PCI Compliance – Why spas, hotels and resorts can no longer ignore it!

Years ago, a merchant’s crime threats were limited to an armed delinquent or a shoplifter. Today you can add the cyber thief to that list. This thief is looking for a more profitable payoff, your customer’s/guest’s payment card information. He or she is much more savvy and capable of doing more harm to your business than just emptying your hotel’s front desk float or spa’s cash register. This breed of thief can cost you thousands of dollars, your reputation, and the ability to accept payment cards.

Since January 2005 more than 245 million records containing sensitive and personal information have been exposed in security breaches in the US alone (PrivacyRights.org). In 2007, the number of attacks on payment card processing doubled from 2006, a trend that we don’t see diminishing. According to Visa Inc., 80% of all identified compromises occurred at Level 4 merchants – businesses that process fewer than 1 million payment card transactions each year. And if you thought the hotel, resort, spa, or hospitality industries were at all exempt from that, think again. Upwards of 55% of credit card fraud comes from the hospitality industry (The PCI Compliance Process for Hotels, American Hotel & Lodging Association).

The Payment Industry’s Response

In 2006, the major payment card brands joined together to form the PCI Security Standards Council, the body that maintains the Payment Card Industry Data Security Standard (PCI DSS, or simply PCI), first published in late 2004. PCI DSS was established to reduce the risk of cardholder data being mishandled, to raise the baseline of payment account data security, and ultimately to protect the cardholder. By 2007 the card brands’ grace periods had ended and compliance became mandatory for every merchant that accepts payment cards.

The Implications of PCI Non-Compliance

All business operations accepting credit and debit cards must adopt processes to protect sensitive customer payment information; complying with PCI is not optional. Non-compliance puts the operation at great risk, leaving the business and its customers/guests vulnerable. Operations face fines of up to $500,000, increased card processing fees (or worse), the loss of the ability to accept payment cards, bad publicity, and brand devaluation. The consequences range from monetary to business-ending.

Hospitality Industry’s Responsibility

Unfortunately, spa, leisure, hotel, and resort operations are lagging behind other industries. The clock is ticking and the hospitality industry needs to embrace the requirements set forth to comply with PCI. At the core of this situation is the abundance of legacy software systems still being used in spas, hotels, and resorts. Although the responsibility to comply with PCI isn’t all about technology, software undoubtedly plays a large role. Many of these archaic systems cannot properly encrypt and secure sensitive cardholder information, or transmit it securely to your selected credit card processor. And because of architectural limitations, many of them can never be updated to meet PCI standards. Your software could be hindering you from compliance and putting your operation, customers, and guests at great risk.

What Spas, Hotels, Resorts and Leisure Operations Need to Do

PCI compliance is the responsibility of the merchant – the hotel, the spa – not of the software vendors. The onus is on you: make it your business to find out whether your software system(s) meet, or are at least undergoing the process necessary to meet, the PA-DSS (Payment Application Data Security Standard, the validation program for commercial payment applications; formerly Visa’s PABP, Payment Application Best Practices). If you are using a custom or in-house application, PA-DSS does not apply to it, and you are responsible for making that application meet the PCI DSS requirements as part of your own assessment. Visa Inc. requires all applications in use to be PA-DSS compliant by July 1, 2010. The PCI Security Standards Council publishes the list of validated payment applications on its website. In the meantime, there are some simple things you can do to quickly evaluate whether your software meets even the most fundamental PA-DSS criteria.

  • Are users automatically logged off, and required to re-authenticate, after no more than 15 minutes of inactivity?
  • Is the card number (PAN) on folios, receipts, and reports masked so that at most the first six and last four digits are visible?
  • Is the PAN rendered unreadable wherever it is stored (truncated, tokenized, or encrypted with strong cryptography), including in the database, logs, and backups?
  • Are full track data, card verification codes (CVV2/CVC2/CID), and PINs never stored after authorization – not even encrypted? Storing this sensitive authentication data is prohibited outright; encrypting it does not make it acceptable.
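
The last three questions can be partly answered by inspecting what your system actually writes to disk. The following script is an added example (not part of the original article and not code from any vendor): it scans exported rows from a hypothetical legacy folio or spa database for Luhn-valid card numbers in the clear, for ISO 7813 track 1/track 2 patterns, and for fields named like a card verification code, and shows the first-six/last-four masking the standard permits. The sample rows and field names are constructed for illustration.

```python
"""Scan exported records for cleartext cardholder data (added example).

Findings map to the PA-DSS / PCI DSS questions above:
- cleartext_pan:       a full, Luhn-valid card number appears unmasked
- track_data:          full magnetic-stripe track data is stored
- verification_code:   a CVV2/CVC2/CID-style field holds a value
The last two must never be stored after authorization, even encrypted.
"""
import re

# A run of digits, optionally separated by single spaces or dashes.
RUN_RE = re.compile(r"\d(?:[ -]?\d)+")
# ISO 7813 track 1: %B<PAN>^NAME^YYMM...  and track 2: ;<PAN>=YYMM...
TRACK1_RE = re.compile(r"%B\d{13,19}\^[^^]*\^\d{4}")
TRACK2_RE = re.compile(r";\d{13,19}=\d{4}")
# Hypothetical field names a legacy schema might use for verification codes.
CVV_FIELD_RE = re.compile(r"\b(?:cvv2?|cvc2?|cid|cav2)\s*[=:]\s*(\d{3,4})\b", re.I)


def luhn_ok(digits: str) -> bool:
    """Luhn (mod 10) check used by all major card brands."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def find_pans(text: str) -> list:
    """Return Luhn-valid 13-19 digit numbers found in the clear.

    Masked values such as 550000******0004 break the digit run and are
    therefore not reported. Longer runs are scanned longest-window-first so
    a PAN glued to another number is still found.
    """
    found = []
    for m in RUN_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        i = 0
        while i <= len(digits) - 13:
            hit = None
            for n in range(min(19, len(digits) - i), 12, -1):
                cand = digits[i:i + n]
                if luhn_ok(cand):
                    hit = cand
                    break
            if hit:
                found.append(hit)
                i += len(hit)
            else:
                i += 1
    return found


def mask_pan(pan: str) -> str:
    """Display form allowed on receipts/reports: first six and last four only."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def scan_rows(rows: list) -> dict:
    """Classify each exported row; returns row indices (and PANs) per finding."""
    report = {"cleartext_pan": [], "track_data": [], "verification_code": []}
    for idx, row in enumerate(rows):
        for pan in find_pans(row):
            report["cleartext_pan"].append((idx, pan))
        if TRACK1_RE.search(row) or TRACK2_RE.search(row):
            report["track_data"].append(idx)
        if CVV_FIELD_RE.search(row):
            report["verification_code"].append(idx)
    return report


# Constructed sample export; the card numbers are the brands' public test PANs.
SAMPLE_ROWS = [
    "folio=10231 guest=DOE/JOHN card=4111 1111 1111 1111 exp=12/25 cvv2=123",
    "folio=10232 guest=ROE/JANE card=550000******0004 exp=03/26",
    "swipe_log=%B4111111111111111^DOE/JOHN^2512101?",
    "swipe_log=;5500000000000004=2512101?",
    "receipt=Total 45.00 Conf# 8847201 tel 555-0100",
]

if __name__ == "__main__":
    result = scan_rows(SAMPLE_ROWS)
    for idx, pan in result["cleartext_pan"]:
        print(f"row {idx}: cleartext PAN, should display as {mask_pan(pan)}")
    for idx in result["track_data"]:
        print(f"row {idx}: full track data stored (prohibited)")
    for idx in result["verification_code"]:
        print(f"row {idx}: card verification code stored (prohibited)")
```

Run it against a database dump, report export, or application log; any row flagged under track_data or verification_code is a finding that no amount of encryption will fix, and any cleartext_pan hit outside the payment module itself means the PAN is not being rendered unreadable at rest. The Luhn check filters out most confirmation numbers and phone numbers, but a scanner like this is a quick screen, not a substitute for a vendor’s PA-DSS validation or your own PCI DSS assessment.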

PCI compliance is a serious business matter that should be driven from the top of your organization. Business processes and guidelines for the handling of sensitive customer data should be put into place and incorporated into your corporate culture. Your software vendors should be engaged to help you understand how and where sensitive data is stored, processed, transmitted, and disposed of.

If your current solution is not compliant, you should begin investigating alternative solutions as soon as possible. Make sure that your new solution(s) provider is well versed in the world of PCI and how it will impact your business. They obviously need to be compliant or should be well down the path to being compliant; otherwise, don’t even consider them as a potential software partner.

For more information on where to begin your PCI compliance, visit the PCI website https://www.pcisecuritystandards.org/security_standards/pci_dss.shtml or, call your credit card processor, which is always a great place to start.

PCI compliance may seem overwhelming at first, with all those acronyms and technical jargon. However, once you engage the right partners and familiarize yourself with the tools and processes, you will be better for it and the benefits will outweigh the work and resources invested. Protect your customer’s/guest’s sensitive data and in turn, protect your operation. You can no longer afford to sit idle. PCI compliance is your responsibility!


This document is provided for information purposes only and the contents hereof are subject to change without notice.  This document is not warranted to be error-free, nor subject to any other warranties or conditions, whether expressed orally or implied in law, including implied warranties and conditions or merchantability or fitness for a particular purpose.  We specifically disclaim any liability with respect to this document and no contractual obligations are formed either directly or indirectly by this document.  This document may be freely copied and distributed provided that it is not modified in any way and is distributed only in its entirety.
