During a recent hotel stay, the front desk clerk asked for my credit card at check in. Not an unexpected request. What was surprising, however, was what the clerk did with my credit card. I marveled as she made an imprint of my credit card onto my registration form, where my name, address, frequent traveler and telephone numbers were also clearly printed, and proceeded to place the registration form on the counter where my information was visible to other guests and hotel employees. Already suspecting the answer, I asked politely if the hotel was complaint with PCI Standards. "PC what?" she asked with a friendly smile.
I gave her more specifics: "Is the hotel Payment Card Industry Data Security Standard (PCI DSS) compliant?" She had no idea what I was talking about. Later I sent an e-mail to the general manager where I explained what took place and asked my question again. I never received an answer.
Under the PCI DSS, a business or organization should be able to assure its customers that their credit card data, account information and transaction information is safe from hackers or any malicious system intrusion (www.pcicomplianceguide.org). This includes physical copies of consumers' credit card information. When credit card information is accessible in combination with a consumer's identifying information, it's a recipe for identity theft.
During a recent hospitality-related conference, I had a chance to chat with many operators. I asked them the same question: Are you compliant? The answer I got was the same: We do not know.
There is still a great deal of confusion surrounding PCI Standards in the hospitality industry. Some operators report hearing that compliance is optional, not mandatory. Others think their software vendor is responsible for compliance. Vendors are also confused. Some think it is the operator's responsibility, while others place ownership squarely on the credit card authorization company. However, once a consumer sues a hotel or restaurant and wins a multi-million dollar lawsuit for identity theft as a result of non-compliance, everybody will be clear.
By the end of this year, any organization accepting payment card transactions must be in compliance with PCI DSS. In my experience, most hospitality professionals think that complying with PCI DSS is someone else's responsibility. Consider it your responsibility and do your checkups early before it is too late. Non-compliance with PCI DSS has serious monetary consequences and can also have a detrimental impact on public opinion. Compliance with PCI DSS is a lengthy process, therefore it is important to start early. After all, these precautions will better secure your network and ultimately help protect the future of your business.
PCI COMPLIANCE HELP:
The Payment Card Industry Data Security Standard (PCI DSS) applies to every organization that processes credit or debit card information, including merchants and third-party service providers that store, process or transmit credit card/debit card data. Literally, all hospitality organizations will qualify under this.
If you are one of the above, PCI compliance is not a request or suggestion. It is now a requirement.
Create a task force for PCI compliance. This taskforce should include entry and management level representatives from IT and operations. If possible, an advisor from the vendor community is quite beneficial. Once this taskforce is ready, it should conduct an internal audit to determine current level of compliance. The tools needed for this audit are easily available online at www.pcisecuritystan dards.org.
Extra attention should be paid to any wireless transactions. Wireless technology is considered the least secure by the PCI Council. Therefore, wireless hospitality applications that carry credit card information such as a wireless point of sale terminal should be evaluated very carefully.