PCI and PSD2 Compliance: Why Are Hotels on the Hook?

By Hotel Tech Report

Last updated May 16, 2022

4 min read

image description

Maybe you’ve heard about one of the many recent data hacks at businesses around the world. Or maybe one of these hacks affected you personally. In the last few years, hotels and hospitality companies (such as Sabre, Marriott, and Omni Hotels) have been hit by a seemingly never-ending barrage of security breaches that result in the theft of personal information, credit card numbers, and other sensitive data.

These days, cyber security and regulatory compliance aren’t just necessary skills for the IT team. Every hotel manager - even the “non-tech savvy” ones - must understand these crucial components of data protection in order to protect their businesses. In this article, we’ll explain PCI and PSD2 compliance and describe actionable steps you can take today with systems like SHR Windsurfer Booking Engine to protect your hotel business from online threats.

What is PCI compliance?

Established in 2006, PCI stands for the Payment Card Industry Data Security Standard, which contains guidelines for accepting, storing, and processing credit card information. An organization is PCI compliant when it follows these regulations. PCI was put in place to protect consumers’ sensitive data, and, as a result, every merchant that uses credit card information must follow these rules, from small businesses to large corporations.

Examples of these guidelines include using an online checkout/payment page controlled by a licensed 3rd-party service provider, storing credit card data via a 3rd-party “vault” provider rather than in your own system, and masking the full credit card number on receipts, showing only the last 4 digits instead.

What does PCI compliance mean for your hotel business?

In an industry that processes billions of dollars in transactions per day, it makes sense that hotels would be attractive targets for hackers. Furthermore, a typical hotel uses several different payment and management systems which many employees can access, which can heighten the likelihood of a breach. No hotelier wants to suffer the loss of money and trust that comes with a cyber attack.

For these reasons, it’s crucial that every hotelier maintain PCI compliance not only at the front desk, but in all of the systems that access or use guest data. A few rules of thumb include using PCI-compliant POS and PMS providers, storing both digital and paper data securely, and limiting access to sensitive data to only the employees who truly need it. PCI compliance training is readily available online, and many hoteliers require new employees to take a PCI compliance course before handling guest payment information. Taking the time to adhere to the PCI guidelines now can prevent costly security breaches later.

“The attack on Marriott was hapless and still has many gaps to fill on what actually happened. A popular entry point for adversaries is through email spoofing. This tactic is used in phishing in order to get malware onto a target network to then move laterally across all systems,” Ryan Cornateanu, Application Security Engineer @ CrowdStrike.

The Next Evolution of PCI: What is PSD2?

As more and more transactions occur online, and as payment technology evolves, the PCI-DSS regulations outlined in 2006 needed some updating. In September 2019 the Payment Services Directive 2 (PSD2) went into effect and applies any businesses who could potentially engage with European customers. Even businesses with little international business should still comply, since regulations like these are often mirrored in the United States and other countries soon after.

Here at Hotel Tech Report we use Stripe to process payments and even with this top tier provider, we had to reinvent our entire payments infrastructure to comply with this regulation and some of its intricacies around payment authentication.

PSD2 includes enhanced guidelines for online payments and the handling of sensitive data to reduce the risk of credit theft, fraud, and security breaches. One major change is the requirement of Strong Customer Authentication (SCA) for online transactions. With SCA, rather than simply typing in a credit card number and clicking “pay,” consumers will need to provide a second layer of authentication, which could be a PIN code or an SMS verification code, before the payment can go through.

What does PSD2 mean for your hotel business?

Guests book nearly three-quarters of hotel reservations online, so PSD2 will likely impact every hotelier as Strong Customer Authentication (SCA) becomes a requirement for payment processing. Hoteliers should ask the following questions to determine if changes are necessary:

  • Does my hotel’s website have a payment system that allows for SCA, such as text message verification codes or biometric data (like Face ID on an iPhone)?

  • Do the OTAs I work with require SCA when accepting payment from guests?

  • Does my hotel receive virtual credit card numbers from OTAs? If so, virtual credit cards cannot satisfy the SCA requirement, so OTA payouts may need to switch to bank transfers.

  • Does the front desk staff or night auditor process payments sometime between booking and arrival? For example, if 50% of the reservation payment is due at the time of booking and the remaining 50% is due 7 days before arrival. Guests can complete SCA when they make the reservation, but not for charges initiated by the hotel at a different time.

  • Are any charges processed after the guest has checked out, such as minibar chargers? To prevent any hiccups with payment after check-out, charge an authorization on the guest’s card for the full incidental amount and have the guest provide two-factor authentication in person, such as chip-and-pin, when the guest checks in.

The key takeaway here is that transactions initiated by the hotel at a time when the guest isn’t present won’t comply with PSD2 requirements. Guests must be able to complete a two-factor verification step for each payment, such as when they book the reservation or when they check out, so hoteliers may need to modify their payment processes if payments occur outside of these times. In the midst of all these changes, there is a silver lining: because of increased payment security, the amount of chargebacks will likely become much lower, which is something all hoteliers can celebrate.

How to safeguard your hotel against potential breaches

For many hoteliers, complying with these new regulations may sound daunting. In addition, although guest data will be more secure with SCA, the payment process does become more cumbersome, which could lead to a decrease in conversion while guests get used to the extra step.  How can you maintain guest satisfaction while ensuring top-notch data security?

Most hotels do not have large IT teams, on-site cyber security experts, or massive budgets to spend on data security. However, none of this is necessary to maintain a secure environment for your hotel’s sensitive data. One of the best ways to prevent potential cyber threats is to partner with a technology system with expertise in PCI and PSD2 compliance.

Partner with great tech companies for knowledge sharing and compliance

Great tech companies will act as your compliance partners and have built their platforms in compliance with local and global regulations to take some of the burden off of hoteliers.  Siteminder's Booking Button booking engine, for example, is fully SCA compliant and seamlessly integrates multi-factor authentication in a way that does not disrupt the guest experience. Siteminder's Payments system meets SCA standards so you can rest assured that payments will be handled without a glitch. Siteminder's team is also well-versed in data security strategies, so they can be valuable resources for hoteliers in this time of transition.

Siteminder doesn’t only meet data security guidelines today from a software perspective, but their teams are constantly working toward better and more secure technology. Through continuous innovation, their system is “future proof” and will evolve as additional security measures are available.

By partnering with a trusted technology solution and investing in PCI and PSD2 compliance now, hoteliers can prevent the potential catastrophe that could come with the theft of sensitive data. Your hotel provides great guest service, but you want to ensure hackers and cyber criminals know they’re not welcome at your property.