Treat your customers' card data as you would want others to treat yours.

An unstoppable freight train is about to plow through your building (if it hasn't already), and the residual damage is up to you! PCI (Payment Card Industry) and CISP (Cardholder Information Security Program) compliance has directly affected small and large merchants alike as the train makes its way through the business community. Merchants are being brought into line in order of assessed risk, and the consequences of non-compliance are severe (not to mention the "it's the right thing to do" factor).


If you have a merchant account, protecting your customers' credit card data has always been your obligation, but you probably never had to prove it. If you've ever personally had a payment card compromised, you wish everyone were compliant, to give your card number a fighting chance of remaining private. It's also alarming to realize that credit card fraud funds terrorism around the world (psst: because so far, it's been a cakewalk for the terrorist folks).


Particularly in the rental unit business (a reservation is, by its nature, detailed personal information), personal data storage is a critical issue. The credit card portion of that data is so hot that you do not even want to store it if it is at all humanly possible to avoid doing so.


Alas, you may think compliance only has to do with your software. Get ready to rethink that idea, because there are a slew of other considerations, such as who is looking over the shoulders of your personnel when they are handling sensitive data.


Interesting, applicable links to help you sort through the conundrum:

  • Don't Store Data if You Can Help It
    ~ http://tinyurl.com/7jg3vk

  • Draw Me A Picture Of What I Have To Do To Be PCI Compliant
    ~ http://tinyurl.com/57ux3w

  • Merchant Levels Defined
    ~ http://tinyurl.com/7q7ju7

  • Level 4 Merchant Compliance Program Requirements (by the way, this is probably YOU if you have a good record with your Merchant Services Provider.)
    ~ http://tinyurl.com/957vgs

  • Payment Card Industry (PCI) Data Security Standard. This is an easy self-assessment to help you get ready for proving you're compliant. Which questionnaire applies to you:
      • If you never meet your guests face-to-face, you are "A".
      • If you accept money from your guests, face-to-face, at check in and are NOT using Shift4, you are "D".
      • If you are using Shift4 to process your credit card data, you are "C". (The "C"s are going to have the easiest time with all this.)
    ~ http://tinyurl.com/7n55db

  • A list of validated payment applications (including who they had to pay to validate them).
    ~ http://tinyurl.com/2by23x
    ~ http://tinyurl.com/86ulxv
    NOTE: TCSReservations is scheduled for PA-DSS certification on or before March 1, 2009.
    ~ http://www.reservationsbytcs.com

  • What it takes to get a Payment Application version certified.
    ~ http://tinyurl.com/8l7vl8

  • Read an excellent, logical industry white paper (it doesn't have any acronyms in it). Your business would also benefit if you and each employee in your organization were required to read Credit Cards 101.
    ~ http://www.shift4.com/ii_falsesense.htm
    ~ http://www.shift4.com/best_practices.htm

    #####

    http://www.ReservationsByTCS.com/PCI-DSS.htm
    Posted by Eddie and Tina Nelson
    December 2008
    www.TheCompanySoftware.com