Payment Card Industry Data Security Standard (PCI-DSS) is an international security regulation, developed in cooperation with credit card companies to regulate the security of storing, processing and transmitting transaction and personal details.
To ensure credit card data remains as secure as possible, the PCI Data Security Standard (PCI DSS) offers a guideline with 12 central security areas. It consists of steps that mirror security best practices. The hotel will be held accountable if any breaches occur.
8-step checklist to PCI compliance
- Online distribution channels
- Level of user rights
- Offline storage of credit card details
- Online transaction codes
- Know who handled what
- Passwords, written codes and other written guest notes
- Secure your storage of data
- Encryption of all digital data
With a few steps you can check whether you meet some of the requirements for becoming PCI-DSS compliant. We do suggest getting in touch with a specialised firm to help you with your hotel security.
8-step checklist for PCI compliance: does your hotel meet the requirements?
1. Online distribution channels
All distribution vendors that help you optimise your online revenue pass hotel and guest data between systems. If your in-house property management system (PMS) stores credit card details of your guests, it is mandatory that you adapt your infrastructure to the PCI requirements.
2. Level of user rights
Put limitations on user rights when it comes to guest data. In many systems you can define several levels of user rights. Make sure that only the staff members who need to handle credit card details have access to this data.
3. Offline storage of credit card details
PCI compliance is not only applicable to the digital storage of credit card details. Hard copies containing credit card or guest information are also covered by these rules. All printed documents containing such data should be securely stored and need to have restricted access, as mentioned in step 2.
4. Online transaction codes
When accepting digital transactions, an extra verification of the cardholder is sometimes required: the so-called CVC code. You are not allowed to request this code from your guests unless you are PCI-DSS compliant.
5. Know who handled what
If for some reason an incident occurs with a card, you need to know who handled the card and what happened to it. This goes hand in hand with unique user logins for the staff who handle credit card details. For an even better overview, assign unique IDs to the staff who have access to the information.
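Steps 2 and 5 together amount to one mechanism: every read of card data is tied to a personal staff ID, is allowed only for the roles that need it, and is written to an audit trail that never contains the card number itself. The following is an added example, not code from the article or from any PMS vendor; the staff directory, roles, booking record and the test card number 4111 1111 1111 1111 are all constructed for illustration.

```python
"""Least-privilege access to stored card data with a per-person audit trail.
Added example (not from the original article): an in-memory model of a
PMS card vault in which every read is tied to a unique staff ID, staff who
do not need card data cannot fetch it, and the log shows who handled what.
"""
from datetime import datetime, timezone

# Hypothetical staff directory: every person has their own ID and one role.
# A shared "reception" login is deliberately absent; it would make step 5
# (knowing who handled what) impossible.
STAFF = {
    "S-1001": {"name": "A. Jansen", "role": "payments"},
    "S-1002": {"name": "B. Smith", "role": "frontdesk"},
    "S-1003": {"name": "C. Muller", "role": "housekeeping"},
}

# Which roles may see the full card number and which only a masked copy.
CAN_READ_FULL_PAN = {"payments"}
CAN_READ_MASKED_PAN = {"payments", "frontdesk"}

# Constructed booking record; the card number is a public test number.
CARD_STORE = {
    "BK-42": {"guest": "J. Doe", "pan": "4111111111111111"},
}


class AccessDenied(Exception):
    pass


def mask_pan(pan):
    """PCI DSS permits displaying at most the first six and last four digits."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


class CardVault:
    def __init__(self):
        self.audit = []  # append-only; in a real PMS this is a protected log

    def _record(self, staff_id, action, booking_id, outcome):
        # The audit entry identifies the person and the booking, never the PAN.
        self.audit.append({
            "ts": datetime.now(timezone.utc).isoformat(),
            "staff_id": staff_id,
            "action": action,
            "booking": booking_id,
            "outcome": outcome,
        })

    def read_card(self, staff_id, booking_id):
        """Return the card number in the form this person's role allows."""
        staff = STAFF.get(staff_id)
        if staff is None:
            self._record(staff_id, "read_card", booking_id, "denied:unknown-id")
            raise AccessDenied(f"unknown staff id {staff_id}")
        record = CARD_STORE.get(booking_id)
        if record is None:
            self._record(staff_id, "read_card", booking_id, "denied:no-such-booking")
            raise AccessDenied(f"no booking {booking_id}")
        role = staff["role"]
        if role in CAN_READ_FULL_PAN:
            self._record(staff_id, "read_card", booking_id, "ok:full")
            return record["pan"]
        if role in CAN_READ_MASKED_PAN:
            self._record(staff_id, "read_card", booking_id, "ok:masked")
            return mask_pan(record["pan"])
        self._record(staff_id, "read_card", booking_id, f"denied:role={role}")
        raise AccessDenied(f"role {role} may not read card data")


def attempt(vault, staff_id, booking_id):
    """Convenience wrapper: (granted, value-or-reason) instead of an exception."""
    try:
        return True, vault.read_card(staff_id, booking_id)
    except AccessDenied as exc:
        return False, str(exc)


def who_touched(vault, booking_id):
    """Step 5: every staff ID that tried to access this booking's card, with the outcome."""
    return [(e["staff_id"], e["outcome"]) for e in vault.audit if e["booking"] == booking_id]


if __name__ == "__main__":
    vault = CardVault()
    for staff_id in ("S-1001", "S-1002", "S-1003", "S-9999"):
        print(staff_id, attempt(vault, staff_id, "BK-42"))
    print(who_touched(vault, "BK-42"))
```

When an incident is reported for booking BK-42, `who_touched` answers the step 5 question directly, and because the audit entries never include the number, the log itself does not become another copy of cardholder data.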
6. Passwords, written codes and other written guest notes
Passwords are not always top of mind after a holiday, so you might be tempted to leave memos with written account details under the keyboard or even attached to the screen. Again, PCI is not only about online stored data; the offline work environment should be secured as well as possible. There are many tools to store passwords safely. Work out a system with your staff that ensures written memos with sensitive data are no longer part of the daily routine. Writing down and storing private information in this way is not allowed and is not PCI compliant.
7. Secure your storage of data
In theory, all computers and other stored files located at the reception are easily accessible to people with harmful intent. Make sure to move all guest-related documents and the machines that access credit card details to a secured location. Make sure that this area is monitored by security cameras and is not accessible to hotel guests or other non-staff members.
8. Encryption of all digital data
Make sure that all guest and hotel data stored in your hotel software systems is encrypted. Your IT/software vendor can help you with that. It’s important to select your software partner based on their strict, regulated security practices. If the data is not encrypted, hackers have an easy time doing harm.
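Before asking the vendor about encryption, it pays to check what your own exports and logs already contain: a cleartext card number in a booking export is exactly the easy target step 8 warns about. The following is an added example, not the article's or any vendor's code. It uses only the Python standard library; the export text, the vault key and the function names are constructed for illustration, and 4111 1111 1111 1111 is a public test card number. It scans text for Luhn-valid card numbers (ignoring booking and phone numbers that merely look like one) and shows the minimised form a hotel system should keep for its own use: a masked number for staff display and a keyed hash for recognising a returning card. Encrypting any full number that must be retained is the vendor's job with a vetted library, and the CVC from step 4 is never stored at all.

```python
"""Find cleartext card numbers (PANs) in a PMS export and build the
minimised record that should be stored instead. Added example, not code
from the original article or any vendor; stdlib only; all data constructed.
"""
import hashlib
import hmac
import re


def luhn_valid(digits):
    """Luhn checksum used by payment card numbers; filters out booking
    numbers and phone numbers that merely look like a card number."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:       # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


# 13 to 19 digits, optionally separated by spaces or dashes,
# not embedded in a longer run of digits.
PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def find_cleartext_pans(text):
    """Return every Luhn-valid card number found in cleartext, separators removed."""
    hits = []
    for m in PAN_CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if 13 <= len(digits) <= 19 and luhn_valid(digits):
            hits.append(digits)
    return hits


def mask_pan(pan):
    """Keep at most the first six and last four digits (the PCI DSS display limit)."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def storage_record(pan, vault_key):
    """What the hotel system keeps for its own use: the masked number for
    staff display and an HMAC-SHA-256 token that identifies a returning card
    without holding the number. The key must live outside the database."""
    token = hmac.new(vault_key, pan.encode(), hashlib.sha256).hexdigest()
    return {"masked": mask_pan(pan), "token": token}


# Constructed export: one booking number, one cleartext test card, one
# already-masked card and one phone number. Only the second line is a finding.
SAMPLE_EXPORT = """\
2024-04-15 10:02 booking 2024041512345678 guest=J.Doe room=312
2024-04-15 10:03 card=4111 1111 1111 1111 exp=12/26 auth=OK
2024-04-15 10:04 card=411111******1111 auth=OK
2024-04-15 10:05 phone=+31 182 751 118 note=late arrival
"""


if __name__ == "__main__":
    for pan in find_cleartext_pans(SAMPLE_EXPORT):
        print("cleartext PAN found:", mask_pan(pan))
        print("store instead:", storage_record(pan, b"constructed-vault-key"))
```

Run the scanner over PMS exports, e-mail archives and log files; any hit is data that was supposed to be either encrypted by the vendor or not stored at all. The HMAC token is deliberately keyed: a plain SHA-256 of a 16-digit number can be reversed by enumeration, so the key is what makes the stored record useless to someone who copies the database.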
Other useful links:
- An introduction to PCI and GDPR compliance
- 11 Steps Checklist to GDPR Compliance
- Information about Hotel Data Security
For more than 16 years, SmartHOTEL has been helping hoteliers navigate the exciting world of online distribution. From our offices in the Netherlands and the United Kingdom, our team serves independent hotels, hostels and chains worldwide by providing channel management and tailored online distribution solutions. A lot has changed over the years, but our goal remains the same: simply connect hotels to the world. For any questions regarding our services, please contact us at email@example.com or call +31 (0)182 75 11 18.