When looking into taking online bookings, I'm sure you've been bombarded with the need for 'PCI compliance' - but what does this actually mean? What does it do for your business? PCI compliance stands for Payment Card Industry Compliance. It is a set of security standards for handling card data online, created by Visa and Mastercard to help protect customer credit card data.
Unlike other industries, the travel and tourism sector has a special interest in these standards, simply because there is usually a substantial amount of time between a booking and the delivery of services. During this time, customers' card details have to be kept safe. However, storing customers' card details for any length of time is against the PCI guidelines. This isn't just an online thing either: storing card details in an unlocked filing cabinet is a huge no-no! If someone were to get hold of your customers' data, you are liable for a hefty fine.
Your requirements for compliance will depend on how many transactions you do. For the majority of companies (under 6,000,000 transactions per year), there are just two parts to be fully compliant with the guidelines:
- Report on Compliance: Submitted to your merchant processor/acquirer, it simply states your compliance. Usually completed online, it consists of a series of yes/no questions. If you fail on any part of the report, you will need to adjust your procedures and re-submit the report.
- PCI Compliance Scans: These scans must be run at regular intervals by a PCI approved vendor (e.g. TrustGuard or Security Metrics). They search for vulnerabilities on your server and website to make sure it is meeting the minimum requirements. If you use a booking engine (like Booking Buddha), you must include it in the scan too.
If you are a larger company and complete over 6,000,000 transactions per year, you will need to have an on-site audit completed by a Qualified Security Analyst.
Here's a quick 8 point guide for general compliance:
- Ensure your website is secured properly
- Do not store cardholder information after processing. Encrypt it while it is being used
- Restrict access to credit card information to the staff who genuinely need it
- Keep an up-to-date security policy
- Give employees their own accounts within the reservation system (if needed)
- Test security systems on a regular basis to ensure they're working correctly
- Ensure your admin system has activity and security logging facilities
- Update all anti-virus software on ALL computers within the company