Ensuring Credit Card Security via PCI Compliance: What Hotels Need to Know
September 13, 2006 - Credit card security has moved to the forefront as financial transactions have gone paperless. The card brands have responded by requiring every business that accepts their cards to achieve PCI compliance, that is, compliance with a single, industry-wide security standard.

Attackers who obtain cardholder data over the Internet can use it to damage an individual's credit and financial standing. According to one recent study, total fraud losses in 2006 were approximately $56.6 billion, and the mean loss per fraud victim rose in the same year to $6,383: significant costs for the significant problem of credit card security.

Most businesses today, whether based primarily online or offline, use computers to process card transactions, so credit card security must be a top consideration. In response, the major card brands now require merchants to meet a defined list of requirements and to validate that they have done so. Hotels must understand the requirements for PCI compliance or face substantial fines and a loss of guest trust.

The History of PCI Compliance and Certification

In 2001, Visa introduced the Cardholder Information Security Program (CISP) to raise the level of credit card security among merchants accepting the Visa brand. Visa and MasterCard then aligned their programs into one standard, the Payment Card Industry (PCI) Data Security Standard, published as version 1.0 in December 2004 and subsequently adopted by the other major brands, including Discover and American Express. Merchants were required to be compliant by June 30, 2005, or face considerable fines in the event of a security breach. Yet more than a year after that deadline, many merchants have still not been validated as compliant.

Merchant Categories

PCI compliance is required of every merchant that accepts or processes card transactions, and that includes hotels. Merchants are further divided into four categories, known as merchant levels, by annual transaction volume:

1.  Level 1: merchants with more than 6,000,000 transactions per year, or any merchant that has suffered a compromise of cardholder data.
2.  Level 2: merchants with 150,000 to 6,000,000 transactions per year.
3.  Level 3: merchants with 20,000 to 150,000 transactions per year.
4.  Level 4: merchants with fewer than 20,000 transactions per year.
Problems arise when merchants do not realize that PCI compliance applies to them and therefore never validate. For example, a hotel on a university campus is treated as part of the university's merchant account. Its transactions are counted together with the university's, so the hotel is placed in a higher merchant level than its own volume would warrant. Such hotels may previously have dismissed the need for PCI compliance, but they are now being reviewed closely and may face large fines for the oversight, particularly if they have had credit card security incidents in the past.

In the next few years, medium- and large-sized hotel chains will find that they too are being scrutinized for the measures they have taken to secure cardholder data, and that any service providers that store, process, or transmit that data on their behalf must be validated as well. The process is neither simple nor inexpensive, but it is essential. A hotel that is not PCI compliant may be fined, and guests may not trust it; if a breach occurs at a hotel that has not achieved compliance, the fines are larger still.

PCI Certification – An Overview

To achieve PCI compliance, a merchant must meet six major goals (the standard's control objectives), which together contain twelve numbered requirements, each with its own detailed sub-requirements. Below is a brief overview of each goal and how it affects the hotel industry.

1. Build and Maintain a Secure Network

All merchants, including hotels, must install and maintain a firewall configuration that keeps cardholder data from being reachable by anyone outside the network, with the front desk, back office, and guest networks kept separate from each other. In addition, merchants seeking PCI compliance must not leave vendor-supplied defaults in place: default system passwords, wireless access point names and keys, and SNMP community strings are printed in vendor manuals and are therefore trivially guessed by outsiders. Every system, including the property management system and the point-of-sale terminals, must be given new credentials before it goes into use, and those credentials must be kept secure.

2. Protect Cardholder Data

Merchants must protect cardholder data both in transit and at rest. Card data sent across public networks, for example a guest's card details submitted during an online reservation or sent from the front desk to the processor, must be encrypted with strong cryptography such as SSL/TLS. Stored data is subject to stricter rules: sensitive authentication data (the full magnetic-stripe contents, the CVV2/CVC2 code, and PINs) must never be stored after authorization, even encrypted, and wherever the primary account number (PAN) is kept it must be rendered unreadable by truncation, hashing, or encryption with properly managed keys. When a PAN is displayed, no more than the first six and last four digits may be shown. Any property management system (PMS) used by the hotel must honour these rules as well; older PMS and point-of-sale packages that quietly retain full track data in logs or databases have been the source of many hotel breaches, and paper records such as faxed reservation forms and registration cards carrying card numbers are in scope too.
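The most common way a hotel fails this goal is not a missing cipher but card numbers sitting in clear text in PMS or point-of-sale logs that nobody knew were there. Below is an added example, written for this article rather than taken from it or from any RedSky IT product, of the check a practitioner runs before an assessment: scan text for Luhn-valid card numbers and mask any PAN that has to be displayed to the first six and last four digits. The log lines are constructed for illustration and use the publicly known test card numbers; the function names are this example's own.

```python
"""Added example (not from the article): find clear-text card numbers in
text such as POS or PMS log output, and mask a PAN for display.
All sample data is constructed for illustration."""
import re

# A candidate PAN is 13 to 19 digits, optionally separated by spaces or
# dashes; the look-arounds stop us from matching the middle of a longer
# digit run such as a phone number with a country code glued on.
_PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_ok(digits: str) -> bool:
    """True if the digit string passes the Luhn check-digit test.
    Every real card number does; most folio, phone and confirmation
    numbers do not, which keeps false positives down."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_pans(text: str) -> list:
    """Return every Luhn-valid card number in text, digits only."""
    found = []
    for m in _PAN_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            found.append(digits)
    return found


def mask_pan(pan: str) -> str:
    """Mask a PAN to at most the first six and last four digits, the
    maximum PCI DSS (Req. 3.3) allows to be displayed."""
    digits = re.sub(r"\D", "", pan)
    if not 13 <= len(digits) <= 19:
        raise ValueError("not a card number")
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def scan_log(text: str) -> list:
    """Report (line number, masked PAN) for each clear-text PAN found.
    The report is masked so the finding does not become one more copy of
    cardholder data that would itself need protecting."""
    findings = []
    for n, line in enumerate(text.splitlines(), start=1):
        for pan in find_pans(line):
            findings.append((n, mask_pan(pan)))
    return findings


# Constructed sample: the card numbers are the well-known test numbers
# for Visa, MasterCard and American Express; line 4 carries a number
# that fails Luhn, and the 13-digit folio number is not a PAN.
SAMPLE_LOG = """\
2006-09-13 14:02:11 POS auth ok card=4111 1111 1111 1111 amt=189.00 folio=1234567890123
2006-09-13 14:05:40 web reservation conf=1234567890123 last4=1111
2006-09-13 14:07:02 POS auth ok card=5500-0000-0000-0004 amt=92.50
2006-09-13 14:09:55 POS auth declined card=4111111111111112
2006-09-13 14:12:30 POS auth ok card=378282246310005 amt=415.00
"""

if __name__ == "__main__":
    for line_no, masked in scan_log(SAMPLE_LOG):
        print(f"line {line_no}: clear-text PAN {masked}")
```

Run the same scanner over database dumps, backup directories, and the PMS export folder, not just logs; a hit anywhere outside the one encrypted store you have designated for PANs is a finding, and a hit that looks like stripe data (a PAN followed by an expiry date and service code) is a reportable breach of the "never store" rule rather than merely a weak control.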

3. Maintain a Vulnerability Management Program

Merchants must run and regularly update antivirus software on systems commonly affected by viruses, and must develop and maintain secure systems and applications, which includes applying vendor security patches promptly. This goal binds not only the hotel itself but every vendor whose software handles card data, above all the vendor of the property management system. Hotels should ask each vendor whether it has completed, or is going through, PCI validation, and whether the PMS version in use has been validated as a payment application that does not retain full magnetic-stripe data or card verification codes (Visa publishes a list of such applications under its Payment Application Best Practices). Hotels should also ask whether the vendor is handling compliance with internal staff or has engaged an outside consultant; if a consultant is involved, the hotel should insist that it be an assessor approved by the card brands.

4. Implement Strong Access Control Measures 

The hotel must restrict access to cardholder data to those employees whose jobs require it. In addition, every person with computer access must have a unique ID, so that each action on cardholder data can be traced to an individual; shared front-desk or night-audit logins defeat this purpose. Finally, the hotel must restrict physical access to cardholder data, which covers not only servers but paper registration cards, faxed reservations, receipts, and backup media.

5. Regularly Monitor and Test Networks

The hotel must track and monitor all access to network resources and cardholder data by keeping audit logs that record who did what and when, and reviewing them. Security systems and processes must also be tested regularly: the standard calls for quarterly vulnerability scans of Internet-facing systems by an approved scanning vendor and penetration testing at least annually and after any significant change.

6. Maintain a Good Security Policy 

Merchants must maintain a written information security policy that is communicated to all employees and contractors. It must include a documented incident response plan so that, in the unfortunate event of a breach of cardholder data, there is a structured procedure to follow, including notification of the card brands and the acquiring bank.

In addition to the six goals, there are validation requirements that must be met. The details vary by card brand, but in general validation consists of some combination of an on-site assessment, a self-assessment questionnaire, and network vulnerability scans. The merchant level determines which apply and how often: Level 1 merchants undergo an annual on-site assessment and quarterly scans, while lower-level merchants complete an annual self-assessment questionnaire and quarterly scans.

Achieving PCI compliance is complex and ongoing, and it matters because credit card security is everyone's concern. Hotels that avoid validation will almost certainly face large fines and lose guest confidence, particularly if a breach occurs. All hotels should perform their due diligence and review the PCI compliance requirements in depth to ensure that they are fully compliant.

About the Author

Andrew Sanders is director of sales and marketing for RedSky IT, based in New Jersey.  He was previously manager of international business at RedSky IT (formerly Ramesys) in the UK prior to its acquisition of MCorp: a US-based hospitality technology business.  He commenced his career in hotel software with McDonnell Douglas in the UK (later to be known as MDIS/Northgate IS) before which he graduated in computer science from the University of Plymouth, UK.

For more information, contact Andrew Sanders at 908 941 1274 or andrew.sanders@redskyit.com.


Sean Carvin
Marketing Coordinator
RedSky IT
Tel: 908 941 1300 x243
Fax: 908 941 1312
E-mail: sean.carvin@redskyit.com
Web: www.redskyit.com/us