
Basics of PCI Compliance for tour and activity businesses


PCI Compliance refers to compliance with the “Payment Card Industry” Data Security Standards, a set of security standards developed by the credit card brands (Visa and Mastercard) to protect customer credit card data. You have probably heard in the past about systems being hacked and credit card numbers being stolen by cyber thieves. The PCI Data Security Standards were developed to ensure that merchants comply with certain security requirements, or else face stiff penalties should something happen.

PCI Compliance is of extreme interest to the travel and tourism industry because, unlike most other industries, there is a gap between the booking and the delivery of the service during which the credit card details need to be stored, so that the booking can be processed once the service is delivered or shortly before. In a PCI Compliant environment, certain sensitive information such as CVV data cannot be stored at all, so if you do store it you are at risk of being fined should someone get hold of it. The important thing to remember here is that the standards don’t just apply to your website but to your business in general. Storing credit card numbers on paper in an unlocked filing cabinet is just as big a no-no as storing them in your reservation system.

Depending on the number of transactions you expect to process, your merchant level will differ and your requirements for compliance will change. In general, though, there are two parts to the compliance process:

  1. PCI Compliance Scans: This involves having a PCI Approved Scanning Vendor (Trustwave, for example) run regular vulnerability scans on your server or website to ensure that it meets the minimum requirements. If you are using a third-party booking engine, then you should include it in the scan as well.
  2. Report on Compliance: This is a report that you submit to your merchant processor (or acquirer) stating your compliance with the standards. The report is a set of pre-formatted yes or no questions that you answer and submit (generally on-line). If you fail any of the compliance questions, you will need to adjust your policies to correct the failure and then re-submit the report.

Unless you are processing more than 6,000,000 transactions per year, both the scan and the report can be completed through an on-line service provider like Trustwave or Security Metrics. If you do process more than 6,000,000 transactions, then you will require a QSA (Qualified Security Analyst) to perform an on-site audit of both your facilities and your server hosting environment. Needless to say, this level of compliance is quite expensive.

In general, in order to be compliant, you need to:

  1. Ensure your website is properly secured.
  2. Protect cardholder information by encrypting it and NOT storing it after processing.
  3. Never store the CVV or PIN data, at any time.
  4. Have up-to-date anti-virus software on all your computers.
  5. Make sure everyone in your business has their own individual account on your reservation system.
  6. Make sure credit card information is only accessible on a need-to-know basis.
  7. Make sure your administration system has proper activity and security logging.
  8. Regularly test your security systems to make sure they are working and compliant.
  9. Maintain a security policy that sets out how you handle security.
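
The storage rules in points 2, 3 and 6 above can be enforced in the reservation system itself. The following is an added example (not Rezgo's code, and not code from the original post) that takes a booking record as it might arrive from a payment form, drops the CVV before anything is persisted, keeps only the masked card number (first six and last four digits), and scrubs any full card numbers that staff may have typed into free-text notes; the record fields, the Luhn-check helper and the sample data are all assumptions for illustration.

```python
import re

# Constructed booking record as a reservation system might receive it from a
# web form. The card number is a well-known test number, not a real card.
SAMPLE_BOOKING = {
    "booking_id": "B-1001",
    "card_number": "4111 1111 1111 1111",
    "cvv": "123",
    "expiry": "12/29",
    "notes": "Guest called to confirm; card 4111111111111111 on file.",
}

# 13 to 19 digits, optionally separated by spaces or hyphens, not glued to other digits.
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")

def luhn_ok(digits: str) -> bool:
    """Luhn checksum, used to avoid masking booking numbers or phone numbers that merely look like cards."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0

def mask_pan(pan: str) -> str:
    """Keep only the first six and last four digits, the most PCI DSS allows to be displayed."""
    digits = re.sub(r"\D", "", pan)
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]

def redact_pans(text: str) -> str:
    """Replace every Luhn-valid card number found in free text (notes, log lines) with its masked form."""
    def _sub(m):
        digits = re.sub(r"\D", "", m.group(0))
        return mask_pan(digits) if luhn_ok(digits) else m.group(0)
    return PAN_RE.sub(_sub, text)

def sanitize_for_storage(record: dict) -> dict:
    """Return the booking as it may be written to the database: CVV and PIN fields removed,
    card number replaced by its masked form, free-text fields scrubbed. The full number is
    assumed to be passed straight to the payment processor, never to this storage layer."""
    safe = {}
    for key, value in record.items():
        if key in ("cvv", "cvc", "pin"):
            continue                      # never persisted, under any circumstances
        if key == "card_number":
            safe["card_masked"] = mask_pan(value)
        elif isinstance(value, str):
            safe[key] = redact_pans(value)
        else:
            safe[key] = value
    return safe
```

Running `redact_pans` over exported notes and log files is also a cheap way to find card numbers that have already crept into places they should not be.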

In reality, a security policy is simply a document that outlines what you do about security and why. In the event of a security incident, your policy is what provides you with guidance.

Remember that by using Rezgo, you are using a PCI Compliant service provider, and in many cases your own PCI compliance requirements are reduced tremendously.
