As a hotelier, you’ve all received warnings from PCI consulting firms, PCI Auditors, QSAs, ASVs, credit card acquirers and even the press: hotels must become PCI compliant or else!
Any industry – and ours in particular – has an obligation to safeguard the privacy of payment card information, yet a full-fledged PCI audit can be costly and time-consuming. But there’s good news on the horizon, especially when considering new advances in tokenization and cloud-based software.
Keep in mind the definition of PCI, in particular, PCI DSS. PCI DSS is the global data security standard adopted by the payment card brands for all entities that process, store or transmit cardholder data.
So what if the hotel doesn’t process, store or transmit cardholder data? PCI compliancy should not technically be required. With a combination of cloud-based PMS and tokenization, hotels can achieve this goal.
But what is tokenization? If someone enters a credit card number as part of a hotel reservation, for example, the PMS will not store the number but instead send the credit card number – encrypted of course – to an external tokenization service. The tokenization service returns an ID (the token) which the PMS stores. The tokenization services are themselves connected to authorization and payment services. So if the PMS wants to authorize or charge to the credit card, it sends the token back to the tokenization service along with instructions, such as the amount to charge.
Based on the above example, it might appear that the PMS application is responsible for transmitting the credit card number. But that’s not necessarily true. The credit card number field – along with expiration date field and security code field – do not physically need to be in the PMS. It might look like this information is in the PMS but it is really on a different server in a different application. As an Internet consumer, you may have experienced this when you pay with PayPal, for example. You never give the vendor your PayPal information. You give it to PayPal directly and PayPal gives the vendor a token.
So let’s look at the key definition of PCI compliancy again: process, store or transmit cardholder data. In the scenario described above, the credit card numbers are neither processed in the PMS, nor stored in the PMS, nor transmitted to or from the PMS. If the PMS and the tokenization service are all in the cloud, then the hotel might be exempt from PCI compliancy. In fact, the PMS company might be exempt as well. At most, PCI auditors should ensure that the PMS is handling tokenization correctly, but this is far from a fully-fledged PCI audit. The tokenization service provider is, of course, not exempt from PCI compliancy, but most tokenization providers have already achieved compliancy anyway.
So if you have a cloud-based PMS with tokenization, your PCI compliancy process could be quite straight-forward. And if you don’t yet have a cloud-based PMS that supports tokenization, selecting one just might be your fastest ticket to full compliancy.