
PCI Compliance: What You Need to Know to Protect Yourself and Your Customers


Customers now expect the ability to pay using a major card regardless of the retailer or industry. This is especially true within hospitality because travel, entertainment, celebratory events and business functions commonly bring patrons to a hospitality business.

Accepting credit cards supports your hospitality business's sales and revenue potential, but it also increases the chance that your business falls victim to a security or data breach. You may not be able to eliminate this threat entirely, but the security controls you have in place to protect sensitive data largely determine whether a breach affects your business, and how severely.

The Payment Card Industry Security Standards Council (PCI SSC) developed the PCI compliance standards to protect businesses that process credit cards and, as a result, handle sensitive information. This article from BluePay explains the basics of PCI compliance, why the standards exist to protect hospitality businesses and their customers, and how to adapt your current processes to become PCI compliant.

PCI Compliance: What It Entails — And Why

The specific PCI standards that apply to your hospitality business depend on the volume of credit card transactions you process and the channels through which you accept and process card payments. Because cybercriminals frequently change how they attempt to gain access to information, PCI compliance standards evolve to stay ahead of the latest breach tactics. In 2017, for example, the PCI SSC issued new standards to better protect digital commerce and mobile transactions. By the end of June 2018, hospitality businesses that work with online and e-commerce partners are expected to have disabled SSL/early TLS and migrated to TLS 1.1 or higher in order to remain compliant with the PCI Data Security Standard (PCI DSS) best practices for keeping payment data secure. SSL and early TLS are cryptographic protocols used to establish a secure communications channel between two systems and protect the confidentiality of the information passed between them.

PCI Compliance and Credit Card Processors

When your business relies on a credit card processor that guarantees PCI compliance, you have the peace of mind that sensitive payment information is protected during transaction processing; payment processors that guarantee PCI compliance use a number of security methods, including encryption and tokenization technology, to safeguard data. (They also update these processes to reflect current PCI compliance standards.)

Even so, business leaders should understand that transaction processing is just one aspect of PCI compliance. The breadth and scope of PCI compliance covers best practices at the point of sale and for record keeping, and advises on managing point-of-sale devices, software, networks, internal systems and passwords. Data thieves and cybercriminals are adept at seizing opportunities to exploit a business's vulnerabilities. It takes only one employee's decision to open a business email containing malware, or to process a payment transaction on an unsecured network, to expose your entire business to a breach.

The Costly Consequences of Non-Compliance

The legal implications of a breach, and the fines, fees or lawsuits your hospitality business could be subject to if a breach occurs, depend on the nature of the breach itself and the laws that apply to the area in which you do business. You may not be legally required to be PCI compliant, but your business could suffer serious consequences if a breach occurs and an audit reveals that you didn't follow the proper measures for handling sensitive data. For example, a business that processes credit card transactions but isn't PCI compliant could be fined by both credit card issuers and financial institutions, and sued by customers and other parties who suffer damages as a result of the breach. The impacts could be so devastating that your business never recovers from the event.

Assessing Your Adherence to PCI Compliance

The PCI Security Standards Council (PCI SSC) publishes the latest versions of PCI compliance standards on its website to help businesses remain aware of upcoming changes, and determine what processes are currently PCI compliant and where vulnerabilities may exist. If your IT team doesn’t have specific knowledge about PCI compliance, you can hire third-party vendors that work with your IT team to conduct quarterly PCI compliance audits, and scan for external and internal vulnerabilities. The PCI SSC provides a list of Qualified Security Assessors who conduct on-site PCI compliance audits for businesses.

PCI compliance is becoming increasingly important for businesses of all sizes, but particularly in the hospitality industry where credit card payments are common. The more you familiarize yourself with what PCI compliance entails, the better prepared your team is to proactively protect against the threat of a security or data breach.
