Don’t Risk It
If you operate your hotel without the measures needed to protect your business and your customers from a hack or data breach, you are exposing both to risk. If you use online partners who are not fully compliant with the Payment Card Industry's standards, then you are the one who will ultimately suffer. Without the proper controls, your confidential information and your customers' personal information and credit card details could be stolen, causing immeasurable damage. You need to protect your reputation by making sure that your most valuable asset, your customer, and their data are managed well. PCI Data Security Standard (DSS) compliance gives you the peace of mind that your suppliers know what they are doing. Bookassist operates across many countries and constantly monitors international legislative developments for the benefit of our hotel clients.
- Bookassist is PCI DSS compliant, was one of the first in the online bookings business to be compliant, and has retained compliance for many years.
- Bookassist is a registered VISA Merchant for PCI purposes - just search for Bookassist on this link: https://www.visamerchantagentslist.com/
Before you engage with an online provider, search for their status on https://www.visamerchantagentslist.com/ and request their PCI-DSS compliance statement.
What is PCI DSS?
The Payment Card Industry Data Security Standard (PCI DSS) is a set of technical and operational standards created by the major credit card companies (Visa, Mastercard, American Express) in 2004 and upgraded continually since. The standards apply to all organisations that store, transmit or process cardholder data. PCI DSS is an industry standard and is not actually a legal requirement in Ireland and many other countries. The aim of PCI DSS is to set standards that assist in the prevention of fraud. Being PCI DSS compliant does not mean that you won't have a data breach, but it does mean that in the event of a data breach arising, the credit card companies will support you.
What you can and cannot do
For starters, hotels, or any business, should not under any circumstances store CVC (card verification code) numbers (also known as CVV or CVV2). The CVC is a personal number on the card that serves a similar purpose to a personal signature. In the event of fraud arising, card details without CVC numbers are less useful to fraudsters.
- Access to machines that hold reservation information should be restricted and passwords should never be shared between staff.
- Cardholder information should not be kept or transmitted in an insecure manner. Where you are sending or receiving cardholder information by fax or email, you need to ensure that the channel used is secure and encrypted to protect the information. Standard email is never secure and should never be used for credit card details by anyone. The biggest risk in hotels is actually credit card details on fax paper or printed emails left lying around.
- Staff should be trained on the importance of protecting cardholder data.
Consequences of non-compliance
Non-compliant businesses can face fines from the credit card companies, brand damage, potential lawsuits, insurance claims, difficult business conditions and a negative impact on customers. In the case of the data breach suffered by the Radisson Group in recent years, they had to contact guests to ask them to check their account statements for unauthorized purchases, hardly good for your image. Wyndham Worldwide Group were recently charged by the Federal Trade Commission in the US over three separate data breaches which, the FTC claims, resulted in $10.6m lost to fraud.
How Bookassist complies with PCI DSS
Bookassist takes compliance with PCI DSS seriously, and we go to considerable effort and cost to achieve the required standards. All hotel clients of the Bookassist system must sign up to the PCI DSS standards; all access to our system is logged, and access is password protected (passwords must be reset every 90 days). CVC numbers are never logged on the Bookassist system and are not available to hotels, in accordance with PCI DSS. Customer cardholder data can only be viewed for up to one month following the customer's departure date. After that date, the information is automatically deleted from the Bookassist system and cannot be retrieved. In addition, Bookassist have a dedicated Security Officer with responsibility for all PCI DSS compliance and security issues, a full incident response team and response plan in the event of any issues arising, and staff on call 24/7/365. We have invested heavily in hardware and software to ensure security and monitoring, and we have an annual external audit, part of which consists of authorised attack attempts against our systems and monitoring of how these attempts are dealt with automatically by our system. At Bookassist we feel that the investment we have made in PCI DSS compliance is important for us and for our hotel clients.
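As an added illustration, not Bookassist's own code, of how a hotel could check its own reservation exports against the rules above (no stored CVC, no card numbers in free-text notes or printed correspondence, cardholder data purged one month after departure), the following script audits a few constructed sample records. The record layout, the field names and the 30-day reading of "one month" are assumptions.

```python
import re
from datetime import date, timedelta

# Constructed sample reservation records (test card numbers, not real data);
# the field names are assumptions about a typical property-management export.
RESERVATIONS = [
    {"id": "R1", "departure": date(2024, 3, 10), "cvc": None,
     "notes": "Late arrival, please hold room"},
    {"id": "R2", "departure": date(2024, 5, 1), "cvc": "123",
     "notes": "guarantee card 4111 1111 1111 1111 exp 12/26"},
    {"id": "R3", "departure": date(2024, 1, 20), "cvc": None,
     "notes": "faxed card 5500000000000004 cvv 321"},
]

RETENTION = timedelta(days=30)  # assumed reading of "one month after departure"

# 13-19 digits, optionally separated by spaces or dashes, not inside a longer run
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){13,19}(?!\d)")
# a CVC label followed by a 3- or 4-digit value written into free text
CVC_RE = re.compile(r"\b(?:cvc|cvv2?|csc)\s*[:#]?\s*\d{3,4}\b", re.I)

def luhn_ok(digits: str) -> bool:
    """Luhn check so phone numbers and booking references are not flagged as PANs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0

def find_pans(text: str) -> list:
    """Return Luhn-valid card numbers (digits only) found in free text."""
    found = []
    for m in PAN_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if luhn_ok(digits):
            found.append(digits)
    return found

def audit(res: dict, today: date) -> list:
    """List the rules a single reservation record breaks."""
    issues = []
    if res["cvc"] is not None:
        issues.append("cvc-stored")
    if find_pans(res["notes"]):
        issues.append("pan-in-notes")
    if CVC_RE.search(res["notes"]):
        issues.append("cvc-in-notes")
    if today > res["departure"] + RETENTION:
        issues.append("past-retention")
    return issues

def audit_all(reservations: list, today: date) -> dict:
    """Map reservation id to its list of issues; empty list means compliant."""
    return {r["id"]: audit(r, today) for r in reservations}

if __name__ == "__main__":
    for rid, issues in audit_all(RESERVATIONS, date(2024, 5, 15)).items():
        print(rid, issues or "ok")
```

Records flagged `past-retention` are the ones the page says should already have been deleted; `pan-in-notes` and `cvc-in-notes` are the typical traces of card details copied from faxes or emails.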
Dr Des O’Mahony is CEO and founder at Bookassist (bookassist.org), the award-winning technology and online strategy partner for hotels worldwide.