While the internet has brought us online check-ins, Uber, 24/7 shopping and countless other ways to make our lives easier and achieve our goals faster, the convenience also means that we enter our financial and personal data countless times every week. This makes us vulnerable to online fraud and data theft. To ensure that our payment data is secure, regulators have developed a PCI compliance code of practice.
Complying with PCI requirements is vital for any tour and attraction operator who accepts credit card payments. This blog post will take you through the ins and outs of PCI compliance for tourism businesses.
Understanding PCI compliance requirements
PCI stands for ‘Payment Card Industry’ and is usually followed by DSS, ‘Data Security Standard’. PCI compliance is monitored in part by the PCI Security Standards Council, a group started in 2006 to manage the Data Security Standard. It was formed by Visa, MasterCard, American Express, Discover and JCB (Japanese Credit Bureau). These companies also helped develop the standards, with the security and safety of online transactions as the primary consideration.
To be considered PCI compliant, tour and attraction operators need to:
- Install and maintain a firewall to protect cardholder information
- Avoid use of vendor-supplied defaults for system passwords and other security parameters
- Protect stored cardholder data
- Encrypt transmission of cardholder data across open, public networks
- Use and regularly update anti-virus software and systems
- Develop and maintain secure systems
- Restrict access to cardholder data on a need-to-know basis within the business
- Assign a unique ID to those who can access computers
- Restrict physical access to cardholder data
- Track and monitor all access to the network
- Test security systems on a regular basis
- Maintain a policy that addresses information security
Adhering to these standards is expected of all businesses in Australia. While this can seem like a hassle to businesses that are particularly small, or are just starting out, it is vital to ensure that your customers’ payment information is as secure and safe as possible.
Protect your tour business against the consequences of non-compliance
First things first, PCI compliance is a legal requirement, and you are therefore putting your business at risk of being financially penalised if you are breaching the standards. Customers who suffer damages due to a breach of your security system are also well within their rights to take legal action. Secondly, following the standards to the letter is the best way to protect your customers from fraud. What’s more, it will also protect your brand from potential damage, as security breaches result in a definite loss of customers and will impact your business’ reputation in the long term.
Even though becoming PCI compliant may seem like an expensive and time-consuming hassle, failing to follow the Data Security Standards is almost guaranteed to be a greater hassle for your business.
On the other hand, being PCI compliant will instantly elevate your business’ online trustworthiness and reputation, increasing your direct online bookings. Banks and credit card companies will also have no reservations about trusting you.
Avoiding bad compliance practice
Compliance means following all of the 12 standards listed above; failing to correctly follow even one of them is bad compliance practice. Many of the standards depend upon constant updates, reports and checks. A bad compliance practice would be treating PCI compliance as a roadblock, something that can be overcome with a small show of effort, rather than as an ongoing process. Antivirus software must be updated, and systems and policies within the business must be maintained and continually enforced by leaders.
Another example of bad compliance is storing credit card details. Your online booking platform should not require details to be stored. Keeping payment details in writing is also considered non-compliant as records can easily fall into the wrong hands. Payment security is always the most effective when there is no record of the details.
Working with vendors who are not PCI compliant makes you immediately liable. Vendors whose systems transmit credit card details to payment gateways without any encryption are not compliant and are therefore open to security breaches, meaning hackers may be able to gain access to your information. Likewise, vendors that store credit card details are not compliant, and interacting with these businesses places your business at immediate risk. You can tell that a website uses encryption if it features a padlock icon in the address bar, or if its URL begins with ‘https’ rather than just ‘http’. However, even with https, you still need to find out exactly how and where that data is stored. It is important to keep an eye out for these features in order to protect your business from the consequences of bad compliance.
How to check for PCI compliance?
You may work with a variety of vendors who claim PCI compliance. But like anything, these claims need to be checked before going ahead with any decisions.
Firstly, you can do a quick check on their website to see whether they list their credentials. However, don’t be fooled when you read text such as:
'Our servers are deployed to Amazon Web Services (AWS), which is a PCI DSS Level 1 compliant provider and provides a certified infrastructure for storing, processing, and transmitting credit card information'.
This means only that Amazon Web Services (AWS), where that vendor hosts their database, is PCI compliant; the vendor themselves and their application are NOT PCI compliant.
You may also see:
'Credit card information never passes through our servers (goes directly to payment gateway) and therefore is never stored by our servers'.
While no credit card data is being stored on their servers, they are still transmitting credit card data through to the payment gateway, and therefore still fall under PCI compliance testing.
If you are not sure, ask the vendor to send through a copy of their Certificate of Attestation. This certificate needs to be current and in the vendor’s business name (i.e. if you receive a copy of the certification in the name of Amazon Web Services, then this vendor is NOT compliant). Once you receive a copy of this certificate in the vendor’s name, you can be assured that they are fully PCI compliant in all levels of their operations and safe for your business and your customers to use.
Final thoughts
PCI compliance is an international standard that will protect your business from online threats related to transactions, such as fraud or identity theft. Following the PCI Data Security Standards ensures compliance for your business, helps you gain the trust of your customers, and enhances your reputation as a safe and effective business.
Looking for a payment gateway that will enable you to process online bookings safely and securely? Download our Payment Gateway Comparison matrix today.
Booking Boss is an online booking system for tour operators and attraction providers. Trusted by many in the tourism industry, Booking Boss is about getting you out of the spreadsheets and into the sun. We provide free education resources for operators like you, to make your business the best it can possibly be.