{"id":4504,"date":"2022-10-12T02:29:32","date_gmt":"2022-10-12T09:29:32","guid":{"rendered":"https:\/\/cardonet.com\/news\/?p=4504"},"modified":"2022-10-12T02:29:39","modified_gmt":"2022-10-12T09:29:39","slug":"hotel-pci-compliance","status":"publish","type":"post","link":"https:\/\/cardonet.com\/news\/hotel-pci-compliance\/","title":{"rendered":"Hotel PCI Compliance"},"content":{"rendered":"\n

When credit and debit cards began to replace cash as the default method of payments, hoteliers and guests shared a sigh of relief.\u00a0<\/p>\n\n\n\n

Paying by card is great for both<\/strong> – customers don\u2019t have to worry about carrying cash around and hotel staff don\u2019t have to go through the hassle and worry of transporting that cash to the bank.<\/p>\n\n\n\n

However, while card payments eliminated one security risk, it added another. Guests\u2019 card information is valuable to cyber-criminals<\/strong>. It\u2019s your responsibility, as the hotel operator, to protect your customers\u2019 information from data breaches. If you don\u2019t, your guests could become the victims of payment fraud <\/strong>– that doesn\u2019t, usually, translate into 5-star TripAdvisor scores.<\/p>\n\n\n\n

That\u2019s why\u00a0PCI compliance for hotels<\/a>\u00a0is so important<\/strong>.<\/p>\n\n\n\n

What is PCI (Payment Card Industry) compliance for hotels?<\/strong><\/h2>\n\n\n\n

The PCI Data Security Standard is a set of rules that governs how hotels should handle and store their guests\u2019 card payment information. If your business accepts card payments, you are responsible for following these requirements<\/strong>. <\/p>\n\n\n\n

What are my hotel\u2019s PCI compliance requirements?<\/strong><\/h2>\n\n\n\n

The exact requirements will depend on the volume of card payments your hotel processes. The most stringent rules apply to businesses that process more than 6m transactions a year. These businesses are considered \u2018Level 1\u2019. <\/p>\n\n\n\n

The levels run from 1 to 4. In level 4, you\u2019ll find businesses with under 1m transactions a year, and the simplest compliance process.<\/p>\n\n\n\n

We must note, however, that it is up to your card operator\u2019s discretion<\/strong> – if you, for example, have previously suffered a data breach, they are able to put you in \u2018Level 1\u2019, even if your yearly transactions total less than 6m.<\/p>\n\n\n\n

The 12 requirements of PCI Compliance for a hotel<\/strong><\/h2>\n\n\n\n

Regardless of what level applies to your hotel, there are 12 general PCI requirements that apply to all businesses which accept card payment.<\/p>\n\n\n\n

  1. Firewalls<\/strong>: You must install firewalls to protect your guests\u2019 card information.<\/li>
  2. No default passwords<\/strong>: As tempting as it may be to use the password that came with the card machine, it is a huge security risk.<\/li>
  3. Protect your guests\u2019 cardholder data<\/strong>: You shouldn\u2019t store cardholder data unless you need to, but if you do, it is your responsibility to make sure that that data is protected.<\/li>
  4. If you’re transmitting data over public networks, you need to encrypt it<\/strong>: When you transmit data over public networks, you run the risk of having that information be intercepted by hackers. Encrypting that data means that only authorised parties can access it. <\/li>
  5. Update your antivirus software<\/strong>: How many of us have clicked \u201cNot now\u201d when faced with a reminder that your antivirus software needs an update? It\u2019s one thing to do that with your private computer, but it\u2019s a completely different situation when your guests\u2019 card information is at stake. You must ensure that all the computers, or devices, that have access to cardholder information are using good, up-to-date anti-virus software.<\/li>
  6. Maintain system security<\/strong>: Your hotel should ensure that it installs the latest security patches and responds to vulnerabilities effectively.<\/li>
  7. Restrict access to the data<\/strong>: Access to your guests\u2019 cardholder data should be on a strict, need-to-know basis.<\/li>
  8. Unique IDs for authorised users<\/strong>: Of course, you are going to have to have some staff that are authorised to access cardholder data – they should be assigned unique IDs so that their access can be monitored, tracked, and flagged for any irregularities. <\/li>
  9. Restrict physical access to the data<\/strong>: Installations of card processors, for example, should be monitored.<\/li>
  10. Track and monitor access to networks and cardholder data<\/strong>: Log and monitor who has access to your hotel\u2019s network resources and cardholder data.<\/li>
  11. Regularly test security<\/strong>: The only way to be sure that your security is up to scratch is to regularly test it.<\/li>
  12. Maintain a business-wide security policy<\/strong>: This should be updated yearly, and the information within the policy should be distributed to all of your employees.<\/li><\/ol>\n\n\n\n

    How does your hotel become PCI compliant?<\/strong><\/h2>\n\n\n\n

    In an area as regulatorily and technically complex as this, it\u2019s recommended that you hire a technology partner to help you become, and stay, PCI compliant. <\/p>\n\n\n\n

    We at Cardonet are hospitality IT support specialists and have helped hotels with every step of the PCI compliance process. <\/p>\n\n\n\n

    Here\u2019s a sense of the steps that we would take if we partnered with your hotel.<\/p>\n\n\n\n

    1. Audit your current card payment security<\/strong>. This will help us get a sense of where you\u2019re already PCI compliant, and where your vulnerabilities are.<\/li>
    2. Gap analysis<\/strong>. We\u2019ll investigate your current system and perform a thorough gap analysis – that\u2019s where we look at where you are now, where you need to be to achieve PCI compliance, and what you need to do to get there.<\/li>
    3. Define and implement policies for improvement<\/strong>. Now that we have a sense of what your hotel needs to do, we\u2019ll create and implement the internal policies that ensure that your card payment processing systems are in accordance with the 12 requirements of PCI compliance.<\/li>
    4. Making sure everything is up and running<\/strong>. There\u2019s no use in implementing new policies only to find that they are not working for your business. We\u2019ll scan, test, and monitor your new set-up to make sure that isn\u2019t the case.<\/li>
    5. A final audit<\/strong>. This is where we\u2019ll make sure that your hotel is now comprehensively PCI compliant.<\/li><\/ol>\n\n\n\n

      While this may seem like a large undertaking, there are some huge upsides to your hotel being PCI compliant – and that\u2019s not only avoiding fines!<\/p>\n\n\n\n