Online booking system security should be taken very seriously.
PCI Compliance stands for “Payment Card Industry” Compliance which are a set of security standards development by the credit card brands (Visa and MasterCard) to protect customer credit card data. You have probably heard in the past about systems being hacked and credit cards numbers being stolen by cyber thieves. The PCI Data Security Standards were developed in order to ensure that merchants complied with certain security requirements or else face stiff penalties should something happen.
PCI Compliance is important to the tour and activity operators because there is a time between the booking and the delivery of the service where the credit card needs to be stored in order to process the booking once the service is delivered or shortly before. This however is not allowed in a PCI Compliant environment and as such, you may be at risk of being fined should someone get a hold of your customer’s credit card data. The important thing to remember here, is that the standards don’t just apply to your website but also your business in general. Storing credit card numbers on paper in an unlock filing cabinet is just as a big a no-no as storing them on your reservation system.
Depending on the number of transactions you expect to do, your merchant level will differ and your requirements for compliance will change. In general though, there are two parts to the compliance process:
- PCI Compliance Scans: This involves having a PCI Approved scanning vendor (for example TrustWave) run regular vulnerability scans on your server or website to ensure that meets minimum requirements. Rezgo, for example, is scanned on a daily basis by Norton and quarterly by TrustWave.
- Report on Compliance: This is a report that you submit to your merchant processor (or acquirer) that states your compliance with the standards. The report is a set of pre-formatted yes or no questions that you answer and submit (generally online). If you should fail any of the compliance questions, you will need to adjust your policies to ensure that you can correct the failure and re-submit the report.
Unless you are doing more than 6,000,000 transactions per year, then both the scan and the report can be completed through an online service provider like TrustWave. If you do more than 6,000,000 transactions then you will require a QSA (Qualified Security Analyst) to do an on-site audit of both your facilities and your server hosting environment. Needless to say, this level of compliance is quite expensive.
In general, in order to be compliant, you need to:
- Ensure your website is properly secured. If you are using Rezgo, this is taken care of for you.
- Protect cardholder information by encrypting it and NOT storing it after processing. Rezgo handles this for you.
- Have up to date anti-virus on all your computers.
- Make sure everyone in your business has their own administrative account to your reservation system. Rezgo allows you to have as many administrative accounts as you require, at no extra cost.
- Make sure credit card information is only made accessible on a need to know basis. If you are using a payment gateway with Rezgo, the credit card information is never shown.
- Make sure your administration system has proper activity and security logging. Rezgo includes this reporting and logging by default.
- Regularly test your security systems to make sure they are working and compliant. Rezgo does this for you so you don't need to worry about it.
- Maintain a security policy that addresses your security.
In reality, a security policy is simply a document that outlines what you do and why when it comes to security. In the event of a security issue, your policy would provide guidance to you. Feel free to use the Rezgo Security Policy as an example when creating your own.
Note about Rezgo and CVV2 Numbers
You may be tempted to use a online booking system that either stores the CVV2 or emails it to you when a booking is made. It is important to know that this is in direct violation of PCI regulations and you may be at risk of fines and processing prohibition should your provider experience a security breach. If you need to process credit cards using your terminal, you must ensure that your terminal allows for Card-not-present transactions without CVV2.