How secure are credit card transactions? Is BookingCenter PCI compliant?

The BookingCenter system is behind our corporate firewall, runs with strict security permissions, and is monitored 24 hours a day, 7 days a week by our staff in Canada, Australia, and the United States. Plus, we operate sophisticated backup procedures to assure your data is never compromised.

BookingCenter maintains PCI DSS compliance (SAQ D-SP) and we post both the assessment and quarterly validation of compliance at our webpage: http://www.bookingcenter.com/interfaces-and-modules/mycard/

Our MyPMS product maintains PCI compliance using Company Name:"BookingCenter" and Product name: "MyPMS", with a Version Number 3.5. For more detail, we have implemented TSYS' VirtualNet SSL gateway interface and our TSYS/Vital certification is also listed under the Company Name:"BookingCenter" and Product name: "MyPMS". You can check the Vital/TSYS gateway certification document at the TSYS website where they maintain a list of certified PCI vendors at: http://www.tsys.com/acquiring/  where you can click 'Partner Portal' and then 'Search' for a solution, and put in our 'Partner' name: BookingCenter and then 'Search' and see the results.

MyPMS is also regularly certified by ControlScan, a service provider for continual PCI compliance certification. The latest certified PCI DSS scan certificate can be seen at our webpage: http://www.bookingcenter.com/interfaces-and-modules/mycard/.

In 2017, the Visa Stored Credential Mandate was issued and it affects storage of credit card data.  This one can be confusing for the hotel industry, who often needs to store credit card data from time of booking through check-out.  Here is an example of what Visa is referring to in the Mandate: When a cardholder provides a payment credential to a hotel to cover charges for a specific reservation (confirming a specific booking with an arrival date in the future, ability to pay for food, movies, parking, etc.) that is not considered a stored credential. When a cardholder provides a payment credential to a hotel to cover future potential reservations (i.e. a membership profile), that is considered a stored credential.  Very few BookingCenter customers do this, and our software would not allow for it, as the card will be automatically 'expunged' at no more than 90 days after checkout, as documented in the Credit Card retention Settings area.

If a business is going to store a credential for the first time (which Visa does allow), they must do it after an approved authorization or a valid Account Number Verification. They cannot get a decline and then store the credential for the first time. Also, the business must follow all disclosure rules from Visa notifying the customer that they will be storing their card number.  If your business wishes to store credit card data in a way that the Mandate covers, then you must have notification procedures in place with your customers, and you can't store the cards in MyPMS (as they wil get expunged).

Sometimes, merchants and their representatives know little of the hotel industry and how it relates to PCI compliance.  You may find your Merchant representative expects your software company will pay a Visa-sponsored vendor to add their product/company name to a list of 'PCI Compliant PAD SS companies approved by Visa' (such as what you wish to see at: https://www.pcisecuritystandards.org/security_standards/vpa/vpa_approval_list.html).  BookingCenter does not do this, as it's not required for a service provider.  Rather, it's only required for a provider of client <--> server software distributed to end users. MyPMS is not such a product.

BookingCenter does store manually entered and swiped credit card data for a user-defined period (from 1-90 days) from departure date. The entire card is stored encrypted using both Oracle and private/public encryption shemas for this time period.  After 6 months, the card number is deleted from all systems, except the last 4 digits and expiration date, which is saved for later retrieval to match with folio entries.  No 'swiped data' is ever stored, nor are 'card ID' values stored.  All auth, batch, and settlement data is transferred via TLS 1.2 through TSYS' 'Sierra' platform via their SSL 2 gateway specification.  

There is a good article at: https://www.pcisecuritystandards.org/saq/how_it_fits.shtml that shows how it 'all fits together' and we have done exactly what is required for PCI compliance, witnessed by us boarding numerous merchants each week. We sometimes get requests for our certification to be a Level 1 PCI certification. BookingCenter will likely never become a level 1 PCI provider, as that costs a lot of money to certify and far exceeds the amount of transactions we process annually. We are level 4 due to the volume of our current transactions, but are certified as a Level 3, as we do continue to grow.

For reference, here are the general guidelines for determining PCI Level certification with Visa:

• PCI Compliance Level 1 - Merchants processing over 6 million Visa transactions annually (all channels) or Global merchants identified as Level 1 by any Visa region
• PCI Compliance Level 2 - Merchants processing 1 million to 6 million Visa transactions annually (all channels)
• PCI Compliance Level 3 - Merchants processing 20,000 to 1 million Visa e-commerce transactions annually
• PCI Compliance Level 4 - Merchants processing less than 20,000 Visa e-commerce transactions annually and all other merchants processing up to 1 million Visa transactions annually

For reference, the general guideline for determining PCI Level certification with Mastercard that BookingCenter falls within is Level 2: 300,000 or less total combined MasterCard and Maestro annual transactions annually.

Anyone asking for a Level 1 certification from BookingCenter is being inaccurate, as BookingCenter does nowhere close to that volume of transactions monthly.  The relevant difference between a Level 1 and Level 3 certification is that consultants are paid to come visit your facilities and perform an audit of software code and processes. These audits cost between $15,000 and $100,000 annually to give the 'appearance' of additional security. BookingCenter won't certify to a higher PCI Level than is necessary in order to continue offering 'best of breed' products and services at affordable rates.

We do not store the CVV2 - also called the CARD ID value - in any of the BookingCenter products. For customers who swipe credit cards in MyPMS, the CVV2 is sent with the authorization, but not stored in the software. For users of the Booking Engine and Point of Sale module with Online Authorizations, the CVV2 value may be sent with an online booking transaction and - emailed separately from the credit card number - to the property owner in a separate email, giving a property manager the responsibility to delete the CVV2 number as required by card issuing banks. This is an inconvenience but it follows PCI rules if used immediately and never stored with card holder data.

v

v