Credit card information is a necessary piece of data for hotels to obtain in order to conduct business. Unfortunately, the risk that this data can be compromised is a large threat to hotel operations. There are certain guidelines you can follow to help decrease the risk that credit card information is compromised.

Credit Card Authorization

Authorization is required for all credit card transactions. Authorization should occur before any merchandise or service is performed.

If the hotel is fully PCI DSS compliant, the credit card may be swiped through a magnetic stripe reader attached to the Property Management System. (PCI DSS is the Payment Card Industry Data Security Standard. It is a set of security measures that the card brands such as Visa and MasterCard expect the hotel to have in place in order to handle credit card information securely.)

If the hotel is not fully PCI DSS compliant, it is recommended that the credit card number is manually keyed rather than swiped. The simple act of swiping a card puts the information on the magnetic stripe at risk. Criminals have been targeting the Hospitality industry with malicious software designed to look for and copy magnetic stripe data. Entering the credit card details manually into the PMS for authorization is safer than swiping. So is processing a payment directly on a stand alone payment terminal that is not connected to the Property Management System. Do not enter credit card information into comment fields; it will not be protected.

Imprints can be taken if your other payment methods are out of order but steps must be taken to protect the card information on all imprint copies.

Storing credit card information

One way to protect guest information is to reduce the amount of confidential information collected to the minimum needed to provide services to the guest. If you do not need it, then do not ask for it. Once you collect confidential information then you have to protect it.

It is important to be aware of all physical credit card information you have in your hotel so that none of your guests have worries about credit card fraud related to their hotel stay. Treat credit card numbers like cash and don’t leave them lying around for someone to easily steal. All physical credit card information should be stored in a secure place with credit card numbers masked, truncated or encrypted. Additionally, proper shredding of such information should be enforced if the data is contained on a document that does not meet retention requirements.

Periodic checks should be performed to ensure that full credit card numbers are not appearing on guest folios or receipts generated from other areas of the hotel such as the restaurant. Food and Beverage employees should also be instructed regarding the importance of promptly returning the credit card to the owner.

Additionally, review your front desk work space to make sure that folios or other paperwork with credit card details are not easily seen or reachable from the lobby side of the desk. Don’t make it easy for someone to reach over the desk and help themselves to this personally identifiable information!

Prohibited actions

The credit card security code is a three digit number on the back of most cards, or a four digit number on the front of American Express cards. This security code must never be stored, written down, or keyed into a hotel system.

The security code must never be captured on a photocopy so do not take photocopies of a card, and do not ask a guest to send you a photocopy of their card.

Email is not a secure system for sending or receiving credit card information. Do not ask for credit card information by email, chat, or instant messenger. Use the telephone or traditional paper FAX for communicating credit card information.