Small and independent properties face many operational challenges that large properties and chains don’t, because those larger operators have entire organizations dedicated to managing their operations. This is especially true for subjects such as Payment Card Industry (PCI) awareness and compliance. PCI compliance is an area where small and independent hotels rely heavily on professional industry associations such as AH&LA and state associations to provide advice, guidance, and education.
This is a very complex issue, and we often find it extremely easy to assure ourselves that we’re just too small to be involved in such a difficult subject—that it only applies to the “big guys.” Unfortunately, this is not the case. PCI compliance is the responsibility of any business that accepts credit or debit cards. The safety and security of each transaction must be ensured by the hotelier.
My acute awareness of PCI compliance began at a California Hotel & Lodging Association board meeting a couple of years ago. A colleague, owner of two medium-sized properties in San Francisco and San Diego, announced that he had become the “poster child” for PCI compliance. After spending considerable resources on what he believed were steps to render his properties PCI compliant, much to his dismay, a scammer had been able to intercept guest credit card data residing on his property management computers. This initiated a series of fines, investigations, and new, higher-rate fees from the credit card companies for transaction processing. At that time, the hotelier had spent well over $200,000 in fines and fees, and the costs were still accruing. In addition to the horrendous financial burden, the reputation of the property had been severely compromised, the extended investigations and inspections would continue for years to come, and he still had to fix the exposure to a breach.
Another example involves a very small, five-room inn. The property had been processing reservations when a disgruntled former employee managed to hack into its property management computer and extract credit card information from its well-known online reservation system.
Even though your processing companies advertise that they are PCI compliant, you are at risk unless you have specifically taken steps to have all credit card data encrypted while it is in your system.
As a result of learning about the breach my colleague had experienced, I contacted my property management company. The company advised me to institute a system that would capture all our credit cards—from both the PMS and the POS in our restaurant.
Also at the property management company’s recommendation, I contacted various companies that could meet this requirement. We chose Shift4 and went through a very tedious and frustrating period trying to integrate the PMS, POS, credit card processors (we had two), and Shift4, ensuring each vendor had completed all steps in the process. Being extremely naïve about the various requirements in this process, it took us five months to get it all together.
I would highly recommend a project manager to coordinate all vendors and requirements to get the conversion up and running.