If you accept or process payment cards, PCI DSS applies to you.

Many business owners struggle to wrap their heads around Payment Card Industry (PCI) security compliance. What is it? Why do I need to be compliant? What happens if I’m not?   

In this article, we’ll talk about why PCI compliance is important to your business and how RMS PAY helps you achieve it.  

In this article:

• What is PCI compliance?
• PCI in Australia
• What is PCI designed to do?
• Why you need to meet PCI DSS standards
• How to meet PCI DSS standards
• What happens if you don't meet PCI DSS standards

What is PCI compliance?

You might hear us use the term ‘PCI compliance’, which stems from the technical and operational requirements set by the Payment Card Industry Security Standards Council. The council’s founding members who set the standards are none less than AMEX, JCB, Discover, Mastercard and VISA, and some of the standards they’ve designed for you - the merchant - are called Data Security Standards (DSS). “If you accept or process payment cards, PCI DSS applies to you”, as stated in their reference guide, and it is the global standard for all merchants.  

PCI in Australia

In Australia, AusPayNet is an active contributor to financial standards set by the International Organisation for Standardisation (ISO) and is an affiliate member and contributor of the PCI. The Reserve Bank of Australia (RBA) released a set of expectations for merchants in which they must meet the minimum security requirements compliant with the Payment Card Industry Data Security Standard (PCI DSS) for transactions that tokenise and store card payments (i.e. online payments, terminal payments).  

What is PCI designed to do?

The Data Security Standards are designed to protect individuals against data breaches and consequential credit card fraud. It’s not 100% foolproof, but it’s a best practice the payment industry provides to mitigate risk as much as possible. Above all else, it’s about investing in the protection of your valued guests, to ensure their information doesn’t fall into criminal hands by way of your property.  

Why you need to meet PCI DSS standards

Businesses that store, process and/or transmit cardholder data - including payment gateways like RMS PAY - must comply with PCI DSS. These requirements apply to all payment acceptance channels including retail (brick-and-mortar), mail and telephone order (MOTO) and online.  

 By adopting RMS PAY, you don’t have to worry about being PCI compliant, because we do that for you.  

If you don’t meet PCI DSS standards or you’re not sure if you do, you will need to complete one or more of the following validation tasks: 

• Self-assessment questionnaire 
• Vulnerability scan 
• On-site review with an assessor 

How to meet PCI DSS standards

Only personnel who are trained on PCI DSS compliance and the importance of data security should handle card payments. If you have staff who are not trained in or not confident with PCI DSS compliance and data security, RMS PAY offers several workarounds to help you remain compliant. 

• PAY LINK | Send a Pay Link via email or SMS so the customer can enter their own card details (which will convert to a token in your PMS). Pay Links are 3D secure, meaning that if a liability shift has taken place the onus of the transaction is shifted back to the card issuer, reducing the risk of fraud and giving you a defense against any disputes.  

• ONLINE | For direct bookings, you can use RMS PAY with the RMS Internet Booking Engine (IBE) where the guest can securely fulfil the transaction. This is best paired with the RMS Guest Portal, through which the guest can include any upgrades to their purchase and upload any information you might want to know about their stay. Once again, this is a 3D secure payment method. 

• TERMINAL | An RMS PAY terminal transaction invokes Strong Customer Authentication (SCA) and their card will auto-encrypt as a token within the PMS. Yet another way of mitigating the risk of fraud. 

• OVER THE PHONE | You must ensure the call is taken in a secure environment, away from unauthorised personnel or guests who may overhear the conversation. It is imperative that you do not record any sensitive details (i.e. card number, CVV), so if you’re thinking about writing it down on paper - don’t - instead, RMS PAY will encrypt the card details you enter into the system, converting it to a secure token. When you send payment confirmation to the guest, do not include any sensitive card information. 

PCI compliance standards are designed to eliminate payment methods that are highly susceptible to fraud, and unfortunately, that may include your usual way of doing things. But with a little best practice and a powerful payment gateway like RMS PAY at your side, you’ll be PCI compliant, and you’ll be adopting more efficient ways to take payments. 

What happens if you don't meet PCI DSS standards

Not meeting compliance standards for card payments holds a number of damaging outcomes for businesses and their guests, such as: 

• You could be hit with significant fines 
• You could face legal action 

• You could lose your reputation and the trust of your guests  
• Your revenue could be impacted as a result of damage to your reputation 
• You could be subjected to time-consuming and costly federal audits in the aftermath of a data breach 
• Your guests could have their credit card information leaked and be impacted by fraud 

So, in answer to your questions, if you intend to continue taking and processing payments at your property, whether you like it or not you do need to be PCI compliant and meet data security standards. You can do that in many ways as we’ve discussed, but the easiest way is to do it by adopting RMS PAY, the PCI-compliant payment gateway designed for hospitality that’s natively integrated into RMS’s hospitality management cloud.

That way, you can continue to manage your property all in one place without worry, doing the right thing for your guests and your business.