How do you handle the credit card information of guests in your hotel? For many hoteliers, this is a tricky and complex subject. In this article, we set out the most important points about the safe handling of credit card information in plain terms. You can then check whether your operations are up to standard and whether you comply with the PCI-DSS requirements.
Why is it important to be fully PCI-DSS compliant?
Does your hotel accept physical or digital credit or debit card payments? If so, you are responsible for securely storing, processing and transmitting cardholder data. What "secure" means is defined in the international PCI-DSS standard. You are not only legally obligated to comply; it is also in your own interest to have these matters in order. If you are an independent business owner, for example, you don't necessarily have the safeguard of the IT support and network security that larger hotel chains have. Criminals know this, and that makes you a target. When your hotel falls victim to a data breach, your brand name suffers a lot of damage and you will have to work hard to regain the trust of your guests. There are often financial consequences as well, such as fines, lawsuits or losing the right to accept credit cards.
How to deal with the physical storage of credit card information
Rule number one: don't write down sensitive card data, and don't store it either. Destroy old copies with a shredder and dispose of them safely. If you do need paper back-ups, black out the sensitive card data with a thick marker and store the documents in a safe (or locked cabinet) that few people have access to. Instruct your employees not to write down guest card information just anywhere; they should enter it directly at the designated, protected location.
Pay attention to the digital storage of credit card data
Besides paper documents, it's also important to know where credit card information may be stored digitally, possibly without you realising it, such as in your email inbox. If you receive credit card information from a guest via email, delete the email immediately after processing it. If you want to respond to the email, open a new message or remove the credit card information from your reply. These details may also be stored in your hotel software systems; we come back to how to handle this under the heading 'hotel software'.
Protect your cash register and payment systems
Ensure that guests cannot access your cash register or payment systems (such as PIN terminals) unnoticed. Keep the devices in a secure place and make sure no one can read your screens without your knowledge. This prevents criminals from tampering with your devices for skimming purposes.
Set user levels for your employees
Both physical and digital files containing credit card information should be accessible only to those employees who need them to do their jobs. It is important to trust your employees, but mishandling of sensitive data is not always intentional. Make sure this information is not easily accessible and set user permissions based on what each employee actually needs. Don't know how to set user rights? Ask your software vendors to help with this.
Know if your hotel software (and hardware) is PCI-DSS compliant
Which hotel software or hardware systems are you currently using that transmit or process payments? These are not just your cash registers or payment terminals; consider also your reservation system, channel manager and online booking engine. The suppliers of your hotel systems have the same responsibility as you to comply with the PCI-DSS standard. The fact that they are obligated to comply as well does not mean you should assume that everything is covered. Make sure you work with trusted vendors by informing yourself on the following topics:
- Which of your hotel systems process or store credit card information
- What your suppliers are doing to comply with the PCI-DSS standard
- What questions you need to ask them to find out
These are some questions you can ask the software vendor to find out if they handle your guests' credit card information responsibly:
- Is the product validated to PCI security standards?
- Does the product integrate other systems that contain cardholder data?
- If the product integrates and exchanges credit card data with other systems, is this exchange protected with encryption?*
* Encryption 'encodes' (packages) the credit card data into a series of numbers or characters, often called a token, that is unreadable to anyone who intercepts it. Only when the data arrives at the authorised destination is it decrypted and usable again.
Say goodbye to old payment systems safely
Are you switching to a new (payment) system? Ensure that your old devices are completely wiped of sensitive credit card data before you sell or dispose of them; otherwise the data can be retrieved and misused. Ask your vendor how to do this.
Secure your entire IT infrastructure
Now that you know which systems and applications process credit card data and how they protect it, you also need to make sure your network is secure. The network that all these systems run on has to be well protected from attacks. Install antivirus software and enable automatic updates so that your protection stays current.
Make it easier for yourself
There is also a way to avoid handling your guests' credit card information at all: a direct integration between your payment provider and your reservation system. Such an integration passes the payment provider's information straight into the reservation system, without a hotel employee's intervention. Credit card details no longer need to be retyped or printed out, so you can offer your guests more security than before.
Want to know more about payment integration through SmartHOTEL? Read more about our latest solution SmartCONNECT for Payment here!
This blog was written using the Information Resources for Small Merchants from the PCI Security Standards Council. Do you have any questions about this article? Please send us a message!
For more than 16 years, SmartHOTEL has been helping hoteliers navigate the exciting world of online distribution. From our office based in the Netherlands and the United Kingdom, our team serves independent hotels, hostels and chains worldwide by providing channel management and tailored online distribution solutions. A lot has changed over the last years, but our goal remains the same: simply connect hotels to the world. For any questions regarding our services, please contact us at firstname.lastname@example.org or call +31 (0)182 75 11 18.