Compliance with the PCI Data Security Standard has been expected of merchants that accept payment cards and process payment card transactions for years now, but as is true with any compliance requirement, there are segments that tend to lag behind the rest in their efforts. Small public companies, for example, have had a reprieve when it comes to full Sarbanes-Oxley section 404 compliance.
In a recent post in Hotel News Resource, ResortSuite founder and CEO Frank Pitsikalis reminds those in the leisure industry that accept payment cards -- particularly spas, hotels and resorts -- that they are not exempt from PCI compliance requirements. He points out that more than 55 percent of credit card fraud comes from the hospitality industry, and then he says:
The clock is ticking and the hospitality industry needs to embrace the requirements set forth to comply with PCI. At the core of this situation is the abundance of legacy software systems still being used in spas, hotels and resorts.
He explains that much legacy software doesn't have encryption capabilities and other functionality needed for PCI compliance, and that the burden is on the spa, resort or hotel to determine if the software it uses enables PCI compliance. Pitsikalis urges them to be sure their software systems are PCI certified. He points them to the PCI-DSS Web page and advises them to contact their credit card processors for more information.
Now, Pitsikalis makes a good point: Legacy software systems are unlikely to be equipped to help leisure organizations achieve and maintain PCI compliance, and the claim that more than half of credit card fraud occurs in the hospitality industry does suggest that something needs to change. But simply swapping out software is not going to make the problem go away. PCI DSS also covers how cardholder data flows through the network, who can access it, how that access is logged and monitored, and how staff handle card data day to day; none of that is fixed by a new application. IT Business Edge blogger Carl Weinschenk has written before that PCI compliance alone doesn't mean an organization is secure.
It is, however, a good place to start.