Is your hotel third party authorization form compliant with both Payment Card Industry Data Security Standards (PCI) compliance and card network acceptance rules? Beware solutions that are neither, risking an expensive data breach, lost reputation, and reduced profits. Due to significant rules changes in 2017, hotel management and hospitality advisors must adopt new technology solutions to comply.
Shifting from a paper credit card authorization form to a digitally
signed cloud form often fails to meet intended goals to prevent fraud
and increase security. For example, some digitally signed third party
credit card authorization form solutions authenticate the cardholder
with address and security code verification. Authorized merchant
employees access and decrypt the signed document, then key-enter the
cardholder data into another system for subsequent authorizations. The
document containing PAN and security code remains on file for some
period of time.
“This method is rife with compliance problems, leaving hotels
unprotected from friendly fraud, ‘it wasn’t me, I didn’t authorize’ and
data breach risk”, per Christine Speedy, PCI Council QIR certified.
For instance, per PCI Compliance 3.2, the security code, must not be stored after authorization, even if encrypted.
Whether the security code can be stored prior to authorization, PCI
leaves up to card brands and acquirers. Per Visa Core rules, section
22.214.171.124, merchants cannot even ask for the Card Verification Value 2
(CVV2) from the Cardholder on any written form.
A series of card not present acceptance rules changes are driving an urgent need for hotels to update. These significant changes include the process to store cards, use stored cards, and obtain authorizations. All this means, whatever worked in the past is no longer valid today.
In the digitally signed form example, there’s no relation between the
initial cardholder authentication transaction and any future
authorizations. However, if done properly, the issuer would have
returned a response acknowledging the merchant notification that they’d
gotten permission to store the card; future authorizations would include
Hackers continue to target the hospitality industry and they’ve been
quite successful. With 338 breaches in the 2018 Verizon Data Breach
report, the accommodation sector ranks in the top three of most
incidents and breaches. InterContinental Hotels Group, Marriott
International, Radisson Hotel Group, Hilton, and Hyatt have all had
breaches as have suppliers to the industry like Sabre Hospitality. If
you know you’re going to be attacked, why not eliminate employee access
to cardholder data completely?
How can hotels better protect against card not present credit card fraud? 3-D secure is a global protocol designed to be an additional security layer for online credit and debit card transactions. By
combining a web-based authorization form with 3-D Secure cardholder
authentication, including Verified by Visa, fraud liability shifts to
the issuer, much like EMV chip shifts liability to the issuer.
By using a payment gateway to manage initial and subsequent
authorizations, with the capability to invoke 3-D secure, merchants
mitigate chargeback risk and avoid the time consuming process of
fighting to get their money back after they occur. As a bonus, some
issuers support reduced interchange rates, the bulk of credit card
processing fees, when 3-D Secure is invoked. No cardholder data is ever
visible to employees.
With every part of the payment ecosystem needing to make changes-
card issuer, acquirer (merchant account processor), payment gateway-
it’s inevitable that there will be gaps in compliance. Non-compliance
with rules can result in fines, penalty fees, and removal from card
Key questions to ask when evaluating hotel third party credit card authorization solutions:
· Is the security code ever stored?
· Is 3-D secure supported?
· Is it compliant with the Visa stored credential mandate, including unscheduled credential on file?
· After the initial authorization, are subsequent authorizations
submitted with retail, MOTO (telephone order), or e-commerce
· Correct Answers: no, yes, yes, MOTO
Keywords: #creditcardfraud #databreach #lodging #hotels #pcicompliance #creditcardauthorizationform
Call Christine Speedy,
PCI Council QIR certified, for PCI compliant web-based third party
authorization forms and other hotel payment technology to make your
business more profitable and secure. 954-942-0483, 9-5 ET.