what your hotel needs to do, we’ll create and implement the internal policies that ensure that your card payment processing systems are in accordance with the 12 requirements of PCI compliance.
- Making sure everything is up and running. There’s no use implementing new policies and controls only to find that they don’t work for your business. We’ll scan, test and monitor your new set-up to make sure that isn’t the case.
- A final audit. This is where we’ll make sure that your hotel is now comprehensively PCI compliant.
While this may seem like a large undertaking, there are some huge upsides to your hotel being PCI compliant – and that’s not only avoiding fines!
- Protection: With the PCI controls in place, your guests’ card data is better secured and the risk of payment fraud is lower. That protects both your customers’ wallets and your hotel’s reputation.
- Trust: By following PCI requirements, guests know that they can trust your hotel with their card payments. If they are comfortable making payments at your hotel, that means more revenue.
- Reduce costs: When your hotel is PCI compliant you avoid the non-compliance fees that many acquirers charge, and if something does go wrong you are far less likely to face fines and card-brand penalties.
- Peace of mind: Going through the process means you know you have followed the industry’s agreed baseline for card payment security and addressed the most common risks associated with card payments. Compliance is not a guarantee against a breach, but it closes off the weaknesses behind most card-data breaches.
We at Cardonet provide expert IT support to hospitality businesses and have two decades’ experience doing so.
PCI compliance is enormously important for any hotel – if you’d like to hear how we can help you, please don’t hesitate to request a quote. Otherwise, you can reach out to us today on +44 203 034 2244 or +1 323 984 8908.
We provide 24/7 coverage throughout the United States, United Kingdom and Europe.