{"id":5108,"date":"2019-01-10T08:53:06","date_gmt":"2019-01-10T13:53:06","guid":{"rendered":"https:\/\/3dmerchant.com\/blog\/?p=5108"},"modified":"2021-12-03T03:25:06","modified_gmt":"2021-12-03T08:25:06","slug":"hotel-party-credit-card-authorization-form-alert","status":"publish","type":"post","link":"https:\/\/3dmerchant.com\/blog\/merchant-processing-security\/credit-card-authorization-form-merchant-processing-security\/hotel-party-credit-card-authorization-form-alert","title":{"rendered":"Hotel Third Party Credit Card Authorization Form Alert"},"content":{"rendered":"\n<p>Is your hotel third party authorization form compliant  with both Payment Card Industry Data Security Standards (PCI) compliance and card network acceptance rules? Beware solutions that are neither,  risking an expensive data breach, lost reputation, and reduced profits.  Due to significant rules changes in 2017, hotel management and  hospitality advisors must adopt new technology solutions to comply.<\/p>\n\n\n\n<p>Shifting from a paper credit card authorization form to a digitally \nsigned cloud form often fails to meet intended goals to prevent fraud \nand increase security. For example, some digitally signed third party \ncredit card authorization form solutions authenticate the cardholder \nwith address and security code verification.&nbsp;Authorized merchant \nemployees access and decrypt the signed document, then key-enter the \ncardholder data into another system for subsequent authorizations. The \ndocument containing PAN and security code remains on file for some \nperiod of time.<\/p>\n\n\n\n<blockquote class=\"wp-block-quote is-layout-flow wp-block-quote-is-layout-flow\"><p>\n  &#8220;This method is rife with compliance problems, leaving hotels \nunprotected from friendly fraud, &#8216;it wasn\u2019t me, I didn\u2019t authorize&#8217; and \ndata breach risk&#8221;, per Christine Speedy, PCI Council QIR certified. 
\n<\/p><\/blockquote>\n\n\n\n<p>For instance, <strong>per PCI Compliance 3.2, the security code must not be stored after authorization, even if encrypted<\/strong>.\n Whether the security code can be stored prior to authorization, PCI \nleaves up to card brands and acquirers. Per Visa Core rules, section \n5.4.3.1, merchants cannot even ask for the Card Verification Value 2 \n(CVV2) from the Cardholder on any written form. <\/p>\n\n\n\n<p>A series of card-not-present acceptance rule changes is driving an urgent need for hotels to update. These <strong>significant changes include the process to store cards, use stored cards, and obtain authorizations<\/strong>. All this means that whatever worked in the past is no longer valid today.\n In the digitally signed form example, there\u2019s no relation between the \ninitial cardholder authentication transaction and any future \nauthorizations. However, if done properly, the issuer would have \nreturned a response acknowledging the merchant notification that they\u2019d \ngotten permission to store the card; future authorizations would include\n that response.<\/p>\n\n\n\n<p>Hackers continue to target the hospitality industry and they&#8217;ve been \nquite successful. With 338 breaches in the 2018 Verizon Data Breach \nreport, the accommodation sector ranks in the top three of most \nincidents and breaches. InterContinental Hotels Group, Marriott \nInternational, Radisson Hotel Group, Hilton, and Hyatt have all had \nbreaches, as have suppliers to the industry like Sabre Hospitality. If \nyou know you&#8217;re going to be attacked, why not eliminate employee access \nto cardholder data completely?<\/p>\n\n\n\n<p><strong>How can hotels better protect against card-not-present credit card fraud?<\/strong> 3-D Secure is a global protocol designed to be an additional security layer for online credit and debit card transactions. 
