In January, I held a sold-out HFTP webinar on PCI compliance. Along with the “12 Commandments” of PCI compliance, I discussed myths and rumors about compliance, which I wanted to briefly share.
Myth #1 : If a PMS or POS masks (hides) all but the last four digits of a credit card number, the PMS or POS is PCI compliant.
This is a myth: Credit card receipts are guest-facing only; internal mechanisms may not be compliant.
Myth #2 : Hospitality technology vendors do not sell systems that are not PCI compliant.
This is a myth: There is no requirement for vendors to sell PCI compliant systems.
Myth #3 : PCI compliance is costly.
“Costly” is a relative term: The financial costs certainly exist, but the tangible and intangible costs of not being compliant are greater.
Myth #4 : Hotels’ technologies and systems are fairly secure. They are not often breached.
This is a myth: Hospitality technologies are preferred by hackers everywhere…hackers LOVE hospitality technology!
Rumor #1 : Hotel PCI compliance can be checked by internal or external auditors.
This is true: The Institute of Internal Auditors currently offers a PCI Compliance certification program for its members.
Rumor #2 : If a hospitality enterprise accepts credit cards as methods of payment, then that hospitality enterprise has to be “PCI Compliant.”
This is true: No ifs, ands or buts.
Rumor #3 : Franchisees of hotel brands are automatically “PCI Compliant” if they are using the brand’s technologies (PMS, POS).
This is definitely a rumor: Levels of PCI compliance vary by brand, so hotels need to be PCI compliant in and of themselves, regardless of brand requirements.
Jerry Trieber, CPA, CHAE, CFE, CFF, is director of field accounting for Crestline Hotels and Resorts and the HFTP global secretary. Trieber is a frequent speaker at HFTP educational conferences, where he educates the industry on internal controls, fraud prevention, Sarbanes-Oxley Act compliance and PCI compliance.
