

The surprising secret to your dream vacation: PCI DSS requirements

08/16/2022

by Sean Sims

You’ve got the perfect vacation planned down to the last detail – flights, hotels, restaurants, and family activities are booked. As soon as you leave work and vacation mode begins, the last thing on your mind will be how your payment card data will be handled during your trip. Thankfully, other people are thinking about that for you – merchants, service providers, card networks, and the Payment Card Industry Security Standards Council (PCI SSC). These bodies leverage PCI DSS requirements to help ensure your data is protected.

What are PCI DSS requirements?

The Payment Card Industry Security Standards Council (PCI SSC) was created by Visa, MasterCard, American Express, Discover, and JCB to combat payment card fraud. It maintains the PCI Data Security Standard (PCI DSS), which applies to every business that stores, processes, or transmits payment card data and defines the set of requirements those businesses must meet to handle that data securely.

The PCI DSS is reviewed and revised on an ongoing basis so that it keeps pace with new threats and new ways of taking payments. PCI DSS v4.0 was published on March 31, 2022; the previous version, v3.2.1, remains valid until March 31, 2024, so merchants have roughly two years to transition to the updated standard. At a very high level, the PCI SSC groups the twelve DSS requirements into the following six goals:

Graphic detailing PCI DSS Requirements

  • Build and maintain a secure network and systems
  • Protect account data
  • Maintain a vulnerability management program
  • Implement strong access control measures
  • Regularly monitor and test networks
  • Maintain an information security policy

For each of these “big picture” goals, the PCI DSS provides much more detailed, technical requirements and testing procedures. One nuance is that the card brands categorize merchants into four levels according to their payment card transaction volume over a 12-month period. The security requirements themselves are the same at every level; what changes is how compliance is validated. A Level 1 merchant (highest transaction volume) must undergo an annual on-site assessment and produce a Report on Compliance, while Level 2 through Level 4 merchants generally validate through a Self-Assessment Questionnaire, with Level 4 subject to the least external scrutiny.

PCI in hospitality 

In the hospitality industry, a good reputation is correlated with success. Customers often look at online reviews, ask for word-of-mouth recommendations, or use their previous experience before choosing hotels, restaurants, or recreational activities. When a hospitality business chooses not to comply with the PCI DSS, it risks damaging that all-important reputation (and incurring hefty fines from its acquirer and the card brands) if a data breach occurs.

Unfortunately, the hospitality segment accounts for 40% of credit card breaches and credit card theft worldwide. In recent years, multiple major industry leaders announced substantial data breaches, including Marriott, MGM Resorts, and Choice Hotels. This can make customers think twice before handing over their payment card.

What makes this industry susceptible? 

There are several reasons that the hospitality industry is highly susceptible to cyber attacks:

  • High Revenue. This is a global industry that generates 550 billion dollars in annual revenue, making it attractive for hackers and thieves.
  • Security Self-Assessments. The PCI SSC does not itself validate DSS compliance; that is left to acquirers and the card brands. Most merchants simply submit a self-attestation based on a Self-Assessment Questionnaire, and only Level 1 merchants are required to have an on-site assessment by a Qualified Security Assessor. The result is that smaller merchants can keep running legacy or insecure software and systems, sometimes without realizing they are non-compliant.
  • Frequent Data Handling. Hotels handle card data in many places: the central reservation system, third-party software, front-desk check-in, e-mail, call centers, websites, paper authorization forms, and POS systems. Every location where card data lands is in scope for PCI DSS, and the wider that footprint, the more opportunities there are for the data to be exposed.
  • Unsecure Point-of-Sale (POS) systems. The most common breach type is a POS breach. Some merchants deploy POS systems that are not secure enough because the products were insufficiently vetted or the controls around them (network segmentation, patching, access control) are improperly implemented.
  • Human Error. Combatting security risks relies on ensuring employees are equipped to recognize phishing attempts, understand cybersecurity best practices, and are aware of the risks of non-compliance.

How can merchants mitigate risks? 

There are some key things merchants should keep in mind to better protect customers’ data:

  • Identify and address gaps early. When merchants perform a proactive PCI compliance assessment, they’re in a better position to identify, prioritize, and address security gaps. Because the standard and best practices continue to evolve, data security needs to be revisited on a regular basis, not just at attestation time. The PCI SSC provides various tools to assist, including the Self-Assessment Questionnaires (SAQ), the Prioritized Approach tool, and its Penetration Testing Guidance. Third-party firms, like Sendero, can also lead proactive process and technology implementation efforts.
  • Diminish how frequently customers’ payment cards are “touched.” The more often staff and systems interact with payment card data, the more likely it is that a data breach will occur. Leveraging contactless transaction technology for hotel check-ins or online orders keeps clear-text card numbers out of employees’ hands and is one way to remove the opportunity for human error from the transaction process.
  • Proactively perform due diligence. For any new device, software purchase, or outsourced payment service, merchants should ask the vendor or service provider for its current PCI Attestation of Compliance (AOC) and verify that it is recent and covers the services being bought. The PCI SSC also publishes lists of approved PIN entry devices, validated payment applications, and validated point-to-point encryption solutions; choosing products from those lists gives assurance that the product has been vetted for secure handling of card data.
  • Conduct frequent staff training. Staff at all levels should understand how cardholder data should be protected and the potential security risks. To account for staff turnover, new hires, and normal forgetfulness of procedures, merchants should establish a frequent training cadence.

With constant changes and advances in technology come added data security threats. The silver lining? Merchants, service providers, card networks, and the Payment Card Industry Security Standards Council (PCI SSC) are actively working to identify and mitigate these threats so that you can use your payment card and enjoy your well-planned vacation.


Looking for help in navigating the newest set of data security standards? Connect with one of our consultants using the form below.