Leisure Industry Can't Ignore PCI Compliance

Lora Bentley

Compliance with the PCI Data Security Standard has been expected of merchants that accept payment cards and process payment card transactions for years now, but as is true with any compliance requirement, there are segments that tend to lag behind the rest in their efforts. Small public companies, for example, have had a reprieve when it comes to full Sarbanes-Oxley section 404 compliance.


In a recent post in Hotel News Resource, ResortSuite founder and CEO Frank Pitsikalis reminds those in the leisure industry that accept payment cards -- particularly spas, hotels and resorts -- that they are not exempt from PCI compliance requirements. He points out that more than 55 percent of credit card fraud comes from the hospitality industry, and then he says:

The clock is ticking and the hospitality industry needs to embrace the requirements set forth to comply with PCI. At the core of this situation is the abundance of legacy software systems still being used in spas, hotels and resorts.

He explains that much legacy software lacks encryption and other functionality needed for PCI compliance, and that the burden falls on the spa, resort or hotel to determine whether the software it uses enables PCI compliance. Pitsikalis urges them to be sure their software systems are PCI certified. He points them to the PCI-DSS Web page and advises them to contact their credit card processors for more information.


Now, Pitsikalis makes a good point: Legacy software systems likely are not equipped to enable the leisure organizations to maintain PCI compliance, and the fact that more than half of credit card fraud occurs in the hospitality industry does seem to indicate that something needs to change. But a simple change in software is not going to make the problem go away. IT Business Edge blogger Carl Weinschenk has written before that PCI compliance alone doesn't mean an organization is secure.


It is, however, a good place to start.

Oct 7, 2009 3:37 AM Stephen Toomey says:

I work for PrehKeyTec. We are a manufacturer of programmable keyboards, many of which have an integrated MSR reader. We have the ability to encrypt the MSR read in the keyboard before it is exposed to computer memory. We also have the ability to encrypt manually entered data, allowing encryption of card-not-present transactions. If properly implemented, the keyboard can allow a merchant to become "Out of Scope" when it comes to PCI Compliance. We are currently working with a number of software developers, gateways and processors on implementing this technology. Feel free to contact me if you want more information.

Oct 15, 2009 2:15 AM Geoffrey says:

We are consultants and brokers who specialize in the restaurant and hospitality business. We talk to owners regarding portable credit card machines. These machines are fully encrypted and meet PCI Standards.

If the customer swipes their own card, there is no opportunity for employee theft. The customer has the security of knowing their card and transaction is secure as it happens right in front of them.

We encourage owners to separate credit card transactions from software applications. The extra step might cause some owners a little bit of inconvenience. The downside is that all it takes is just one stolen credit card traced back to the owner's business to cause thousands of dollars in fines and fees. Not to mention, this would put most small to mid-size companies out of business.

Oct 16, 2009 8:03 AM Brian Eberhardy says:

Public companies in the leisure industry need to be held to the same standard and evaluation criteria as others within the same merchant level as defined by the PCI-DSS. So, why is it more difficult for this industry to embrace PCI? While the leisure industry may have a higher rate of turnover than others, it should not be given a break for that sake alone. All industries have their challenges, and security is often the last IT item to be considered. It's overhead; let's face it.

To affirm what Carl Weinschenk was perhaps hinting at with his blog reference to PCI-DSS compliance, being secure is not about implementing the latest and greatest technology. Being secure and complying with a standard like PCI-DSS is about three things: people, process, and technology. Employees need to be trained in information security as part of an organized and consistent security awareness program. Technology solutions need to be implemented to handle credit card transactions securely. Right-sized processes need to be put in place to ensure that technology is used in a consistent, secure fashion and to document the controls put in place to enable cardholder data safety.
