What you need to know about PCI compliance

The deadline for businesses to meet PCI (Payment Card Industry) compliance was July 1, 2010.  Because the PCI compliance requirement is very important to RezStream, we have updated our information so that you can be better informed about what this compliance means to your business.  With the release of RezStream Professional 2010.8, our software now contains fully compliant PCI features.  In the coming weeks, RezStream will be sending more information to our customers about this important software update.

The credit card industry has developed security standards for the storage and processing of cardholder credit card information.  These standards are REQUIRED of anyone who stores or processes credit card information.  The standard is called the Payment Card Industry (PCI) Data Security Standard (DSS).  These security requirements apply to all members, merchants, and service providers that store, process or transmit cardholder data as of July 1, 2010. 

Simply stated: any business that stores or processes credit cards is required to become PCI compliant.  It is easier for hospitality businesses to become PCI compliant, but you should be diligently working on getting your business practices compliant as soon as possible.

Why you should be concerned about PCI compliance.

Credit card companies are requiring compliance with PCI standards for every entity that is involved in the storage, processing, or transmission of credit card information.  Failure to comply can result in denial or revocation of your organization’s ability to process credit cards.  Furthermore, as these standards have become widely recognized, non-compliance places your organization at risk of legal and/or civil consequences if credit card information you use or store becomes compromised.  Compliance with PCI standards is necessary whether or not you use RezStream Professional 2010.8 or newer to process transactions “online.”  Even if you use a point of sale (POS) terminal or other methods to process transactions, and simply retain information in RezStream Professional 2010.8 or newer, you must be concerned about proper use of the PCI program to maintain security and confidentiality of customer data.

Features of RezStream Professional 2010.8 and newer that follow PCI compliant security measures:

  • RezStream requires 7-10 digit “strong passwords” for program access and credit card number access.
  • RezStream does not store swiped data from any credit card.
  • RezStream uses 256-bit strong encryption of all credit card numbers.
  • RezStream uses SSL (Secure Sockets Layer) and strong encryption when transferring credit card numbers from the RezStream Booking Engine.
  • RezStream does not store security codes, or transfer security codes, to any RezStream product.
  • RezStream does not display full card numbers anywhere within our software program.
  • Full credit card numbers cannot be viewed in our software without entering a user name and password.
  • RezStream logs all credit card access activity and history.
  • RezStream provides a mechanism to purge stored numbers individually and globally.
  • RezStream has detailed documentation for each of its credit card processing gateways that includes full PCI compliance information.
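The masking and logging points above are the ones a merchant can verify on their own side: PCI DSS allows at most the first six and last four digits of a card number to be shown, and no full number should survive in screens, reports or logs. The following is an added example (not RezStream code) that masks a card number to that format and scans exported text, such as an access log, for any unmasked, Luhn-valid card numbers; the log lines are constructed for illustration.

```python
import re

def luhn_valid(digits: str) -> bool:
    """Return True if the digit string passes the Luhn checksum used by payment cards."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0

def mask_pan(pan: str) -> str:
    """Mask a card number to first six / last four, the most PCI DSS permits to be displayed."""
    digits = re.sub(r"\D", "", pan)
    if not 13 <= len(digits) <= 19:
        raise ValueError("not a card number length")
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]

# 13-19 digits, optionally separated by spaces or dashes, not embedded in a longer digit run
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")

def find_unmasked_pans(text: str) -> list[str]:
    """Return Luhn-valid card numbers that appear unmasked in text (e.g. an exported log)."""
    hits = []
    for m in PAN_RE.finditer(text):
        digits = re.sub(r"\D", "", m.group(0))
        if 13 <= len(digits) <= 19 and luhn_valid(digits):
            hits.append(digits)
    return hits

# Constructed sample log: line 1 is properly masked, line 2 leaks a (test) card number,
# line 3 holds a reservation number that is not a card number and must not be flagged.
SAMPLE_LOG = """2010-07-01 09:12:03 user=frontdesk action=view_card pan=411111******1111
2010-07-01 09:15:44 user=frontdesk action=charge pan=4111 1111 1111 1111 amount=120.00
2010-07-01 09:16:01 user=night action=lookup reservation=1234567890123
"""

if __name__ == "__main__":
    print(mask_pan("4111 1111 1111 1111"))
    print(find_unmasked_pans(SAMPLE_LOG))
```

Run it against report exports or log files on the machines that handle cards; any hit means a full number is being written somewhere it should not be.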

How do hospitality businesses become PCI compliant?

You should begin by contacting your merchant account provider regarding PCI compliance.  Most merchant account providers have PCI compliance programs and can help you navigate through the process.  In addition, when you sign up for RezStream’s credit card processing account with Payment Processing Inc. (RezStream's preferred credit card merchant account provider), you may also enter into the PCI compliance program with PPI.  The cost is $300 per year and entitles you to 24/7 technical help with becoming PCI compliant.  This service also allows access to online scan services, all questionnaires, and any other assistance you need in becoming PCI certified.  Please call RezStream toll-free at 866-360-8210 for more information.

Here’s a partial PCI compliance “TO DO” list to get you started:

  • Use a validated software program and validated credit card gateway.
  • Enroll in the PCI compliance program with your merchant account provider.
  • Make sure to process all credit card payments on computers designated for business use only.
  • You must maintain a basic firewall installation.
  • Do not use default Windows passwords such as “password” to log into any computer.
  • You must have anti-virus software installed on all computers and set them to always scan.
  • If you use a wireless network, you must also ensure that it is secure and encrypted.

Conclusion:
All businesses that store or process credit card data must go through the PCI program, self-test, submit to third-party on-site testing (if required), and apply to be granted a PCI record of compliance.  Remember: the deadline for all businesses to be PCI compliant was July 1, 2010!  It should be noted that it is simply not enough to “do everything that Visa and MasterCard require” to be PCI compliant.  You must also get PCI certified.  While obtaining PCI compliance may not seem too glamorous a procedure, it should become a HIGH priority on your list, as it deals with hackers and identity thieves who would like nothing more than to steal a few thousand of your customers’ credit card numbers, and other private information, for their own personal gain.

If you need more information about PCI compliance, please call RezStream at 866.360.8210 or visit: www.pcisecuritystandards.org.