<strong>By\n combining a web-based authorization form with 3-D Secure cardholder \nauthentication, including Verified by Visa, fraud liability shifts to \nthe issuer<\/strong>, much like EMV chip shifts liability to the issuer. \nBy using a payment gateway to manage initial and subsequent \nauthorizations, with the capability to invoke 3-D Secure, merchants\n mitigate chargeback risk and avoid the time-consuming process of \nfighting to get their money back after chargebacks occur. As a bonus, some \nissuers support reduced interchange rates, the bulk of credit card \nprocessing fees, when 3-D Secure is invoked. No cardholder data is ever \nvisible to employees.<\/p>\n\n\n\n<p>With every part of the payment ecosystem (card issuer, acquirer or \nmerchant account processor, payment gateway) needing to make changes, \nit\u2019s inevitable that there will be gaps in compliance. Non-compliance \nwith rules can result in fines, penalty fees, and removal from card \nacceptance.&nbsp;<\/p>\n\n\n\n<p><strong>Key questions to ask when evaluating hotel third party credit card authorization solutions:<\/strong><\/p>\n\n\n\n<p>\u00b7&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;Is the security code ever stored?<\/p>\n\n\n\n<p>\u00b7&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;Is 3-D Secure supported?<\/p>\n\n\n\n<p>\u00b7&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;Is it compliant with the Visa stored credential mandate, including unscheduled credential on file?<\/p>\n\n\n\n<p>\u00b7&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;After the initial authorization, are subsequent authorizations\n submitted with retail, MOTO (telephone order), or e-commerce \ntransaction type?<\/p>\n\n\n\n<p>\u00b7&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;Correct Answers: no, yes, yes, MOTO<\/p>\n\n\n\n<p><strong><em>Keywords: #<\/em><\/strong>creditcardfraud #databreach #lodging #hotels #pcicompliance #creditcardauthorizationform<\/p>\n\n\n\n<p><strong><em>Call <\/em><\/strong><a href=\"https:\/\/3dmerchant.com\/blog\/about\" target=\"_blank\" 
rel=\"noreferrer noopener\"><strong><em>Christine Speedy,<\/em><\/strong><\/a><strong><em>\n PCI Council QIR certified, for PCI compliant web-based third party \nauthorization forms and other hotel payment technology to make your \nbusiness more profitable and secure. 954-942-0483, 9-5 ET.<\/em><\/strong><\/p>\n","protected":false},"excerpt":{"rendered":"<p>Is your hotel third party authorization form compliant with both Payment Card Industry Data Security Standards (PCI) compliance and card network acceptance rules? Beware solutions that are neither, risking an expensive data breach, lost reputation, and reduced profits. Due to &hellip; <a href=\"https:\/\/3dmerchant.com\/blog\/merchant-processing-security\/credit-card-authorization-form-merchant-processing-security\/hotel-party-credit-card-authorization-form-alert\">Continue reading <span class=\"meta-nav\">&rarr;<\/span><\/a><\/p>\n","protected":false},"author":11,"featured_media":0,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[463],"tags":[454],"class_list":["post-5108","post","type-post","status-publish","format-standard","hentry","category-credit-card-authorization-form-merchant-processing-security","tag-credit-card-authorization-form"],"aioseo_notices":[],"_links":{"self":[{"href":"https:\/\/3dmerchant.com\/blog\/wp-json\/wp\/v2\/posts\/5108","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/3dmerchant.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/3dmerchant.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/3dmerchant.com\/blog\/wp-json\/wp\/v2\/users\/11"}],"replies":[{"embeddable":true,"href":"https:\/\/3dmerchant.com\/blog\/wp-json\/wp\/v2\/comments?post=5108"}],"version-history":[{"count":2,"href":"https:\/\/3dmerchant.com\/blog\/wp-json\/wp\/v2\/posts\/5108\/revisions"}],"predecessor-version":[{"id":5111,"href":"https:\/\/3dmerchant.com\/blog\
/wp-json\/wp\/v2\/posts\/5108\/revisions\/5111"}],"wp:attachment":[{"href":"https:\/\/3dmerchant.com\/blog\/wp-json\/wp\/v2\/media?parent=5108"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/3dmerchant.com\/blog\/wp-json\/wp\/v2\/categories?post=5108"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/3dmerchant.com\/blog\/wp-json\/wp\/v2\/tags?post=5108"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}