in Payments

PCI Compliance stands for “Payment Card Industry” Compliance, a set of security standards developed by the credit card brands (Visa and Mastercard) to protect customer credit card data.  You have probably heard about systems being hacked and credit card numbers being stolen.  The PCI Data Security Standards were developed in order to ensure that merchants met certain security requirements to help protect that data or else face stiff penalties should something happen.

PCI Compliance is of extreme interest to the travel and tourism industry because, unlike most other industries, there is a time between the booking and the delivery of the service.  In a PCI Compliant environment, certain sensitive information such as CVV data cannot be stored and as such, you may be at risk of being fined should someone get a hold of this information.  The important thing to remember here is that the standards don’t just apply to your website but also your business in general.  Storing credit card numbers on paper in an unlocked filing cabinet is just as a big a no-no as storing them on your booking system.

Depending on the number of transactions you expect to do, your merchant level will differ and your requirements for compliance will change.  In general though, there are two parts to the compliance process:

  1. PCI Compliance Scans: This involves having a PCI Approved scanning vendor (like Trustwave for example) run regular vulnerability scans on your server or website to ensure that it meets minimum requirements. If you are using a third-party booking engine, it’s possible that your PCI Compliance requirements will be reduced because they’re providing all your credit card processing. Otherwise, you should include them in the scan as well.
  2. Report on Compliance: This is a report that you submit to your merchant processor (or acquirer) that states your compliance with the standards.  The report is a set of pre-formatted yes or no questions that you answer and submit (generally online).  If you should fail any of the compliance questions, you will need to adjust your policies to ensure that you can correct the failure and re-submit the report.

Unless you are doing more than 6,000,000 transactions per year, then both the scan and the report can be completed through an online service provider like Trustwave or Security Metrics.  If you do more than 6,000,000 transactions then you will require a QSA (Qualified Security Analyst) to do an on-site audit of both your facilities and your server hosting environment.  Needless to say, this level of compliance is quite expensive.

In general, in order to be compliant, you need to:

  1. Ensure your website is properly secured.
  2. Protect cardholder information by encrypting it and NOT storing it.
  3. Avoid storing CVV or pin data at any time.
  4. Have up-to-date antivirus protection on all your computers.
  5. Ensure everyone in your business has their own account for your booking software.
  6. Make sure credit card information is only made accessible on a need-to-know basis.
  7. Make sure your administration system has proper activity and security logging.
  8. Regularly test your security systems to make sure they are working and compliant.
  9. Maintain a security policy that addresses your security requirements.

In reality, a security policy is simply a document that outlines what you do and why when it comes to security.  In the event of a security issue, your policy would provide guidance.

Fortunately, by using Rezgo, you are using a PCI Compliant service provider. In most cases, your PCI compliance requirements are reduced tremendously.