Ensuring Credit Card Security via PCI Compliance:
What Hotels Need to Know
September 13, 2006 - In modern times, it seems that most people are concerned about credit card security – an issue that has come to the forefront in today’s world of paperless financial transactions. The credit card industry has responded to these concerns by requiring businesses to achieve PCI compliance – in other words, compliance with a new, universal security standard. The fact is, skillful hackers can access an individual’s personal information via the Internet and use it to damage that individual’s credit, financial standing, and more. According to one recent study, the total fraud amount in 2006 was approximately $56.6 billion, and the mean fraud amount per fraud victim rose in the same year to $6,383 - significant costs for the significant problem of credit card security. The majority of businesses today, whether primarily based online or off, use computers to conduct financial transactions, and it is imperative that credit card security be a top consideration. In response to growing concerns, the major credit card companies have taken steps to protect consumers by requiring merchants to fulfill a list of requirements and become certified. Those in the hotel industry must be aware of the requirements for PCI compliance or face high fines and consumer distrust.

The History of PCI Compliance and Certification

In 2001, Visa created a program known as the CISP (Cardholder Information Security Program) that was meant to heighten credit card security among merchants using the Visa brand. In 2005, this credit card security program was expanded and embraced by all major credit card companies, including MasterCard, Discover, and American Express, as well as Visa. The standard became known as the Payment Card Industry (PCI) Data Security Standard. Merchants were required to achieve PCI compliance by June 2005 or else face considerable fines in the event of a security breach. However, even one full year after the deadline, not all merchants have been properly certified.

Merchant Categories

PCI compliance is required for all merchants that process credit card transactions, including hotels. Merchants are further broken down into four categories:

1. Merchants with more than 6,000,000 transactions per year, or merchants who have experienced security breaches.
2. Merchants with 150,000 to 6,000,000 transactions per year.
3. Merchants with 20,000 to 150,000 transactions per year.
4. Merchants with fewer than 20,000 transactions per year.

The problem arises when merchants are not aware of the need for PCI compliance and therefore do not become certified. For example, hotels located on university campuses are considered to be part of those universities. As a result, such hotels are treated as having a large number of yearly transactions when combined with those of the universities, even if the hotels themselves would not fall into one of the higher merchant categories on their own. These hotels may have previously dismissed the need for PCI compliance, but they are now being reviewed closely and may face large fines for the oversight, particularly if they have had issues with credit card security in the past.

In the next few years, medium- and large-sized hotel chains are going to find that they too are being scrutinized for the measures they have taken to ensure credit card security, and that any vendors with which they are involved also need to be certified. This process is neither simple nor inexpensive, but it is absolutely critical. Fines may be levied on the hotel, and consumers may not trust a hotel chain that is not PCI certified. In addition, if a security breach does happen and the hotel has not achieved PCI compliance, the hotel will face even larger fines.

PCI Certification – An Overview

In order to achieve PCI compliance, there are six major goals that a merchant is required to meet. Within each...