What is PCI DSS?
PCI DSS is short for the Payment Card Industry Data Security Standard. Unlike GDPR, the PCI DSS is not a law, but a standard defined and maintained by an independent entity created by the major payment card brands. Whenever you want to accept credit cards from brands like VISA and MasterCard, you are required to be compliant with this security standard. The PCI DSS can be seen as a collection of best practices or rules on how to treat the sensitive payment card data entrusted to you by your guests, in order to prevent data breaches and fraud.
Do I have to be compliant?
Whenever you sign a contract with a payment service provider to process credit cards on-premises or online, you will have to demonstrate your compliance. Depending on the payment provider or the acquiring bank, you either have to fill out a self-assessment questionnaire or may even have to undergo an on-site audit with a Qualified Security Assessor (QSA).
What can happen if I am not compliant with PCI DSS?
If payment card data entrusted to you is leaked and misused, the payment brands will penalize the acquiring bank. Those fines may be passed on to you as the merchant if you are found to be non-compliant. They can be somewhere between 5,000 EUR and 100,000 EUR for every month you are non-compliant, and, in the worst case, you might lose the right to accept payment cards from the major payment card brands. In addition, you could face legal issues and damage to your reputation. So it is best to see the rules of the PCI DSS as a guide that helps you secure your business.
PCI compliance with apaleo
apaleo is a service provider for our customers and processes payments on their behalf. It is therefore very important for us to ensure that we are compliant with PCI DSS. We conduct on-site audits every year to prove compliance with PCI DSS. Our QSA, Adsigo, inspects the technical implementation to identify any potential ways in which sensitive cardholder data could be leaked, and also checks our security policies and processes. If compliance can be validated, we receive an attestation of compliance (AOC), which customers can download here. With this AOC and the acknowledgment of responsibility in the contract you have with apaleo, hoteliers can easily fulfill requirement 12.8 of the PCI DSS on service provider management.
apaleo allows you to run your business in compliance with PCI DSS, but there are still things you need to take care of. Full details on which requirements you need to fulfill can be found on the official website of the PCI Security Standards Council.
E-Commerce and Mail Order / Telephone Order (MoTo)
If you accept cards on your website and other online channels like booking.com, or you accept credit cards for mail and telephone orders, then the PCI requirements will, at most, relate to restricting user access to cardholder data, ensuring the compliance of your service providers and maintaining an incident response plan. This also depends on your bank or payment service provider.
Card-present with modern IP-based card terminals
If you also process payment cards on-premises using a modern IP-based terminal connected to the payment service provider through the internet, you will be exposed to additional requirements. Most banks or payment service providers will only hold you to this higher standard if you are processing a high volume of terminal transactions, though. Adyen currently only does so if you process more than 1 million transactions.
If so, you will have to clearly separate the network of the IP terminals from the other networks in your hotel and have firewall rules in place that ensure the terminals can only communicate with the payment service provider through securely encrypted connections. All systems connected to the network of the IP terminals belong to the so-called cardholder data environment (CDE). Only authorized persons should have access to those systems, which also means heavier policy and documentation efforts for you. On top of that, you will have to run a quarterly external vulnerability scan.
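The segmentation described above boils down to a default-deny policy at the boundary of the terminal network: terminals may only open encrypted connections to the payment service provider, and nothing else may initiate connections into the terminal segment. The following is an added example, not apaleo's code or Adyen's configuration. It models that policy in Python so that candidate flows can be checked against it, and renders the same policy as an nftables forward chain. All addresses are constructed: the terminal VLAN 10.50.0.0/24, the office network 10.10.0.0/16, and the placeholder PSP endpoint 203.0.113.10 (a documentation address, not a real provider's) on TCP 443.

```python
"""Added example: CDE boundary policy for an IP-terminal network.

Not part of the original page. All networks and the PSP endpoint below are
constructed placeholders; substitute your own segments and the addresses
your payment service provider documents.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

TERMINAL_NET = ip_network("10.50.0.0/24")   # constructed: the CDE segment
PSP_ENDPOINT = ip_address("203.0.113.10")   # placeholder PSP address (TEST-NET-3)
PSP_PORT = 443                               # terminals speak TLS to the PSP only


@dataclass(frozen=True)
class Flow:
    """A new connection attempt seen at the firewall (constructed input)."""
    src: str
    dst: str
    dport: int
    proto: str = "tcp"


def flow_allowed(flow: Flow) -> bool:
    """Decide whether a new connection is permitted by the CDE policy.

    Only terminal -> PSP on the TLS port is allowed to leave the segment;
    no host outside the segment may initiate a connection into it. Flows
    that never touch the terminal segment are not governed by this policy
    and are passed through to the hotel's ordinary rules.
    """
    src, dst = ip_address(flow.src), ip_address(flow.dst)
    if src in TERMINAL_NET:
        return (dst == PSP_ENDPOINT and flow.dport == PSP_PORT
                and flow.proto == "tcp")
    if dst in TERMINAL_NET:
        return False
    return True


def denied_flows(flows: list[Flow]) -> list[Flow]:
    """Return the flows a review of the policy would flag as blocked."""
    return [f for f in flows if not flow_allowed(f)]


def render_nftables() -> str:
    """Render the policy as an nftables forward chain with a drop default.

    Replies to connections the terminals opened are accepted via conntrack;
    every other packet touching the terminal segment is logged and dropped,
    so blocked attempts are visible to whoever monitors the firewall.
    """
    net, psp = TERMINAL_NET.with_prefixlen, str(PSP_ENDPOINT)
    return "\n".join([
        "table inet cde {",
        "    chain forward {",
        "        type filter hook forward priority 0; policy drop;",
        "        ct state established,related accept",
        f"        ip saddr {net} ip daddr {psp} tcp dport {PSP_PORT} ct state new accept",
        f'        ip saddr {net} log prefix "cde-egress-denied " drop',
        f'        ip daddr {net} log prefix "cde-ingress-denied " drop',
        "        accept  # traffic outside the CDE: hotel's existing rules apply",
        "    }",
        "}",
    ])


if __name__ == "__main__":
    # Constructed sample flows: one legitimate PSP connection and three
    # attempts the policy must block (plain HTTP out, file sharing into the
    # office network, and an SSH attempt from the office into a terminal).
    samples = [
        Flow("10.50.0.5", "203.0.113.10", 443),
        Flow("10.50.0.5", "203.0.113.10", 80),
        Flow("10.50.0.5", "10.10.0.20", 445),
        Flow("10.10.0.20", "10.50.0.5", 22),
    ]
    for f in denied_flows(samples):
        print(f"denied: {f.src} -> {f.dst}:{f.dport}/{f.proto}")
    print(render_nftables())
```

The chain is deliberately written so that the only way out of the terminal segment is the one explicit accept rule; adding a second PSP endpoint means adding a second accept line, never loosening the drop rules. The logged drops are also the evidence an assessor will ask for when checking that the segmentation actually holds.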