PCI Compliance Confusion
PCI compliance can be very confusing and highly technical, and the word “audit” isn’t high on anyone’s list of favorite words to hear, especially when combined with PCI compliance. But PCI compliance doesn’t have to be scary! We’ve put together some information on PCI compliance in the hospitality world, some common terms, and tips on who to turn to when you get lost.
First, let’s start off with what PCI compliance is. PCI stands for the Payment Card Industry, and the PCI Security Standards Council has put in place security standards to protect cardholder data during financial transactions. These standards apply to all merchants who process, store, or transmit credit card data, and they require that those merchants maintain a secure environment.
When it comes to payment security, you need to protect your:
- Card readers
- Point of sale systems
- Network
- Card data – both storage (this includes paper copies) and transmission
- Online payment applications (your online booking engine)
To ensure you’re compliant, your merchant account provider will send you compliance forms or self-assessment questionnaires (SAQs). These forms are validation tools used to show that you are compliant. There are eight different forms available, depending on the type of business you run and how you process payments. You can find breakdowns of the different forms and their eligibility requirements in the Understanding the SAQs for PCI DSS article.

At its core, the SAQ seeks to show that you maintain a secure network and a vulnerability management program (for example, up-to-date anti-virus), protect sensitive credit card information and its transmission, have access control measures (logins and passwords for systems), test your systems’ security regularly, and have a documented policy outlining how you maintain the security of that information.
If you think that using third-party systems to process your payments excludes you from PCI compliance, you’d be wrong. Any merchant that accepts credit card payments should comply with the security standards, though using third-party systems can substantially reduce your security risk and the time required to prove you’re compliant.
Glossary of terms
- Cardholder Data – This includes the credit card number itself, the PIN or CVV code, the expiration date, the cardholder’s name, their address, and their Social Security number.
- MSP – A Merchant Services Provider (MSP) is the entity that allows you to accept and process credit card payments.
- PCI – Payment Card Industry; this covers credit, debit, and prepaid cards and the businesses associated with them.
- PCI Security Standards Council – The Council is “a global open body formed to develop, enhance, disseminate, and assist with the understanding of security standards for payment account security.” Founding members include American Express, Discover Financial Services, JCB International, MasterCard, and Visa Inc.
- PCI-DSS – Payment Card Industry Data Security Standard, the security standards set by the Council that merchants must meet to remain compliant.
- QSA – A Qualified Security Assessor (QSA) is a trained and certified professional who performs PCI audits.
Who do I talk to?
If you’re still stuck with your form and not sure who to talk to, your first call should be to your MSP. They’ll know how to walk you through the form and can provide instructions on items that aren’t clear-cut. You can also reach out to your third-party partners, but it’s best to go through your MSP.
If you’re really, really stuck, even after talking to your MSP, find a QSA to run your audit. Many companies have the technical know-how to run the security audits and confirm that your property’s infrastructure is compliant.
Have any tips for innkeepers on how to ensure PCI compliance? Share them with us below in the comments section!
