Earlier this month, we hosted a fascinating live webinar on processing card payments in hotels. The complex topic of PCI compliance was broken down brilliantly by a fantastic panel of industry experts.
Read the full transcript below:
Host: More Fire PR’s Director Mark Ferguson
Panel:
- Tracey Long (Senior Manager Payment Data Security, Worldpay, PCI SSC Board of Advisors Member 2015-2017 & Chair UK Acquirers Compliance SIG)
- Connie G. Penn MIBC (Managing Director Kilrush Consultancy Ltd, Vice-Chair UK Acquirers Compliance SIG)
- Paul Brennecker CISM (experienced Principal Consultant / QSA, heading up the PCI team at Security Risk Management Ltd, formerly a member of the PCI compliance team at Barclaycard in Northampton)
MF: “Thank you for joining us today at Welcome Systems for this very topical discussion and Q&A on processing card payments and PCI compliance for the hospitality industry. I’m joined by an expert panel of guests who are going to talk us through this entire issue.
“We’ve gathered up a series of questions for our panel today. We’ve been talking to hoteliers throughout the UK about what it is that worries them about PCI compliance, what some of their concerns are and what questions they have going forward.
“Tracey - I think the first question would be a good one for you and sets the scene. This is from Phil and Liz in Windsor, and they ask: what is the point of all this PCI stuff? It is just more red tape invented by bureaucrats with no understanding of business? Is it just a ticket to make money and create more unnecessary costs for the hotelier? They’re trying to put us out of business.”
TL: “PCI is all about keeping you as the merchant safe and your customers’ card data safe, so actually, it’s to make business easier for you. What you want when you take bookings is to ensure you’ve got that customer confidence. It’s about making sure that all your systems are up to date - the way you take payments and process them adheres to the PCI standard. It’s not law, but it’s a mandate of standards.
"It’s there to make sure Phil and Liz do things correctly and protect their business.”
MF: “So, the point about red tape and bureaucracy - is there any way you can avoid PCI compliance or get around it? If you’re a smaller business, can you think ‘well, I can probably get away with this for another year or so’?”
TL: “No is the short answer, but I’ll expand on that!
“Everybody has to be PCI compliant - it doesn’t matter if you take one transaction per year or multi-million transactions. However, the smaller you are, the easier it is for you, but it’s not something anyone can avoid - it’s there to be done.
“However, there are ways you can de-scope your environment, which is when you outsource your payment processing to hosted payment pages from companies that are accredited and approved. If you just have one terminal, then becoming compliant is pretty simple.
“There are different questionnaires - you choose the one that fits your business model, complete it online or in paper format and that completes the de-scope process.”
MF: “So it varies depending on the type of business that you are?”
TL: “Yes, and also the size of the business and how much your acquirer can do things to help you.”
MF: “But the message remains that you can’t avoid it and need to take action now if you haven’t already?”
TL: “Absolutely - and you also need to remember that this is an annual certification.”
MF: “If you’re a hotelier watching this webinar and you’re thinking ‘it’s clear I need to take action but I haven’t done anything yet’, what’s the first step? Where should you go?”
TL: “Speak to your acquirer firstly, because they will have plenty of information for you. Just pick up the phone and ask to speak to the PCI department. There’s lots of online information, too.”
MF: “Paul - the next question is from Ruth Evans. She asks ‘why can’t I just keep a book of customer card details in my safe?’”
PB: “Very good question - this is something we see from time to time. It seems like the sensible thing to do when you think about it - you’ve got the card details from the customers, so why not just stick them in the safe?
“It’s a massive risk - that’s the problem. It’s as big a risk as keeping bundles of cash around, to be honest. That’s one of the reasons we say - if you don’t need to store it, don’t store it.”
MF: “Is there any kind of halfway house?”
PB: “You can outsource the storage of this kind of data to some third parties, as Tracey says. Let the professionals do it.”
MF: “There seems like quite a lot of processes and boxes I need to tick. I’m starting to wonder how much this is going to cost me. How costly is PCI?”
PB: “It shouldn’t be too onerous. There are some reasonably low cost solutions for securing data. You’ve got to weigh up the cost of doing it properly versus things going wrong. If there’s a data breach, and you’re trusted to maintain it, that’s a big problem - you’ll be held liable.
“There’s a formal process if a data compromise occurs. The card acquirers will get in touch and start a forensic investigation, and that can be very expensive (you’re mandated to do it, too). You could incur costs per card compromised and end up with an assessment penalty fee for data you’ve been managing incorrectly.
“If you get it wrong and you’re unfortunate enough to be a victim of this kind of crime, you’ll be in a position where you have to spend a lot of money to get yourself out of that hole.”
MF: “Connie - this question is from Kathrine at the Jura hotel. She says: in order to process no shows, we need to store the security code. We believe we do this securely, however it does prevent us from taking online bookings. How can we get around this?”
CP: “Ok, let’s get back to basics. In the hospitality industry, we’re allowed to process a no-show transaction, and for that you only need the PAN (16 digit number) and the expiry date. But, also remember that no-shows are an unusual event.
“If you want to process a no-show, you just put through the PAN and expiry date. When you take a booking, you don’t really need to store the data at all, because you can use third parties to process your data. We always say: if you don’t have it, you don’t have to protect it. That’s why it’s best to give that job to a third party and only keep a token in your organisation.
“You are contractually obliged to be PCI compliant, even if you outsource your data.”
MF: “From your experience, how big an issue do you think this is for the hospitality sector in terms of poor practice or confusion?”
CP: “There is a lot of confusion. If we go back to the booking process over the phone, the booker will give a PAN and expiry to secure the booking, but the transaction is not processed at that time. In Welcome Anywhere, for instance, you can enter the card data and it goes out to PCI Booking, which is a third party. They hold the data and just send the hotel a token.
“You only need the card information if the customer doesn’t turn up. But normally, the guest turns up, they book in and you get a fully-authenticated transaction where the guest hands their card over and it goes into the Chip and Pin machine.”
MF: “So that’s the chain of best practice people should follow. If anyone is still unsure about this, though, where might they go for advice?”
CP: “Always back to the acquirer. The contract is between the hotel and the acquirer - they give the best information.”
MF: “This next question is from Colin Woods. He asks: ‘If OTAs don’t process payments on our behalf then why is there not a responsibility on them to transmit all of the card details including the card verification number?’”
PB: “In the hotel industry, there’s often several stages for a card transaction - it can pass between many third parties before being processed. There is a responsibility on all of them to perform proper, secure practices and they have to pass data on in the most secure way possible.
“It’s always worth asking third parties like this to see their PCI compliance certificate. We’ve talked a lot about outsourcing your PCI problem, but the one thing you can’t outsource is responsibility.”
MF: “How sure can you be that you’re always going to get the correct information and best advice from a third party or acquirer?”
PB: “It’s very important to look at third parties, and when you de-scope your PCI compliance, that’s the one thing you’re left with. The likes of Booking.com will take this seriously - they’ll have certification they can provide if you ask for it, and the one you’re looking for is an attestation of compliance (AoC). It’s a bit like an MOT certificate for PCI. You can sometimes find them online.”
MF: “Is there the equivalent of an ombudsman?”
PB: “The global body for it is the PCI Council, which is an organisation based in America and run globally for the benefit of everyone.”
MF: “Finally on this point - have any of you experienced circumstances where there has been a problematic outcome? Does it ever go wrong?”
TL: “I wouldn’t say it goes wrong, but we definitely get people who don’t want to release their AoC. But it’s vital it is shown when requested, because if they have nothing to hide, there’s no reason not to display it.”
CP: “I think we’ve established that you have to be PCI compliant if you accept cards, but what I often find is that organisations are storing data that they don’t actually need. So, go back to the principle - if you don’t need it, don’t store it. Ask yourself - do you really need that card data within your organisation?
“There are some bad habits - particularly in this industry.”
MF: “We’ve got a question from Natalie at the Black Boys Inn. If a customer damages or takes something out of the room, can I charge them?”
CP: “Technically, yes, but it’s not about the storage of the card data. Your contract when the customer comes to the premises will say they’re responsible for additional charges, but under the card regulations you’re supposed to write to that customer and explain something has been damaged, which you’ll be charging for.
“If a phone call is subsequently made, you’ll have the card holder on the phone and can therefore request the CVV number, the PAN and expiry date. Unfortunately, in practice many hotels do this without asking the customer.”
MF: “And what happens if they do that?”
CP: “The cardholder has the right to get onto their issuer and say they don’t approve the transaction, but the hotelier should be able to show the contract that states they’re allowed to charge in the event of damage or theft.
“Doing it by phone is best because this would be referred to as a card not present transaction, which can only be processed with the CVV number if you’re interacting with the cardholder.”
MF: “This question from Nick Green says: how do we meet PCI compliance while being able to take payments for no-shows?”
PB: “This seems to be the big issue in hospitality. The whole no-show process is much easier to carry out if the transaction is performed when the customer is on the telephone. If you’ve got the card data, the hotel rules and regs are generally there to enable you to charge for one night’s accommodation.
“Within systems like Welcome Anywhere, there is the methodology to retain the card data securely via a ‘tokenised’ system. The token can then be used by the hotelier in the event of a no-show to process that one night’s charge.”
TL: “The tokenisation system is a really good de-scoping method that we would definitely recommend. These things have been put there to make the process easier for hoteliers.”
CP: “There is some confusion that to process a no-show you need the PAN, security code and expiry date. Even before PCI there was a rule that stated you didn’t need the CVV2 for a no-show - that still exists - providing it’s held securely via tokenisation.”
MF: “This next question says: the PCI guidelines say sensitive data like the CVV2 cannot be stored after authorisation, in which case it presumably can be stored before authorisation. Is that correct?”
CP: “You don’t need the CVV2 to process a no-show transaction, so the answer is you don’t need it after the initial transaction.”
TL: “Storing the CVV2 is the biggest no-no in PCI - you simply cannot do it. It puts you at great risk.”
MF: “Do you think there’s a sense of ‘if I hold onto this stuff, no one’s going to find out’ in this industry?”
TL: “I think there is. We’re all human at the end of the day, and it’s human nature to hold onto things. But if you are unfortunate to be the victim of a data compromise, you’ll have no defence.”
MF: “There is so much in the news about the hospitality sector being hit by fraud. This is not an unusual issue, is it?”
CP: “No, it’s not unusual. Hackers target this industry because they can get much richer information - names, addresses, card details - everything.”
MF: “Presumably, if an end consumer does have their details hacked from a hotel or OTA, this unleashes a whole bag of problems legally and I’d imagine reputations can be damaged, too?”
CP: “It’s not just reputations - you’ll also be subject to the new General Data Protection Regulation (GDPR) that comes in place within the next 12 months for the UK.”
MF: “I’m glad you’ve mentioned that! The next question asks ‘if my business is PCI compliant, do I need to do any more to become GDPR compliant?”
PB: “The GDPR is an EU mandate for the protection of all EU citizen personal data. It relates to all personal data. The Information Commissioner’s Office has already identified that card data is unique to individuals and is therefore a piece of personal data.
“The GDPR takes the same stance, but will include all other data, so if you store things like the guest’s passport number, you need to do so securely.”
MF: “Will Brexit affect this? Will these new regulations simply fall apart once we come out of the EU?”
CP: “Absolutely not. If you’re taking a booking from someone in Europe, you still have an obligation to protect their data under GDPR.”
MF: “The next question says: ‘I get called all the time by salesmen from other PMS companies trying to get me to change to their system. They say their system stores the security number so I’ll have no problem charging for no-shows. Are they right?”
CP: “The basic thing is you don’t need the security number for no-shows.”
MF: “This question from Louise says: ‘I charged a no-show for his 5 day stay but he got really aggressive and said I can only charge for the first night. Surely that’s rubbish?”
CP: “The rules state that you can charge a no-show for one night’s rack rate.”
MF: “Lastly, someone has asked: ‘Do I have to alter my terms and conditions and where they’re displayed to be able to charge for a no-show without a CVV2?”
CP: “If you want to be able to do a no-show, you have to make it clear at the point of booking that the cancellation policy states a one night fee will be charged if they don’t turn up.”
MF: “Before we finish, is there anything else you guys wanted to highlight about PCI?”
TL: “I’d just like to say - if in doubt, ask your acquirer.”
PB: “It’s important to note that cybercrime is on the up. This isn’t something we can ignore any more - hacking is a real thing.”
CP: “Remember: if you don’t need it - don’t keep it!”
MF: “Thank you Tracey, Connie and Paul.”
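The tokenised no-show flow the panel describes (the hotel keeps a token, the third party keeps the PAN and expiry, and the CVV2 is never stored) as an added worked example. This is illustrative Python written for this page, not code from the panellists, Welcome Anywhere or PCI Booking: the `Vault` class is an assumed stand-in for a third-party token provider with a hypothetical `tokenise`/`charge` API, the card number is an industry test PAN rather than a real account, and `find_pans` is the kind of Luhn-based scan a QSA would run over exported records or logs to check that no PAN has leaked into the hotel's own systems.

```python
import re
import secrets
from typing import Dict, List, Optional, Tuple

# Constructed input: a standard Visa test PAN, not a real account.
TEST_PAN = "4111111111111111"


def luhn_ok(digits: str) -> bool:
    """Luhn checksum: separates a genuine card number from a random digit run."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


class Vault:
    """Assumed stand-in for a third-party token provider (hypothetical API).
    It keeps PAN and expiry against an opaque token and never stores CVV2."""

    def __init__(self) -> None:
        self._cards: Dict[str, Tuple[str, str]] = {}

    def tokenise(self, pan: str, expiry: str) -> str:
        token = "tok_" + secrets.token_urlsafe(12)
        self._cards[token] = (pan, expiry)
        return token

    def charge(self, token: str, amount_pence: int,
               cvv2: Optional[str] = None) -> Dict[str, object]:
        pan, expiry = self._cards[token]
        # CVV2 is optional here: a no-show charge needs only PAN and expiry.
        return {"ok": True, "masked_pan": "*" * 12 + pan[-4:],
                "expiry": expiry, "amount_pence": amount_pence,
                "cvv2_sent": cvv2 is not None}


class HotelPMS:
    """The hotel's own records: a token and last four digits, never PAN or CVV2."""

    def __init__(self, vault: Vault) -> None:
        self.vault = vault
        self.bookings: Dict[str, Dict[str, str]] = {}

    def take_booking(self, ref: str, pan: str, expiry: str, cvv2: str) -> str:
        # The CVV2 may be quoted by the cardholder on the phone for a live
        # card-not-present authorisation, but it is never written to the record.
        token = self.vault.tokenise(pan, expiry)
        self.bookings[ref] = {"token": token, "last4": pan[-4:]}
        return token

    def charge_no_show(self, ref: str, one_night_pence: int) -> Dict[str, object]:
        # One night's charge against the token; the hotel never handles the PAN.
        return self.vault.charge(self.bookings[ref]["token"], one_night_pence)


def find_pans(text: str) -> List[str]:
    """What a PCI scan of exported records, logs or a typed-up 'book in the
    safe' looks for: 13-19 digit runs (spaces/dashes allowed) that pass Luhn."""
    hits = []
    for m in re.finditer(r"\d(?:[ -]?\d){12,18}", text):
        digits = re.sub(r"[ -]", "", m.group())
        if luhn_ok(digits):
            hits.append(digits)
    return hits


if __name__ == "__main__":
    pms = HotelPMS(Vault())
    pms.take_booking("B100", TEST_PAN, "12/27", "123")
    print("stored record:", pms.bookings["B100"])
    print("PANs found in hotel records:", find_pans(repr(pms.bookings)))
    print("no-show charge:", pms.charge_no_show("B100", 12000))
    print("PANs found in a safe-book note:",
          find_pans("Mr Smith, card 4111 1111 1111 1111 exp 12/27, arriving Fri"))
```

Running the script shows the hotel record holding only a token and the last four digits, the scan finding nothing in that record, the no-show charge going through without a CVV2, and the same scan flagging the card number as soon as it is written down in plain text.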
Download a comprehensive guide to handling card data and processing no-shows: http://welcome-anywhere.co.uk/wp-content/uploads/2017/05/Handling-card-data-in-hospitality.pdf