Understanding PCI Compliance for Attractions and Tour Operators

Posted by The Embed Team on 09-Oct-2018 08:48:15

PCI Compliance and the Travel Industry

Would you believe us if we told you PCI compliance can elevate your business’ online trustworthiness and grow your direct bookings?

Though it sounds boring, there is truth to it! Hear us out...

As a tour operator or attraction, you are likely to be selling tickets for your product online. To process an online payment, your customer needs to enter their credit card details and other relevant personal data. While this is necessary for convenience and to create a sale, it can expose the buyer to online fraud and data theft. In response to data theft, regulators have developed a PCI compliance code of practice. PCI (Payment Card Industry) compliance should be an important component of your company's online payment system. Some organisations (mainly government agencies, banks and credit card issuers) refuse to do business with vendors that are not PCI compliant, because the issue is one of trust.

Understanding PCI Compliance

The PCI Security Standards Council was created in 2006 to maintain the data security standards. The group comprises the major credit card issuers, who developed the standards to ensure that the greatest measure of security has been considered for the protection of the customer. It is in the best interests of Visa, MasterCard, American Express, Discover and JCB to protect users, as victims of fraud immediately turn to their banks for assistance (and to the website where they encountered the issue).

Here are all the many many many many many steps to PCI Compliance:

[Image: the steps to PCI compliance]

That's a lot of steps, right?

While these steps may seem tedious, take a moment to consider yourself as a customer of a business that has not taken all of these precautions. You want to avoid being the facilitator of credit card fraud, as your customers will remember your company as the one their details were stolen from. Your reputation will be negatively impacted, and that is likely to cost you customers. The thing to remember here is that, as a business, you need to work with vendors that have gone through this process. That covers you for the most part; however, there are some internal processes that you should review.

What does non-compliance look like?

Do you take a booking over the phone and write the credit card number down on a piece of paper? This is non-compliance. The customer doesn't know what you do with the piece of paper: it could be lost, filed, or not destroyed properly.

Does your online booking system store credit card details in another database for you to access at a later stage? This procedure is not PCI compliant, because you can still access the credit card details of past clients in the days, months or years after they have travelled.

You can see the picture here, right? If you can access credit card information at any time, then it is not considered PCI compliant.
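An added example, not part of the original article, of the kind of check a business can run over an export of booking notes to find card numbers that should never have been written down: the records and column layout are constructed, and the card numbers are public test numbers.

```python
import re

# 13 to 19 digits, optionally split by single spaces or dashes, not
# embedded in a longer digit run.
PAN_PATTERN = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_valid(digits: str) -> bool:
    """True if the digit string passes the Luhn check used by card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def mask_pan(digits: str) -> str:
    """Show only first six and last four digits so the report itself holds no PAN."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def find_pans(text: str) -> list:
    """Masked PANs in text; Luhn rejects booking refs and phone numbers."""
    found = []
    for match in PAN_PATTERN.finditer(text):
        digits = re.sub(r"[ -]", "", match.group())
        if luhn_valid(digits):
            found.append(mask_pan(digits))
    return found


def scan_records(records):
    """(record_id, masked_pan) for each record that still holds a card number."""
    return [(rec_id, pan) for rec_id, note in records for pan in find_pans(note)]


# Constructed booking-notes export; the card numbers are public test numbers.
SAMPLE_RECORDS = [
    ("BK-1001", "Paid on arrival. Phone 0412 345 678."),
    ("BK-1002", "Phone booking, card 4111 1111 1111 1111 exp 09/20, charge on day"),
    ("BK-1003", "Ref 1234567890123456 from agent, deposit received"),
    ("BK-1004", "Customer card on file: 5500-0000-0000-0004"),
]

if __name__ == "__main__":
    for rec_id, pan in scan_records(SAMPLE_RECORDS):
        print(f"{rec_id}: stored card number {pan}")
```

Any hit means card data is sitting where your staff can read it later, which is exactly the situation the article describes as non-compliant; the report masks the numbers so that running the check does not create another copy of them.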

Simple steps to ensure your business is compliant

First things first: review your internal processes and highlight any gaps you may have. Some of the more common gaps are:

Taking bookings over the phone that require payment.

You have a few options here:

1. Take payment once the client arrives and process the payment with them present

2. Many accounting systems let you invoice directly, with a payment link connected to your account or gateway so that customers enter their own credit card information and make the payment themselves. While you will need to allocate the payment to the booking manually, it means you are covered.

3. If you want to go to the next level, you can use a PCI DSS compliant service provider that routes the caller away during the payment step, lets the customer enter their credit card information securely, and then routes the call back to you once payment is complete. This further reduces your cardholder data environment (CDE) and your risk, and makes it easier to meet PCI requirements.

Taking online booking payments

Make sure you research your payment gateway providers thoroughly, especially if you are an attraction or tour that is highly reliant on the weather. Some payment gateways can pre-authorise the card but not capture the payment until you authorise it (similar to a hotel pre-authorising your card at check-in). That way, if the tour goes ahead, the payment is taken. If the tour does not go ahead and the customer requests a refund, the funds are simply released back to the card.

Make sure your ticketing and booking management software is fully compliant. This means not only the infrastructure the system is built on (such as Amazon Web Services, which is PCI compliant) but the application itself. You can read more about this here. If you are unsure, simply ask the vendor to provide a current Attestation Certificate as proof (this is only issued to businesses that have successfully gone through the compliance process and testing shown in the complicated image above). In 2018 there are still businesses transmitting credit card details to payment gateways without any encryption, which leaves that sensitive data exposed to attackers, so this is very important for you to review.

Are there consequences of non-compliance?

So, here's the issue. In Australia, PCI compliance is not a legislative requirement for your business. In the US, while it is not required by federal law, it can be required by some states. However, should your company suffer a data breach, you may be financially penalised, and you may also face legal action from customers who suffered because of faults in your security. So regardless of the legal position, it is still a very important process to review.

And what is the best way to avoid data breaches and online fraud? PCI compliance!
It is truly in your best interests to engage with PCI compliance for your business: it protects your customers, helps direct bookings, can grow your reputation, shows commitment to best practice and makes you a preferable partner for other businesses.

While following PCI compliance may seem like a hassle, it is not as hard as you think, and once you have reviewed your processes and put the right ones in place, you can rest assured that you have taken the necessary steps to cover your customers and your business.

Final thoughts

Don’t forget that PCI Compliance is an international standard and it has been developed to protect the cardholder and also your business. Listing your PCI Compliance shows your commitment to online safety and efforts against fraud. It can help you gain trust and develop your reputation as a responsible and effective business.

Are you looking for a payment gateway that will help your business process online bookings safely and securely? Read our blog on Understanding How Payment Gateways Work to get an idea of what is appropriate for your tour operator business or attraction.
