Last updated: March 1, 2020

PCI DSS is an abbreviation for the Payment Card Industry Data Security Standard. Contrasting GDPR, the PCI DSS is not considered a law, but a guideline established and maintained by an independent operation created by major payment card brands. If you want to accept credit cards from brands like VISA and MasterCard, it is essential to be compliant with this security standard. The PCI DSS can be identified as a collection of top practices or guidelines on how to manage the sensible payment card data assigned to you by your guests in order to prevent data breach and or fraud.

Do I have to be compliant?

Whenever you make an agreement with a payment service provider to operate credit cards on-premises or online, it is necessary to demonstrate your compliance. Depending on the payment supplier or the acquiring bank, you have to fill out a self-questionnaire and or need to conduct an on-site audit with a Qualified Security Assessor (QSA).

What can happen if I am not compliant with PCI DSS?

If payment card data entrusted to you is released or misused, the payment brands will penalize the acquiring bank. It is possible those fines will be passed to you (the merchant) if you are found to be non-compliant. The fines will typically be between 5,000 EUR and 100,000 EUR for every month you are non-compliant. In extreme circumstances, you might lose the right to accept payment cards from the major payment card brands. Additionally, you could face legal difficulties and a spoiled reputation. It is of best interest to see the rules from the PCI DSS as an aid that helps you to secure your business.

PCI compliance with HyperGuest

HyperGuest is a service provider for our customers and processes payment on their behalf. Consequently it is vital for us to guarantee that we are compliant with PCI DSS. We coordinate on-site audits every year to prove our compliance with PCI DSS. Our QSA Adsigo examines the technical implementation to pinpoint any potential threats of how sensitive cardholder data can be revealed, as well, checks our security policies and processes. If consent can be validated, we receive an attestation of compliance (AOC), which can be obtained by customers. With this AOC and the acknowledgment of responsibility from the contract you have with HyperGuest, hoteliers can easily fulfill the requirement 12.8 from the PCI DSS on service provider management.

Customer responsibilities

HyperGuest allows you to run your business in compliance with PCI DSS, however, there are still things that need to be put in order. Full details on which requirements are required to fulfill can be found on the official website of the PCI Security Standards Council.

E-Commerce and Mail Order / Telephone Order (MoTo)

If cards are accepted on your website, as well as other online channels like booking.com, or you accept credit cards for mail and telephone orders, then the PCI requirements will be related to restricting user access to cardholder data, securing compliance of your service providers and maintaining an incident response plan at max. This is also based on your bank or payment service provider.

Card-present with modern IP based card terminals

If you also process payment cards on-premises using a modern IP based terminal connected to the payment service provider through the internet, there will be added  conditions. Most banks or payment service providers will only require you to this high standard if you are processing a high volume of terminal transactions. Adyen currently only does it if you process more than 1mio transactions.

If this is the case, it is necessary to clearly separate the network of the IP terminals from the other networks in your hotel and have firewall rules in place that ensure the terminals can only communicate with the payment service provider through securely encrypted connections. All systems connected to the network of the IP terminals will belong to the so-called card data environment (CDE). Only authorized persons should be granted access to those systems, which also implies heavier policies and documentation efforts to you. In addition to this, you will have to run a quarterly external vulnerability scan.