Is your hotel third party authorization form compliant with both Payment Card Industry Data Security Standards (PCI) compliance and card network acceptance rules? Beware solutions that are neither, risking an expensive data breach, lost reputation, and reduced profits. Due to significant rules changes in 2017, hotel management and hospitality advisors must adopt new technology solutions to comply.
Shifting from a paper credit card authorization form to a digitally signed cloud form often fails to meet intended goals to prevent fraud and increase security. For example, some digitally signed third party credit card authorization form solutions authenticate the cardholder with address and security code verification. Authorized merchant employees access and decrypt the signed document, then key-enter the cardholder data into another system for subsequent authorizations. The document containing PAN and security code remains on file for some period of time.
“This method is rife with compliance problems, leaving hotels unprotected from friendly fraud, ‘it wasn’t me, I didn’t authorize’ and data breach risk”, per Christine Speedy, PCI Council QIR certified.
For instance, per PCI Compliance 3.2, the security code, must not be stored after authorization, even if encrypted. Whether the security code can be stored prior to authorization, PCI leaves up to card brands and acquirers. Per Visa Core rules, section 18.104.22.168, merchants cannot even ask for the Card Verification Value 2 (CVV2) from the Cardholder on any written form.
A series of card not present acceptance rules changes are driving an urgent need for hotels to update. These significant changes include the process to store cards, use stored cards, and obtain authorizations. All this means, whatever worked in the past is no longer valid today. In the digitally signed form example, there’s no relation between the initial cardholder authentication transaction and any future authorizations. However, if done properly, the issuer would have returned a response acknowledging the merchant notification that they’d gotten permission to store the card; future authorizations would include that response.
Hackers continue to target the hospitality industry and they’ve been quite successful. With 338 breaches in the 2018 Verizon Data Breach report, the accommodation sector ranks in the top three of most incidents and breaches. InterContinental Hotels Group, Marriott International, Radisson Hotel Group, Hilton, and Hyatt have all had breaches as have suppliers to the industry like Sabre Hospitality. If you know you’re going to be attacked, why not eliminate employee access to cardholder data completely?
How can hotels better protect against card not present credit card fraud? 3-D secure is a global protocol designed to be an additional security layer for online credit and debit card transactions. By combining a web-based authorization form with 3-D Secure cardholder authentication, including Verified by Visa, fraud liability shifts to the issuer, much like EMV chip shifts liability to the issuer. By using a payment gateway to manage initial and subsequent authorizations, with the capability to invoke 3-D secure, merchants mitigate chargeback risk and avoid the time consuming process of fighting to get their money back after they occur. As a bonus, some issuers support reduced interchange rates, the bulk of credit card processing fees, when 3-D Secure is invoked. No cardholder data is ever visible to employees.
With every part of the payment ecosystem needing to make changes- card issuer, acquirer (merchant account processor), payment gateway- it’s inevitable that there will be gaps in compliance. Non-compliance with rules can result in fines, penalty fees, and removal from card acceptance.
Key questions to ask when evaluating hotel third party credit card authorization solutions:
· Is the security code ever stored?
· Is 3-D secure supported?
· Is it compliant with the Visa stored credential mandate, including unscheduled credential on file?
· After the initial authorization, are subsequent authorizations submitted with retail, MOTO (telephone order), or e-commerce transaction type?
· Correct Answers: no, yes, yes, MOTO
Keywords: #creditcardfraud #databreach #lodging #hotels #pcicompliance #creditcardauthorizationform
Call Christine Speedy, PCI Council QIR certified, for PCI compliant web-based third party authorization forms and other hotel payment technology to make your business more profitable and secure. 954-942-0483, 9-5 ET.