Because an overwhelming share of hospitality revenue is processed via credit cards, breaches and card data theft have come into the limelight. PCI DSS exists to minimise those risks by protecting card data. Let us explain.
What is PCI DSS?
PCI DSS, or the Payment Card Industry Data Security Standard, is a set of security requirements created by the major credit card associations to protect card data. It defines the best practices for card security that every company handling cards should implement, and it affects accommodation providers of all sizes in any location around the world.
Why Is It Needed?
For years the hospitality industry has been a target for card data theft because of how the industry operates. Property owners tend to store card data in many different places: the central reservation system, third-party partners, the front desk, e-mails, card authorisation forms, physical and virtual POS systems, and the PMS (Property Management System) together with its connected systems. There are simply too many places where card data is exposed and an intrusion is possible.
With this in mind, protection of data becomes even more important in a hospitality scenario.
What Are the Benefits?
Customer safety! Because guests feel safe transacting with you, you can expect loyalty and increased revenue.
How Does It Affect You on a Daily Basis?
Here are some points you need to cover to ensure PCI DSS compliance:
- POS compliance: Whether digital or physical, your point-of-sale terminal must meet the data security criteria. STAAH’s ConvertDirect and Max Booking Engines both meet these criteria.
- PMS and Channel Manager compliance: As with your PMS, your channel manager’s data storage procedures need to meet the regulations set under PCI DSS. STAAH’s high-performing Instant and Max Channel Managers undergo strict scrutiny every year to retain their PCI certification, assuring security for their clients.
- Access: Not everyone in your property should have access to credit card information. Restrict it to only those employees who need the data, and give every staff member with such access a unique user ID.
- Credit card storage: Under PCI compliance and privacy laws, not only digitally stored card data but also all paper documents containing personal data must be physically secured, with access to them adequately restricted at all times.
- CVV2: You are prohibited from asking your guests for this information unless you comply with the PCI DSS standard. If you accept online reservations and payments, you must provide a secure environment before requesting CVV2 data.
- Secure area: Any paper records relating to credit cards must be stored in a secure area covered by security cameras. Remember, this doesn’t apply only to official documents such as booking confirmation faxes. Look out for, and eliminate, any unsecured data such as credit card details on a sticky note – every receptionist is guilty of this at some stage in their career!
- Digital storage: Private data held in any electronic system, such as a Virtual POS, must be encrypted.
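The “sticky note” problem in the list above has a digital twin: card numbers typed into free-text fields (PMS guest notes, reservation comments, e-mails), where they are neither encrypted nor access-restricted. Below is an added example, written for this page and not STAAH’s code, of a check a property could run on such text before it is stored or while auditing existing records. It finds Luhn-valid card numbers, masks them to the last four digits (PCI DSS allows at most the first six and last four of a PAN to be displayed), and refuses to store any note that carries a CVV2, because sensitive authentication data must never be stored after authorisation. The function names and the sample notes are constructed; the card numbers used are the well-known public test numbers, not real cards.

```python
"""Find, mask and reject card data in free-text fields before storage.
Added example (not STAAH's code). Function names and sample text are constructed."""
import re

# Candidate PAN: 13-19 digits, optionally separated by single spaces or dashes,
# not embedded in a longer digit run.
_PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")
# CVV2 / CVC2 / CSC labels followed by a 3-4 digit value.
_CVV_RE = re.compile(
    r"\b(?:cvv2?|cvc2?|csc|security code)\b\s*[:=]?\s*\d{3,4}", re.IGNORECASE
)


def luhn_valid(digits: str) -> bool:
    """True if the digit string passes the Luhn mod-10 check used by card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def _normalise(candidate: str) -> str:
    """Strip spaces and dashes so '4111 1111 ...' and '4111-1111-...' compare equal."""
    return re.sub(r"[ -]", "", candidate)


def find_pans(text: str) -> list[str]:
    """Return the normalised, Luhn-valid card numbers found in text."""
    found = []
    for m in _PAN_RE.finditer(text):
        digits = _normalise(m.group())
        if 13 <= len(digits) <= 19 and luhn_valid(digits):
            found.append(digits)
    return found


def mask_pan(pan: str) -> str:
    """Keep only the last four digits; everything else becomes '*'."""
    return "*" * (len(pan) - 4) + pan[-4:]


def redact(text: str) -> str:
    """Replace every Luhn-valid card number in text with its masked form.
    Digit runs that fail Luhn (booking references, phone numbers) are left alone."""
    def _sub(m: re.Match) -> str:
        digits = _normalise(m.group())
        if 13 <= len(digits) <= 19 and luhn_valid(digits):
            return mask_pan(digits)
        return m.group()
    return _PAN_RE.sub(_sub, text)


def contains_cvv(text: str) -> bool:
    """True if the text appears to carry a card security code."""
    return _CVV_RE.search(text) is not None


def prepare_note_for_storage(text: str) -> dict:
    """Policy gate for a free-text note (constructed API).
    CVV2 is never storable, so the note is rejected outright; card numbers are
    masked so the stored text never holds a full PAN."""
    if contains_cvv(text):
        return {"allowed": False, "text": "", "pans_found": 0,
                "reason": "note contains a CVV2; sensitive authentication data must not be stored"}
    pans = find_pans(text)
    return {"allowed": True, "text": redact(text), "pans_found": len(pans), "reason": ""}


if __name__ == "__main__":
    # Constructed sample notes, using public test card numbers.
    samples = [
        "Guest card 4111 1111 1111 1111 exp 12/26, late check-in",
        "Deposit on 5555-5555-5555-4444, ref 20240115-0042",
        "Guest gave CVV 123 over the phone",
        "Call back on +64 21 123 4567",
    ]
    for note in samples:
        print(prepare_note_for_storage(note))
```

Running the block prints one result per sample note: the first two come back allowed with the card number masked, the CVV note is rejected, and the phone number passes through untouched. The same functions can be pointed at an export of existing notes to find card data that should never have been written there.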
How Much Does PCI Certification Cost?
The PCI DSS certificate itself is free, but the process of obtaining it – the time and resources spent – can be expensive. It is therefore imperative for properties of all sizes to choose partners, such as a channel manager or booking engine, that are PCI DSS certified.
Even though PCI DSS brings no immediate financial gain, it is a good investment for every hospitality business and can help prevent future fraud or security incidents.