As a receiver of highly sensitive credit card details, easybooking is required to integrate security measures into JULIA. We make this possible for you as an accommodation provider. With the PCI Card Details module easybooking offers a secure and convenient way to receive the credit card details from your guests. But the handling of the collected credit card data is subject to special security requirements and you have to provide credit card security!
The PCI security standard protects your guests!
The Payment Card Industry Data Security Standard (PCI DSS) regulates payment transactions and the rules around handling of credit card transactions. The first and foremost requirement is that you are not allowed to record credit card data – in any form. This means that as an accommodation provider, you can not write down credit card details, or keep them in a separate document – even if the document is password-protected. It is also forbidden to store the credit card details in a comment field against a booking or on the guest details or registration form.
The punishments as an accommodation provider
Your guests trust you! They will not only spend the night in your accommodation, but will grant you access to their personal information. It is not just about the personal items they leave in the room, but also about sensitive guest data and payment information. Imagine if your computer or laptop is stolen, or someone gains unauthorized access to your easybooking login details and exports the guests details: the moment you lose control over the highly sensitive data of your guests you can no longer guarantee their safety!
In a situation like this, as an accommodation provider, by law you should make a notification to the data security authorities, and inform all affected guests that their personal information has been breached. This is not only unprofessional and embarrassing, but can also be very expensive: if you do not store the credit card details of your guests in accordance with the law, you can be fined up to £500 per credit card. If you do not report the data loss, and the people affected experience unlawful payment transactions that can be attributed to the data theft due to your unlawful data processing, then the situation becomes a whole lot more expensive for you!
easybooking protects credit card information
Here at easybooking we also have to protect the highly sensitive credit card information and provide regular compliance notifications to our partners that our privacy policies are being upheld. We are obliged to treat all data securely and confidentially and process it soley for the purpose it was originally intended. We take measures to ensure the lawful processing of credit card information in order to save both you and us legal inconvenience and expensive penalties.
A recent compliance and security analysis exercise that we carried out revealed that many of the accommodation providers using easybooking were incorrectly storing their guests’ credit card details against bookings – there were over 21,000 records including card number, expiration dates, and CCV numbers on our servers. By doing this these easybooking customers were not only in breach of PCI DSS rules and making themselves liable for fines etc., as well as risking the financial security of their guests, and finally endangering our company, easybooking, as we are responsible for the safe and secure storage of all data held on our servers!
So as a result of this finding, we deleted all these existing credit card details wherever found within our databases on Tuesday, March 6, 2018. This data has been destroyed and recovery is not possible. After doing this we received contact from customers who said they would have liked the opportunity to export the data prior to deletion! As an accommodation provider YOU MUST be aware that you are not allowed to do this, because it is against the law, and in direct violation of PCI DSS rules. Please remember, this is about the safety of your guests, the safety of your own business, and for us ultimately, the safety of our own company.
One good way to look at this situation is… if you were booking a hotel, and providing your credit card details for the deposit, or to pay the final balance, would you want the staff or manager to write down your credit card details and put them in a drawer, or type them into the comments field of your booking in their system? We think we know your answer to this question!
Processing data in the future
Please take the time to think about how you record and process all personal information and highly sensitive information relating to your guests. We know that at first this can seem like an inconvenience, but the results are worth it for your guests, your business and for your own peace of mind.
We are constantly reviewing and improving our systems and products to make them better for customers and guests. We have already prepared some changes for you that are either in place already or coming very soon;
It will soon be possible for guests who use our new guest communication app, SARA, to make payments to accommodation providers securely through the app.
The PCI Credit Card Details module in JULIA now saves card details in an encrypted and tokenized format for 6 months. The number of times that you can view the card details has been increased from two to three times.
TIP: If the card details are relating to a channel booking such as Booking.com or Expedia, then you can log in to your channel extranet account to check if the card details are available for viewing in there, if you still need them after this time.