Why PCI Compliance Matters for Your Hotel
Nobody wants to be Yahoo. The internet giant’s ongoing struggles with a series of hacks in 2013 continue to make headlines. Just this week, news broke that every single Yahoo account (around 3 billion in total) was exposed in the breach, making this the single biggest hack in history.
Yahoo, of course, is not a hotel chain. But its spotted history with data security is just as relevant to hoteliers as it would be to other technology firms. That’s because anytime you swipe a guest’s credit card, you become responsible for their data security. As a result, hoteliers should care about PCI compliance as much as financial institutions and retailers.
Rather than wait until a breach, it makes sense to inform yourself about PCI DSS requirements now, and implement solutions. The benefits range from increased legal security all the way to enhancing the attractiveness of your hotel in the eyes of your guests.
What is PCI-DSS Compliance?
In a post last year, we detailed exactly what PCI compliance actually entails. It stands for Payment Card Industry Data Security Standards and is mandated by all of the major credit card brands. Administration of these standards falls to the Payment Card Industry Security Standards Council, formed in 2006 by American Express, Discover Financial Services, JCB International, MasterCard, and Visa.
At its core, PCI-DSS aims to make sure that all credit card details handled by a payment entity are handled securely. That includes both technical specifications, such as software that scrambles and protects individual credit card data, and training of any employees who might handle or have access to this type of sensitive payment information.
Understanding PCI DSS Requirements for Hotels
On its website, the PCI security council has outlined a number of steps that any organization handling credit card information need to take to stay in compliance. All of these steps apply to hotels as much as they do to other industries:
- Buy and use only approved PIN entry devices at your point-of-sale.
- Buy and use only validated payment software at your POS or website shopping cart.
- Do not store any sensitive cardholder data in computers or on paper.
- Use a firewall on your network and PCs.
- Make sure your wireless router is password-protected and uses encryption.
- Use strong passwords. Be sure to change default passwords on hardware and software – most are unsafe.
- Regularly check PIN entry devices and PCs to make sure no one has installed rogue software or “skimming” devices.
- Teach your employees about security and protecting cardholder data.
- Follow the PCI Data Security Standard.
Importantly, these standards apply regardless of the amount of size of transactions you process. A boutique luxury hotel is just as affected by and bound to PCI as the Ritz-Carlton.
To ensure compliance, the security council categorizes any merchant performing credit card transactions and storing cardholder information into one of three levels. A level 1 merchant processes more than 6 million transactions every year, and requires an annual on-site security audit as well as quarterly network scans. A level 2 merchant processes between 1 and 6 million transactions, also requiring quarterly network scans but only annual self-assessments in the process.
Level 3 merchants process between 20,000 and 1 million transactions per year, requiring an annual self-assessment and quarterly scans for continued compliance. Finally, level 4 merchants only require annual self-assessments and annual network scans, due to the fact that they process less than 20,000 credit card transactions yearly.
The Dangers of Noncompliance
Understanding the cost of noncompliance is the first major reason why PCI compliance should matter for your hotel. If you are found in violation of any of the above, a number of consequences could occur.
First, you become liable to lawsuits by your guests. You are directly responsible for any financial information processed by your hotel or processed by your servers. When that data is breached, and you haven’t followed the above standards, expensive settlements are almost a given.
In addition, failure to comply, when discovered, can lead to fees from the group of credit card companies that established the security standards. These fees may be charged on a per-transaction or monthly basis and can add up to becoming a significant cost in your transaction cycle.
In other words, not complying with PCI-DSS standard means incurring potentially significant financial damages. Of course, that’s only one side of the equation; the other relates to the comfort level your guests will have when sharing their credit card information with you.
Understanding Perception Benefits of PCI Compliance
Over the past few years, data breaches and public hacks have been in the global news almost constantly. The result has been not just an increased weariness of personal data stored on external servers, but also higher awareness of the potential that companies can be hacked than ever before.
For any hotel, being associated with this sort of data security issue can be devastating. Once your guests begin to stop believing that you will keep their credit card information safe, they will begin to frequent a competitor who can. Almost every company who has been in the news for a data breach has lost significant revenue, with some going out of business altogether.
Take Yahoo as an example. In the months since news of the initial hack broke, public perception began to sink. Verizon, scheduled to buy the internet giant, reduced its purchase price by $5 billion. By now, it’s synonymous with a lack of data security around the globe.
On the opposite end of the spectrum, increasing public awareness of data security issues can also work to your advantage. Your guests may not understand exactly what PCI compliance means, but they do appreciate any notice that verifies independently the safety of their personal and financial data. A verification seal, displayed both at your reception and online, helps them understand immediately that when they submit their credit card information online or at check-in, they can trust that it will be kept safe.
The results, then, can be the opposite of the dangerous noncompliance effects described above. Hotels who are open about compliance will raise the trust level among their audience, increasing the likelihood that they become the venue of choice over a competitor who is less open about keeping guest data safe.
Proactive Measures for Long-Term Success
Both of the above reasons point to one simple truth: in PCI compliance, it pays to be proactive. Rather than waiting until a breach is reported, implementing security measures that keep your guests’ credit card information safe now makes the most sense.
Part of the compliance mechanisms is described above. Customized training for your employees is vital, as are regular network scans and security audits or self-assessments. Comply with PCI DSS requirements, and you will receive a seal of approval that verifies your IT systems to have the best possible protection against potential breaches.
The seal also includes the date of verification, which is why continuous checks and updates are important. Investing resources into ensuring proactive compliance makes more sense than waiting until something goes wrong, and paying the financial, legal, and reputational price.
Naturally, one crucial step in that compliance process is making sure your processing software stays within these regulations. Anytime you process payments, the data has to be scrambled and secured immediately. With the right software, payment solution, training, and assessment strategy, you can be sure to stay within PCI guidelines and protect your data vulnerabilities. After all, you don’t want your hotel to be remembered like Yahoo, do you?
VP Marketing & PR at protel hotelsoftware GmbH, Germany.
Jeremy heads protel hotelsoftware’s marketing department.
He regularly demands cool beers and internet access, as well as great ideas for shaping positive user experiences.
He firmly believes in the power of change!