Fraud can cause hoteliers serious problem. Tim Landsdale shares a few best practices now to keep your hotel as safe and secure as possible.
Every business knows that accepting card payments and reservations has the power to dramatically drive business growth. After all, offering customers more and easier ways to pay is vital. It helps to increase revenue, improve the user experience and simplify back-end processes for staff. But your business will only reap these rewards if you protect your customers’ card data as you’d expect others to protect yours.
This is even more important for businesses in the hotel industry which must handle unique payment requests not found in other sectors. A few key steps should put you on the right path towards minimising risk and protecting those all-important profits.
The Payment Card Industry Data Security Standard (PCI DSS) might sound onerous but it should be an essential part of your card security strategy. Created by the major card companies over ten years ago, it’s designed specifically to help businesses process, store and transmit card data more securely in order to reduce fraud. Now in its third version, PCI v3.0, it requires organisations comply with 12 high level requirements to strengthen their systems against a possible breach of card data.
Compliance is certainly not something that can be achieved over night: it will need an investment of time, money and resources to get there. But when you do, your business will be more secure when it comes to handling and storing card data, and you can benefit from reduced liability in the event you suffer a data breach.
Let’s just think about the repercussions for a moment. If hackers manage to infiltrate your computer network and steal sensitive card data, and you’re not PCI compliant, you could face a number of negative consequences. First there are the potential fines for non-compliance. Then there’s the cost of investigating, cleaning up and securing your computer systems properly. But more difficult to measure is the intangible damage to the reputation of your business. The hotel market is crowded and highly competitive; can you afford the negative headlines claiming customers staying with you had their card details stolen?
Your acquirer or payment provider will be able to help out with PCI compliance.
Paying in person or over the phone?
As a hotelier or B&B owner, your business is slightly different from the vast majority of those which seek PCI DSS compliance. This is because there are a number of payment requests that aren’t applicable to other types of business, such as reservations, cancellation refunds, and overbookings and post-check out charges. It’s also important to remember that the rules are different depending on whether a customer is standing in front of you, or is transacting over the phone or internet.
So what do you need to bear in mind? The key differences revolve around the Card Security Code (CSC) or Card Verification Value (CVV/CV2) – that three digit number on the signature stripe of most cards (or four digit number on the front of AmEx cards). It’s a deliberate fraud prevention tool, so it’s important you handle it correctly. Your card machines have been specially designed to ensure the CSC is not kept – so if a customer sends their card details by email, make sure that email is deleted securely. In fact, using email to receive card details is insecure. You should never write down card numbers or CSCs or ask for/accept photocopies of cards.
There are only two situations you need to request the CSC. The first is if the customer is not present – for example if you’re taking payment for a booking or deposit by phone. The second is if the customer is present but the card machine can’t properly read the card details. In that case, follow the on-screen prompts.
You will never need to take the CVV number for reservations, no-show transactions, cancellations, overbookings, corporate cards, and post-check out charges.
For regular reservations the card number, expiration date, name and billing address should be needed. If you’ve overbooked and must find alternative accommodation for your guest, all of this card data must be deleted. If a guest cancels and is due a refund, ensure that refund is made only to the card details originally given. Ditto, if there is a no-show, mark it as such and charge the original card the set amount as per your hotel’s booking policy.
This might seem like a lot to remember but card fraud is big business these days, so it pays to learn these few best practices now to keep your hotel or B&B as safe and secure as possible.
For more information, please visit http://www.worldpay.com/uk