Trustwave: Credit Card Acceptance at Hotels – Understanding the Risk of Theft and Fraud

Acceptance of credit cards for payment has grown exponentially at small businesses across the US. Hotels of all sizes should be aware of the risk of theft and fraud, and take action to combat it by certifying against the industry standard for handling credit card data, the Payment Card Industry Data Security Standard (PCI DSS). The PCI DSS is required for all businesses accepting credit cards.

What is PCI DSS? The five major card networks (American Express, Discover Financial Services, JCB, MasterCard Worldwide, and Visa Inc.) established the PCI DSS as a set of requirements for businesses of all types to use when configuring their IT and payment-processing environments. Understanding the requirements is the first step. Some businesses will need IT support to ensure all of the requirements are met prior to taking action to certify compliance. (For additional information, please visit www.pcisecuritystandards.org.) The 12 requirements are as follows:

  1. Install and maintain a firewall configuration to protect data
  2. Do not use vendor-supplied defaults for system passwords and other security parameters
  3. Protect stored data
  4. Encrypt transmission of cardholder data and sensitive information across public networks
  5. Use and regularly update anti-virus software
  6. Develop and maintain secure systems and applications
  7. Restrict access to data by business need-to-know
  8. Assign a unique ID to each person with computer access
  9. Restrict physical access to cardholder data
  10. Track and monitor all access to network resources and cardholder data
  11. Regularly test security systems and processes
  12. Maintain a policy that addresses information security

What does a hotel need to do to certify PCI DSS compliance? There are two components required to validate or “prove” that a business has achieved PCI DSS compliance certification:

  1. Self-Assessment Questionnaire: All businesses are required to self-assess their IT and payment processing environment using the appropriate PCI Self-Assessment Questionnaire (SAQ). Please see the PCI Security Standards site for examples of the four questionnaires, www.pcisecuritystandards.org.
  2. Vulnerability Scanning: Depending on how you process payments and on your Internet connection, network vulnerability scanning may also be required. (This step requires an Approved Scanning Vendor (ASV). The list of ASVs can be found at https://www.pcisecuritystandards.org/qsa_asv/find_one.shtml.)

The questionnaire and the scanning help identify whether any weaknesses or vulnerabilities exist in the network. These issues must be fixed before PCI DSS certification can be achieved.

Certification with PCI DSS is achieved with a compliant, passing questionnaire and, if required for your business, compliant, passing vulnerability scanning. There are many tools available in the marketplace to help hotels complete these steps easily. Your business may have been automatically enrolled in a PCI DSS program by your bank, processor or acquirer. If you are unsure whether you are PCI DSS compliant or enrolled in a program, please call your payment processing provider.

How to get started:
Trustwave (www.trustwave.com) is a leading provider of compliance and information security services to the payment industry, serving merchants of all sizes. Trustwave is both an Approved Scanning Vendor and a Qualified Security Assessor, and is certified to validate organizations’ compliance with the PCI DSS. AAHOA has partnered with Trustwave to provide certification services at a preferred price. Please visit www.trustkeeper.net. To ensure you receive the discounted pricing, in the upper left-hand box enter AAHOASAQ1 if you only require access to the PCI Self-Assessment Questionnaire (SAQ), or AAHOASCAN2 if you require access to the SAQ and vulnerability scanning.

How do I know if I need to scan?

  • If you have any computers or terminals connected to the Internet that are involved in the transmission, storage, or processing of cardholder data, then your network will require a vulnerability scan.
  • If you have an e-commerce Web site that accepts credit card payments, then your e-commerce Web site will need to be scanned as part of the PCI compliance validation process.

All IP addresses and Web sites involved in the transmission, storage, or processing of cardholder data must be scanned for your business to be validated as PCI compliant.

Enrollment Code    Examples
AAHOASAQ1          Dialup terminals, imprint machines, no Internet-based processing, no electronic cardholder data storage
AAHOASCAN2         IP-based terminals, virtual terminals, POS systems connected to the Internet, electronic cardholder data storage

Trustwave and AAHOA want to make sure that you understand the basics of “PCI”, how it applies to your business, and the steps needed to complete your PCI certification through the TrustKeeper portal. Therefore, we strongly encourage you to view the “PCI Compliance 101” Webinar by clicking the link below:

https://trustwave.webex.com/trustwave/lsr.php?AT=pb&SP=MC&rID=57943902&rKey=d54a03c4fd673a7c

In this webinar, Trustwave will answer key questions regarding:

  • What is PCI?
  • Merchant level definitions
  • What action do businesses need to take to “validate” they are PCI compliant?
  • Completing the PCI Questionnaire/Network scanning
  • How to complete your PCI Certification in TrustKeeper

For more information, please contact:

Monica Brady
MBrady@trustwave.com
(312) 873-7277


Please consult the following sources for information on specific ways to ensure your hotel acts in accordance with PCI standards.

https://pcisecuritystandards.org/index.php
http://www.pcicompliance.org
http://www.pcicomplianceguide.org

Visa
http://usa.visa.com/merchants/risk_management/cisp_overview.html
http://usa.visa.com/merchants/risk_management/cisp_merchants.html

MasterCard
http://www.mastercard.com/us/merchant/support/merchant_education.html
http://www.iian.ibeam.com/events/mast001/24008/



Related Files
Level 4 FAQ (Adobe PDF File)