
PCI Compliance for Tour and Activity Providers – What It Is and Why It Is Important

Posted on January 16, 2011
Stephen Joyce asked:
PCI Compliance stands for “Payment Card Industry” Compliance, a set of security standards developed by the credit card brands (Visa and Mastercard) to protect customer credit card data. You have probably heard in the past about systems being hacked and credit card numbers being stolen by cyber thieves. The PCI Data Security Standards were developed in order to ensure that merchants comply with certain security requirements or else face stiff penalties should something happen.

PCI Compliance is of extreme interest to the travel and tourism industry because, unlike most other industries, there is a gap between the booking and the delivery of the service during which the credit card needs to be stored, so that the booking can be charged once the service is delivered or shortly before. This, however, is not allowed in a PCI Compliant environment, and as such you may be at risk of being fined should someone get hold of your customers’ credit card data. The important thing to remember here is that the standards don’t just apply to your website but to your business in general. Storing credit card numbers on paper in an unlocked filing cabinet is just as big a no-no as storing them in your reservation system.

Depending on the number of transactions you expect to process, your merchant level will differ and your requirements for compliance will change. In general, though, there are two parts to the compliance process:

PCI Compliance Scans: This involves having a PCI Approved Scanning Vendor (TrustGuard or SecurityMetrics, for example) run regular vulnerability scans on your server or website to ensure that it meets minimum requirements. If you are using a third-party booking engine, then you should include it in the scan as well.

Report on Compliance: This is a report that you submit to your merchant processor (or acquirer) stating your compliance with the standards. The report is a set of pre-formatted yes or no questions that you answer and submit (generally on-line). If you fail any of the compliance questions, you will need to adjust your policies to correct the failure and re-submit the report.

Unless you are doing more than 6,000,000 transactions per year, both the scan and the report can be completed through an on-line service provider like TrustGuard or SecurityMetrics. If you do more than 6,000,000 transactions, then you will require a QSA (Qualified Security Analyst) to do an on-site audit of both your facilities and your server hosting environment. Needless to say, this level of compliance is very expensive.

In general, in order to be compliant, you need to:

- Ensure your website is properly secured.
- Protect cardholder information by encrypting it and NOT storing it after processing.
- Have up-to-date anti-virus on all your computers.
- Make sure everyone in your business has their own administrative account for your reservation system.
- Make sure credit card information is only made accessible on a need-to-know basis.
- Make sure your administration system has proper activity and security logging.
- Regularly test your security systems to make sure they are working and compliant.
- Maintain a security policy that addresses your security.
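As an added example (not part of the original post), the following Python snippet shows what “NOT storing it after processing” looks like for the booking-to-delivery gap described above: the reservation record keeps a processor token plus a masked card number instead of the full PAN, and a small scanner flags any record field where a full, Luhn-valid card number has slipped in (free-text notes are the usual culprit). The field names, the token format and the sample card number are constructed for illustration; the token is assumed to come from your payment gateway.

```python
import re
from typing import Dict, List

# Constructed sample: a well-known test card number, not a real card.
SAMPLE_PAN = "4111111111111111"

# 13-19 digits, optionally separated by single spaces or dashes,
# and not embedded inside a longer run of digits.
PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_valid(digits: str) -> bool:
    """Luhn check-digit validation used by all major card brands."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit from the right
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Keep only the first six and last four digits; the middle is never kept."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def make_booking_record(pan: str, processor_token: str, tour_date: str) -> Dict[str, str]:
    """Reservation record that holds a gateway token instead of the card number."""
    return {
        "tour_date": tour_date,
        "card_ref": processor_token,    # hypothetical gateway token, e.g. "tok_8f3a9c"
        "card_display": mask_pan(pan),  # enough for staff to recognise the card
    }


def find_stored_pans(record: Dict[str, str]) -> List[str]:
    """Return the names of fields that hold a full, Luhn-valid card number."""
    hits = []
    for field, value in record.items():
        for match in PAN_CANDIDATE.finditer(str(value)):
            if luhn_valid(re.sub(r"[ -]", "", match.group())):
                hits.append(field)
                break
    return hits


if __name__ == "__main__":
    good = make_booking_record(SAMPLE_PAN, "tok_8f3a9c", "2011-03-14")
    bad = {"tour_date": "2011-03-14", "notes": "card 4111 1111 1111 1111 exp 03/13"}
    print("compliant record:", find_stored_pans(good))     # []
    print("non-compliant record:", find_stored_pans(bad))  # ['notes']
```

Running the scanner over exported reservation records is a cheap way to catch card numbers typed into notes fields before an ASV scan or a Report on Compliance does.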

In reality, a security policy is simply a document that outlines what you do about security and why. In the event of a security issue, your policy provides the guidance you need.

Kansieo.com