8 steps checklist to PCI compliance - Does your hotel meet the requirements?
Payment Card Industry Data Security Standard (PCI-DSS) is an international security regulation, developed in cooperation with credit card companies to regulate the security of storing, processing and transmitting transaction and personal details.
To ensure credit card data remains as secure as possible, the PCI Data Security Standard (PCI DSS) offers a guideline with 12 central security areas. It consists of steps that mirror security best practices. The hotel will be held accountable if any breaches occur.
With a few steps, you can check if you meet some of the requirements for becoming PCI-DSS compliance. We do suggest to get in touch with a specialized office in helping you with your hotel security.
8 steps checklist PCI compliance - Does your hotel meet the requirements?
1. Online distribution channels
All distribution vendors that help you to optimize your online revenue are handling hotel and guest data between systems. If your in-house property management system (PMS) is storing credit card details of your guests. It is mandatory that you adapt your infrastructure to the PCI requirements.
2. Level of user rights
Put limitations on user rights when it comes to guest data. In many systems, you can add certain levels of user rights. Make sure that your staff members that need to handle credit card details are the only ones that have access to this data.
3. Offline storage of credit card details
PCI compliance is not only applicable to the digital storage of credit card details. Hardcopies that store credit card or guest information have also covered these rules. All printed documents containing such data should be securely stored and need to have restricted access as mentioned in step 2.
4. Online transaction codes
When accepting digital transactions an extra verification of the cardholder is sometimes required. The so-called CVC code. You are not allowed to request this code from your guests unless you are PCI-DSS compliant.
5. Know who handled what
If for some reason an incident occurs with a card, it is good to know who and what happened to the handling of the credit card. This goes hand in hand with unique user logins for your staff that handles the credit card details. But for an even better overview, assign unique ID’s to the staff who have access to the information.
6. Passwords, written codes and other written guest notes
Passwords are not always top of mind after a holiday, so you might be tempted to leave memos with written account details under the keyboard or even attached to the screen. Again, PCI is not only about online stored data, but also the offline work environment should be as secured as possible. There are many tools to store passwords safely. Work out a system with your staff that ensures that written memos with harmful data are not part of the daily routine anymore. Written and storage of private information is not allowed and are not PCI compliant.
7. Secure your storage of data
In theory, all computers and other stored files located at the reception are easily accessible for people who want to harm. Make sure to move all guest related documents and machines that are accessing credit card details to a secured location. Make sure that this area is secured with security cameras and not accessible to hotel guests and other non-hotel staff members.
8. Encryption of all digital data
Make sure that all your guest and hotel data stored in your hotel software systems are encrypted. Your IT/software vendor can help you with that. It’s important to select your software partner based on their strict regulated security rules. If the data is not encrypted, hackers have an easy time to do harm.
Other useful links:
- An introduction to PCI and GDPR compliance
- 11 Steps Checklist to GDPR Compliance
- Information about Hotel Data Security
SmartHOTEL specializes in Oracle integrations with the main focus on integrated distribution solutions to Oracle Hospitality Distribution Cloud Services, OPERA and Suite8 systems and is the technology provider behind Oracle’s Channel Manager. Our knowledge of support, consultancy and technology meet the highest expectations of the hospitality market. For any questions regarding our solutions or anything else, feel free to contact us on +31 (0)182 75 11 18, or mail to email@example.com