We’ve gotten a ton of inquiries after the Reuters article about booking a B&B and getting a computer virus. We’ve contacted them, and so have a lot of innkeepers, to express our distaste on them singling out the B&B industry when it really is applicable to many many small businesses.
Unfortunately, I don't feel the old phrase “there’s no such thing as bad publicity” applies here. But if nothing else, this is yet another wakeup call on credit card security. It seems a lot of innkeepers are feeling blindsided by all the credit card security talk out there. PCI security has been around for a number of years now, but it has never been easy to figure out – whether you are an innkeeper or even a company like BedandBreakfast.com. We started doing daily McAfee scans almost three years ago, back when they were called HackerSafe, but the landscape has changed a lot since then. We are by no means experts on it, but we feel we have a decent understanding. For those who wish to really get the details and make sure they are hearing this directly from the experts, you should read a publication put together in part by the AHLA – this is the most thorough guide we’ve seen yet and truly a great example of how lodging is leading the charge. Hats off to the authors for their painstaking effort on this – it is a very well-written document.
I’ll try to explain how I understand this, hopefully getting it correct...
Right now, every provider of PMS software or services, from what we can tell, is considered to be a Level 2 "Service Provider", and/or a "Payment Application". You are a Service Provider if you grab or store credit card data in any way, and you are a Payment Application if you transmit that data electronically in any way for the actual authorizing or payment from a credit card.
So from looking at the Spring 2009 issue of PAII’s Innkeeping Quarterly: 2009 Technology Guide for Innkeepers, companies like: Availability Online, NetBookings, and TCS would fall under only the PCI Level 2 Service Provider standards since none of them provide any integrated credit card payment gateway (according to the guide). Most everyone else - RezOvation, Webervations, Booking Center, Resnexus, SuperINN, RezStream, etc. - would fall under both the Payment Card Industry Data Security Standard (PCI DSS) AND the Payment Application Data Security Standard (PA-DSS) since they also transmit the credit card data.
The good news is that PA-DSS is crystal clear. You must have a 3rd party external audit to be compliant. As of last October, no company without a PA-DSS certification was supposed to take on any new customers that use credit cards in any way. As of July 2010, no customer, period, can use an application like these without having passed a third-party audit. Currently RezOvation GT is the only product that we are aware of that has successfully passed a full level one PA-DSS audit - although I’m sure other companies are in the process since it is an absolutely firm requirement. Companies that pass will be listed on the PCI website, which is updated roughly every month. If a company is not shown there, then they are not certified or were just recently certified. By July of 2010, all processors will be prohibited from working with merchants unless they show up on the list.
The PCI DSS for "Service Providers" also has to be met – but this one is a little fuzzier. Since basically all vendors selling software products & services in the B&B industry are categorized as a Level 2 Service Provider (fewer than 300,000 transactions/yr), it means that basically everyone can do a self-assessment and claim they are PCI certified. A Level 1 provider (greater than 300,000 transaction/yr) must have an external audit. You can imagine how reliable a self-assessment is - and it can be private so you would never know what it says - just that the company says they passed it. So unfortunately there really is no way to know if a company is compliant or not unless they go through an external audit. The scans from companies like McAfee are not enough. And it may not even matter – because banks are already starting to ONLY allow credit card information to be collected/saved/transmitted by companies that go through a Level 1 external audit. So pretty much everyone is going to have to do what is necessary of the big sites - a full external security audit. We were actually already informed by People's Bank that they are going to start enforcing this - now.
What does this mean? Well for starters - there are no level 1 PCI compliant products in the market that we know of - not us, not SuperINN, Resnexus, Availability Online, no one. The only product we know to have undergone an external audit is RezOvation GT - and that just recently passed. This is good news for innkeepers though – as it is going to provide an enormous incentive for everyone to be externally audited – allowing innkeepers to rest more easily. We have already begun the process of going through an external audit for the other pieces of our business, and we’ve already started making changes to Webervations to comply. We’ve generally kept RezOvation and BedandBreakfast.com up to par with Level 1 standards, but will be making any and all necessary changes that the auditors find as well. We expect that other companies will start going through this too at some point as they really have no choice. For the industry as a whole – this will be great news. Hopefully the next article we see in Reuters will talk about how the B&B industry and providers like RezOvation and Webervations led the charge to put industrial-grade security practices in place for small merchants!
My advice to innkeepers... Unfortunately we are aware of some widely used products in our industry that say they are compliant but are not. For instance - one company posts its own self-audit online - and the audit shows they failed in a number of areas. So anyone using this system knows they are using a non-PCI-DSS/non-PA-DSS compliant product, that hasn't passed a self-audit. Another stores full credit card and CVV data, which is expressly against the PCI compliance rules. Another doesn't encrypt anything at all and stores all the info including CVV right on your desktop in an Access 2.0 database from the 1990s. A lot of companies think the quarterly HackerSafe seal is enough to be compliant. That is not correct. If you are innkeeper using a system that you know stores things like CVV or that failed a PCI audit - then you could be held liable in the event of a security breach. The unfortunate part is that PCI insurance is null and void if you are using non-compliant software.
I would highly recommend that when you are looking for a software platform or booking engine/availability calendar, find a provider that has passed an external PCI/PA-DSS audit so you don't wake up one day and hear that the bank is no longer going to allow you to process credit cards, or worse - that you are liable for a security breach because you used software that was not compliant.
We'll try to keep you guys up-to-speed on things relating to this as they develop.