Have you received a call from your bank to ask if your hotel meets the PCI-DSS security standard? If so, you’ll already know what this is about, although maybe not so much on how to do it. If you haven’t received the call, you will receive it shortly. This article will be of interest to you in order to know what it’s about and how to anticipate it.
What is PCI-DSS? Does it affect my hotel?
It’s a security standard that affects the environments that works with or stores credit cards, something which directly affects every hotel.
It’s nothing more than a “good-practice manual” that all involved companies must adhere to. PCI-DSS means Payment Card Industry Data Security Standard and it was created by a credit card consortium that includes Visa, MasterCard and American Express among others.
What is the purpose of PCI?
Avoiding or minimising the many existing credit card frauds, something which has increased greatly with the arrival of the Internet and e-commerce.
Is it mandatory to be PCI-certified?
There is no law that enforces its compliance. However, it’s an essential requirement for entities who issue credit cards and the banks themselves, who may reduce their services or break contractual relationships in the event of not having a PCI certificate. The most usual threat from banks at this point is to withdraw the physical TPV service (dataphones).
Is that why banks are pressuring me about the PCI certificate?
It’s a domino effect. In the event of credit card fraud, issuing companies like Visa look to the banks, who then look to the business (hotel), and those look to their providers (PMS companies, channel managers, search engines, etc.).
Up until now, the bank required the hotel for all of its providers to comply with the PCI regulation and the hotel is right to demand that from them (Mirai has the PCI-DSS certificate). However, the requirement will broaden in a short space of time and it will force your hotel to also comply with the regulation. Are you ready?
How will the PCI compliance affect me? Will it change my everyday activities?
PCI will force you to carry out a deep technological change but also a change in your philosophy. There are many requirements that you will consequently have to revise and adapt to your operation. We won’t go into details because that’s not the point of the post although we will provide you with some simple examples that are good illustrations of the significance and philosophy of PCI.
- Unique users. Every receptionist or member of hotel staff who has access to or works with credit cards must have a unique user ID with the purpose of monitoring access individually in the event of an incident with a specific card. This will imply having many nominal accounts in the computers, the PMS and the Booking.com or Mirai extranet, something which will considerably complicate reception operations, for example.
- Booking confirmation faxes with the client’s credit card number. Maintaining this confirmation method becomes complicated to the point where it’s unfeasible. Having the fax machine in reception within everyone’s reach will happen no more. You will have to move the fax machine to an area with restricted access, with security cameras and a register of everyone who enters and leaves the area. The automatic import of bookings in your PMS will be your greatest ally to solve this problem.
- CVV2. Storing this data shall be strictly forbidden (requirement 3.2 of the regulation). If you cannot store it and you are not going to use it in real time, why ask for it? Also, you don’t need it for transactions with the physical TPV and it doesn’t help you with refunds. It’s best not to ask your clients for it when they make bookings (except for rates with the virtual TPV where the bank will request it to execute the charge) and this way get rid of the problem.
- If you have the PMS at the hotel and use it to store the credit card data, get ready for a big change. You will have to adapt your whole network architecture to comply with the regulation: separate the server in a different network with physical access control, security cameras and entrance and exit register. You will also have to add a firewall that controls and registers all access also in a third environment that is separate from the two first ones. A huge fuss. It’s best to find support in your PMS manufacturer to find the best solution. There is no doubt that cloud versions are recommended in these cases because, this way, you don’t store any credit card in your hotel.
- Training, documents and procedures. Get ready for an avalanche of documents that you will have to do (it’s recommended to find support in an external consulting company) and that you then have to follow. It will change your working ways in everything related to credit card use and handling. You will need an internal team that is responsible for the compliance of the regulation. Each new employee with access to credit cards will require training.
All of this makes us reach a scenario where every charge or guarantee method made by the hotel is made via centralised payment methods that are external to the hotel (companies like Google, Apple or PayPal are already advanced in this field), removing the risk of a security breach in the hotel itself.
What do I have to do to obtain the PCI certificate and how much does it cost?
The theory is long and tedious, so we won’t talk about it here. We will just say that there are 12 points that go from system architecture (firewall separation, credit card encryption, etc.) to security procedures and necessary documents. You can find a quick guide (40 pages, no less) here. A costly work but a necessary one, I’m afraid.
The certificate is free. However, the time and and resources employed to obtain it will cost a lot. Our recommendation is that you hire one of the many PCI consulting and certifier companies (a huge business which has emerged due to this new regulation) and let them lead you (in many cases, it won’t be an option but rather an obligation).
It will incur an initial cost from 10,000€ to 60,000€ depending on the requirement level that you have (the more credit cards handled every year, the higher the required security level will be). Large hotel chains from around the world handle other costs, of course. From the initial certificate, you will have to re-certify yourself every year, with the cost being much lower because most of the work is already done.
The time frame will also vary, but it could fluctuate between 3 and 12 months, once again depending on the amount of credit cards that you handle.
Does having the PCI-DSS certificate guarantee being exempt from fraud?
Sadly, no. Complying with the PCI-DSS regulation improves your security systems and level, decreasing the chance to have an incident, but it does not guarantee that it won’t happen 100%. In fact, every year, many companies with the PCI certificate suffer from credit card breaches and theft.
Security and fraud control is an intangible of increasing importance and being up to date with the regulation and good practices will avoid many potential future problems. This is why it’s a good investment. It’s normal that, as business owner, you find it hard to provide resources for something that shows no financial gain in the short or mid term.
However, banks have started to put the pressure on and this now seems unstoppable. The domino pieces have started to fall and sooner or later (6 months? 1 year? 2 years? Nobody knows…) it will be the time for the medium-size hotel chains piece to fall (the large hotel chains piece has already fallen), followed by individual hotels. Knowing what is coming is the least you can do. Anticipating it would be perfect.