If you haven’t heard of PCI Compliance yet, you will soon. The Payment Card Industry (PCI) has published a Data Security Standard (PCI DSS) that requires any organization that accepts, acquires, transmits, processes, or stores payment card data to protect that data.
Before the end of the year, you will need to complete an online Self-Assessment Questionnaire (SAQ) to attest that you handle credit card data in compliance with the standard. Failure to comply can cost you the ability to accept credit cards. This is a serious matter.
What You Need to Know
The PCI Data Security Standard, commonly referred to as “PCI,” covers several areas: physical security of your facility, policies on when and how you process cards, and procedures for how the data is handled once the charge has been processed. It also covers how your computer network is set up, both in-house and for any outside access you allow. If you are using reservations software that processes the credit card during the reservation process, the software itself must be kept secure against attackers. The last components are ongoing monitoring of your network for malware and regular testing of your systems: external vulnerability scans, and testing your defenses through controlled outside attack attempts in what is known as a penetration test. Your credit card processor can typically point you to an approved scanning vendor that performs the required external scans.
The Whole Number
One of the basic requirements of compliance is to protect the credit card number from ever being displayed in full. PCI DSS permits at most the first six and last four digits to be shown; in practice, only the last four digits should be visible after a transaction. You are NEVER allowed to handwrite a whole credit card number on any document. Likewise, no printed document, including credit card receipts, trip tickets, confirmations or any other document, may contain the whole number.
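A practical way to enforce this rule is to scan documents, exports and log files for anything that looks like a full card number and mask it before it is printed or displayed. The following is an added example (not code from the original article or from any reservations product): it finds candidate card numbers in text, keeps only those that pass the Luhn mod-10 check that every real card number satisfies, and rewrites them to show just the last four digits. The sample text, the test card numbers and the function names are constructed for illustration.

```python
import re

# Candidate formats: 16 digits in groups of four (spaces or dashes optional),
# the 4-6-5 grouping used by 15-digit cards, or a bare run of 13-19 digits.
# The lookbehind/lookahead stop a phone number or date fragment from being
# glued onto a neighbouring card number.
PAN_CANDIDATE = re.compile(
    r"(?<![\d-])(?:"
    r"\d{4}[ -]?\d{4}[ -]?\d{4}[ -]?\d{4}"   # 4-4-4-4
    r"|\d{4}[ -]?\d{6}[ -]?\d{5}"            # 4-6-5
    r"|\d{13,19}"                             # ungrouped
    r")(?![\d-])"
)


def luhn_valid(digits: str) -> bool:
    """True if the digit string passes the Luhn mod-10 check.

    Every real card number passes it; roughly nine in ten random digit runs
    (confirmation numbers, ticket IDs) do not, which filters false hits."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:            # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(digits: str, keep_last: int = 4) -> str:
    """Replace all but the last `keep_last` digits with '*'.

    PCI DSS allows at most the first six and last four digits to be shown;
    this example follows the stricter last-four-only practice."""
    return "*" * (len(digits) - keep_last) + digits[-keep_last:]


def find_pans(text: str) -> list:
    """Return (start, end, digits) for every Luhn-valid card number in text."""
    hits = []
    for m in PAN_CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if luhn_valid(digits):
            hits.append((m.start(), m.end(), digits))
    return hits


def redact_pans(text: str) -> str:
    """Return text with every detected card number masked to its last four."""
    out, last = [], 0
    for start, end, digits in find_pans(text):
        out.append(text[last:start])
        out.append(mask_pan(digits))
        last = end
    out.append(text[last:])
    return "".join(out)


# Constructed sample: a trip-ticket style text containing two well-known
# test card numbers (not real accounts), a 16-digit confirmation number that
# looks like a card but fails the Luhn check, a date and a phone number.
SAMPLE = """Trip ticket 2020-05-04
Confirmation 1234567890123456
Card: 4111 1111 1111 1111
Alt card: 5500-0000-0000-0004
Phone: 555-123-4567
"""

if __name__ == "__main__":
    for _, _, pan in find_pans(SAMPLE):
        print("full card number present, would display as:", mask_pan(pan))
    print(redact_pans(SAMPLE))
```

Run it over exported receipts, confirmation templates or application logs: any hit means a full number is being written somewhere it should not be. The matcher is a heuristic, so treat a hit as a pointer to investigate the document or the software that produced it, not as the final word.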
Who Sees It?
The fewer people who see the whole credit card number, or can look it up in full on a computer, the better. The only person in your organization who needs the whole number is the person reconciling credit card transactions to bank deposits, and even that person should access it only when investigating a discrepancy. The same person should also handle credit card disputes, to keep the number of people with access to a minimum.
Firm policies should be in place for handling the credit card. Verifying that the cardholder’s identity matches the card should be a top priority, but PCI Compliance is intended to prevent data breaches, not identity theft, although stolen credit card information may well lead to identity theft. Once a credit card has been entered into reservations software and processed, the number displayed to the employee from that point on should show only the last four digits, and the full number should never again be accessible to that employee.
This is probably the most challenging concern for merchants. Most of us lack the computer knowledge to tell whether our network is completely secure, or even how credit card numbers are stored on a network server. A simple test: if you can create a new reservation for a client and his credit card data is automatically carried over to the new reservation, then the full number is being stored on your office computer or server. Those transactions are processed over the Internet, which means the computer holding the numbers is connected to the Internet and exposed to attack.