Here we go again... PCI Compliance

Bed & Breakfast / Short Term Rental Host Forum

I need some education.
I go to Amazon.com and they have my credit card # on file so that I don't have to enter it each time. Is this PCI compliant?
Hey, me too. Amazon is the only online place I shop because one click and it is done.
 
I don't know the specifics but here is a partially educated guess. It could be any combination of the following:
a) Walmart and Amazon are big enough to own/be their own processing company. While the rules may still apply to them, they aren't going to fine themselves into getting themselves compliant.
b) They probably don't store your full card data; they tie it to a reference number which then ties to your card. Sort of the same way you don't need the credit card number to issue a refund. The refund is tied to the transaction id. The processing company makes the connection between your card and the transaction id.
c) If they store your data, it is not your data that is stored... it is encrypted, so it becomes some other data... and only becomes your data again when they decrypt it for processing a specific payment.
d) They are out of compliance but are big enough to not care about the fines (huge by our standards, pennies by theirs) and are taking their own sweet time about getting into compliance.
e) You assume the risk, because in signing up for their service you agree to limited liability or something without reading all the fine print. You make the choice to have your card on file. It is kind of like if you leave your credit card on the table in a restaurant while you go to use the restroom: you assume the risk, not the restaurant.
It is probably not any ONE of these but is a combination of several.
 
Thanks for taking the time to share various scenarios. I am not worried by it with Amazon. Gosh, I bought myself a birthday gift on Tues and it shipped free and arrived today.... LOVE IT!!!
 
Yes - it is legal/compliant for them to keep it as they are using it for their own purposes. However - they must have an audit done of their own systems based on their transaction levels. They are considered a 1st party in the transaction, meaning they are processing credit cards for their own merchant account. This is the same as BedandBreakfast.com - we are a first party to our own transactions.
However, software and online services like Rezo, Weber, other PMS's etc. that capture a consumer's card on an innkeeper's behalf are called 3rd parties to the transaction - and are considered "Service Providers." Since you are entrusting us with critical information, we are held to a different, and generally higher standard than a 1st party transactor. Any shopping cart provider whether in travel or any type of ecommerce would fall under this category.
Does that help to explain it?
 
Oooh, yes, that makes a lot more sense than any of my guesses. Thanks.
 
Yes, but those cost more than $55 per year. They are NOW telling me it is because I use a Hypercom-7 that I have to pay the $55. That was not an issue last year. I am on Podunk. My annual revenue would make many others laugh. I am truthfully getting to the point of wondering if it really IS worth it.
I know my town needs a B & B and am fighting like hell to keep it here. But I am also getting to the point of asking is it worth the effort. Directory fees have risen to the point that Podunk cannot afford them. CC companies and processors are taking their pound of flesh. The county hits business with the highest tax rate possible. Everyone and his brother has his hand out for a freebie for their "good cause". And then there is a shocked "what happened?" when the business folds. I have NEVER felt this discouraged. It is bad enough that I cannot afford to take the chance of the old processor dipping into my account to take the $195 fee they plan to charge me for NOT doing business with them (the bank will accept my dispute of the unauthorized charge and take it back BUT there may be a few days' window because I have to be able to predict EXACTLY the amount they will charge AFTER I fax the discontinue service forms) coming and bouncing other checks I have written.
It is so discouraging. This is a wonderful business to be in. It is the outside forces (gimme everything you have or will have) that kill one's spirit.
Hi GH - As discovered on another thread we both use First Data as our processor. I also have a Hypercom; mine is a T7Plus. Last year when I did my PCI compliance I called FD and had my machine reprogrammed to make sure I was up to the minute in the latest programming for compliance. I was told that my machine did NOT store CC #'s! I would contact First Data and discuss this issue about your processor with them. They should be able to correct that issue.
I then completed the compliance questions and paid, like you, $20 for the year. If I am remembering correctly that $20 was far cheaper than some of the others that commented on the PCI topics then....
I have not gotten anything as of yet for this year... I think mine came later in the year last year. Please let me know what you hear on this as it could affect me too. Is Elavon the company that does the compliance 'certificate' (not sure what to call it)? I cannot remember who it was but I was directed to a website last year to become compliant. I would pull it all out but I am in vacation mode (leaving tomorrow) so do not want to pull all that back out.
Believe me, I am fast becoming as disillusioned as you over the ever increasing cost of doing business, yet I have been unable to raise my rates, because to do so would be the death of my business right now. And with 5-6 new hotels which have opened or will by the end of the year, I do not see me doing so in the near future.
 
Yes, Elavon is the compliance company. So this year they have raised the ante to $55. I have not gone online yet - did not have the intestinal fortitude to do it yet. I called the toll-free number and was told that the Hypercom T7 I have (yes it is old) stores in memory per Elavon. I also had a reprogram done and the receipts I hand to the guest show xxxxxx except for the last 4 digits. I will check with First Data and let you know what it is.
Since I opened in 1996 I would not be afraid of over-stating things to say well over 1000 rooms have been added in the area. There is what was a Radisson when it was built - new name now but open, Fairfield Inn, 2 HI Express, Wingate, Microtel, plus a few others I cannot name at the moment between Morgantown and Clarksburg, plus several in Weston to the south and all right along the Interstate. So far, I have put my trust in Higher Authority to guide me in my decisions and to send me guests - which seems to happen when I am most in need.
I am getting tired - not of innkeeping - but of all the BS to hang in there.
Enjoy your vacation. Once I get off my dead butt and get my passport started, I can start looking forward to May 2011 when my cousin is going to send me a ticket to come to Germany for a month. My kids can come in to look after DH if he is still clumping along (they can take turns).
 
Thanks John. That answers my question I think. If I am a first party using it for my purposes, that is different from my online reservation service, which is a third party, and will not store that information once it is given to me. YES?
 
That is partially correct - you are a 1st party as a merchant. Your online reservation service (assuming it is one that captures, transmits OR stores data) is a 3rd party, and specifically called a Service Provider.
YOU - as the merchant - must be PCI compliant. That means YOU are responsible for ONLY using 3rd party products that are PCI compliant. That means anything that you use that captures, transmits, OR stores data must be PCI compliant. This is where it gets VERY sketchy. The only way to be sure anyone is PCI compliant is to make sure they have gone through a full 3rd party audit. Both People's bank and Merit have already contacted us and told us that they will not allow their clients to use Webervations unless it goes through a full 3rd party audit. We suspect this practice will continue.
Virtually every company right now self-audits... you can imagine how well that works. Imagine if every restaurant did its own un-verified health department inspection? Imagine if every auto manufacturer did its own un-verified crash tests? How much weight could you put in either of those?
That is what is happening right now - not a single company in our industry has had their products go through a 3rd party audit including Webervations (except for Rezo GT - which has). Until that happens, you'll never know what you are getting because many vendors claim compliance, but are in blatant violation.
Your processor is also responsible for making sure all of its merchants are compliant - and thus they push you to get compliant... or at least charge you more so if you are not, they get some money to cover the costs I guess!
 
Oops! I accidentally emailed this to Swirt.
HMM.. that sounds good, but if you go back to my original statement - what is the correct part and what is the not so correct part?
 
You mean this question?
knkbnb: I go to Amazon.com and they have my credit card # on file so that I don't have to enter it each time. Is this PCI compliant?
The answer is that it is okay for them to store your credit card. PCI does allow for storage of credit cards, provided there is a business reason to store it (repeat purchases in the case of Amazon), and the storage mechanism is PCI compliant (encryption, security, etc. all check out).
When it comes to storing credit cards - it is an issue of weighing up the risk of storing them vs. the benefit. In lodging, we strongly discourage storage because the risk of storage is far greater than the benefit of storing them. So when you no longer need them (after checkout for instance), you delete. Keeps your financial risk to an absolute minimum. I believe it is even smarter to delete immediately after charge - period.
 
So, I need to destroy my phone reservation forms that have any credit card numbers recorded on them?
 
knkbnb said:
I need some education.
I go to Amazon.com and they have my credit card # on file so that I don't have to enter it each time. Is this PCI compliant?
Yes - it is legal/compliant for them to keep it as they are using it for their own purposes. However - they must have an audit done of their own systems based on their transaction levels. They are considered a 1st party in the transaction, meaning they are processing credit cards for their own merchant account. This is the same as BedandBreakfast.com - we are a first party to our own transactions.
However, software and online services like Rezo, Weber, other PMS's etc. that capture a consumer's card on an innkeeper's behalf are called 3rd parties to the transaction - and are considered "Service Providers." Since you are entrusting us with critical information, we are held to a different, and generally higher standard than a 1st party transactor. Any shopping cart provider whether in travel or any type of ecommerce would fall under this category.
Does that help to explain it?
.
Thanks John. That answers my question I think. If I am a first party using it for my purposes, that is different from my online reservation service, which is a third party, and will not store that information once it is given to me. YES?
.
knkbnb said:
Thanks John. That answers my question I think. If I am a first party using it for my purposes, that is different from my online reservation service, which is a third party, and will not store that information once it is given to me. YES?
That is partially correct - you are a 1st party as a merchant. Your online reservation service (assuming it is one that captures, transmits OR stores data) is a 3rd party, and specifically called a Service Provider.
YOU - as the merchant - must be PCI compliant. That means YOU are responsible for ONLY using 3rd party products that are PCI compliant. That means anything that you use that captures, transmits, OR stores data must be PCI compliant. This is where it gets VERY sketchy. The only way to be sure anyone is PCI compliant is to make sure they have gone through a full 3rd party audit. Both People's bank and Merit have already contacted us and told us that they will not allow their clients to use Webervations unless it goes through a full 3rd party audit. We suspect this practice will continue.
Virtually every company right now self-audits... you can imagine how well that works. Imagine if every restaurant did its own un-verified health department inspection? Imagine if every auto manufacturer did its own un-verified crash tests? How much weight could you put in either of those?
That is what is happening right now - not a single company in our industry has had their products go through a 3rd party audit including Webervations (except for Rezo GT - which has). Until that happens, you'll never know what you are getting because many vendors claim compliance, but are in blatant violation.
Your processor is also responsible for making sure all of its merchants are compliant - and thus they push you to get compliant... or at least charge you more so if you are not, they get some money to cover the costs I guess!
.
Oops! I accidentally emailed this to Swirt-
HMM.. that sounds good but if you go back to my original statement- what is the correct part and what is the not so correct part?
.
knkbnb said:
Oops! I accidentally emailed this to Swirt-
HMM.. that sounds good but if you go back to my original statement- what is the correct part and what is the not so correct part?
You mean this question?
knkbnb: I go to Amazon.com and they have my credit card # on file so that I don't have to enter it each time. Is this PCI compliant?
The answer is that it is okay for them to store your credit card. PCI does allow for storage of credit cards, provided there is a business reason to store it (repeat purchases in the case of Amazon), and the storage mechanism is PCI compliant (encryption, security, etc. all check out).
When it comes to storing credit cards - it is an issue of weighing up the risk of storing them vs. the benefit. In lodging, we strongly discourage storage because the risk of storage is far greater than the benefit of storing them. So when you no longer need them (after checkout for instance), you delete. Keeps your financial risk to an absolute minimum. I believe it is even smarter to delete immediately after charge - period.
.
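To make the retention advice in the reply above concrete, here is an added example (not code from the thread or from any of the vendors named in it) of a small reservation record store that keeps a guest's full card number only until the charge is run, then purges it and keeps only the masked number plus the processor's transaction reference. The `ReservationStore` class, the fake `demo_processor`, and the sample card numbers are all constructed for illustration.

```python
"""Added example: enforce "delete the card data immediately after charge".

Everything here is constructed for illustration: the store, the fake
processor and the sample card numbers are not from any real system.
"""
import re
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional

# A run of 13-19 digits is what a full card number (PAN) looks like; used
# to scan the store for anything that should have been purged.
PAN_PATTERN = re.compile(r"\b\d{13,19}\b")


def luhn_ok(pan: str) -> bool:
    """Luhn checksum: rejects mistyped numbers before they are ever stored."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Keep only the last four digits, enough for the host to recognise the card."""
    return "*" * (len(pan) - 4) + pan[-4:]


@dataclass
class Reservation:
    guest: str
    pan: Optional[str]          # full number, present only while still needed
    masked_pan: str
    txn_ref: Optional[str] = None   # processor reference, used for refunds
    charged: bool = False


def demo_processor(pan: str, amount_cents: int) -> str:
    """Constructed stand-in for a payment processor; returns a reference only."""
    return f"TXN-{pan[-4:]}-{amount_cents}"


class ReservationStore:
    def __init__(self) -> None:
        self._records: Dict[str, Reservation] = {}

    def capture_card(self, res_id: str, guest: str, pan: str) -> None:
        """Store the card for a pending reservation (a business need exists)."""
        pan = pan.replace(" ", "")
        if not pan.isdigit() or not luhn_ok(pan):
            raise ValueError("invalid card number")
        self._records[res_id] = Reservation(guest=guest, pan=pan, masked_pan=mask_pan(pan))

    def charge(self, res_id: str, amount_cents: int,
               processor: Callable[[str, int], str] = demo_processor) -> str:
        """Run the charge, then purge the full number in the same step."""
        rec = self._records[res_id]
        if rec.pan is None:
            raise RuntimeError("no card on file; ask the guest again")
        rec.txn_ref = processor(rec.pan, amount_cents)
        rec.charged = True
        rec.pan = None      # delete immediately after charge
        return rec.txn_ref

    def purge_card(self, res_id: str) -> None:
        """Checkout without a charge (e.g. guest paid cash): drop the number anyway."""
        self._records[res_id].pan = None

    def record(self, res_id: str) -> Reservation:
        return self._records[res_id]

    def leftover_pans(self) -> List[str]:
        """Audit helper: reservation ids still holding anything that looks like a PAN."""
        found = []
        for res_id, rec in self._records.items():
            for value in (rec.pan, rec.masked_pan, rec.txn_ref):
                if value and PAN_PATTERN.search(value):
                    found.append(res_id)
                    break
        return found


if __name__ == "__main__":
    store = ReservationStore()
    store.capture_card("R-1", "A. Guest", "4111 1111 1111 1111")  # constructed test number
    print("before charge:", store.leftover_pans())     # ['R-1']
    print("ref:", store.charge("R-1", 15000))
    print("after charge:", store.leftover_pans())      # []
    print("kept:", store.record("R-1").masked_pan)
```

The point of `leftover_pans` is that "we delete after checkout" is a policy you can check rather than assume: run it over the whole store and anything that still carries a full number is a record that was not cleaned up.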
JBanczak said:
knkbnb said:
Oops! I accidentally emailed this to Swirt-
HMM.. that sounds good but if you go back to my original statement- what is the correct part and what is the not so correct part?
You mean this question?
knkbnb: I go to Amazon.com and they have my credit card # on file so that I don't have to enter it each time. Is this PCI compliant?
The answer is that it is okay for them to store your credit card. PCI does allow for storage of credit cards, provided there is a business reason to store it (repeat purchases in the case of Amazon), and the storage mechanism is PCI compliant (encryption, security, etc. all check out).
When it comes to storing credit cards - it is an issue of weighing up the risk of storing them vs. the benefit. In lodging, we strongly discourage storage because the risk of storage is far greater than the benefit of storing them. So when you no longer need them (after checkout for instance), you delete. Keeps your financial risk to an absolute minimum. I believe it is even smarter to delete immediately after charge - period.
So, I need to destroy my phone reservation forms that have any credit card numbers recorded on them?
.
Proud Texan said:
JBanczak said:
knkbnb said:
Oops! I accidentally emailed this to Swirt-
HMM.. that sounds good but if you go back to my original statement- what is the correct part and what is the not so correct part?
You mean this question?
knkbnb: I go to Amazon.com and they have my credit card # on file so that I don't have to enter it each time. Is this PCI compliant?
The answer is that it is okay for them to store your credit card. PCI does allow for storage of credit cards, provided there is a business reason to store it (repeat purchases in the case of Amazon), and the storage mechanism is PCI compliant (encryption, security, etc. all check out).
When it comes to storing credit cards - it is an issue of weighing up the risk of storing them vs. the benefit. In lodging, we strongly discourage storage because the risk of storage is far greater than the benefit of storing them. So when you no longer need them (after checkout for instance), you delete. Keeps your financial risk to an absolute minimum. I believe it is even smarter to delete immediately after charge - period.
So, I need to destroy my phone reservation forms that have any credit card numbers recorded on them?
Yes - definitely do not keep paper records with credit cards on them.
 
OK, yesterday received a call from a company hired by my credit card company to make sure that we were PCI compliant. Confused the heck out of me. DH told me to ask them for my merchant number to make sure that it wasn't a scam.
Received an email from them today saying that they ran a security check against our computer and we are PCI compliant. Yippee!!!!!!!!!! Still don't understand it entirely. Will have to re-read this thread and try to interpret the techno info.
 
OK, yesterday received a call from a company hired by my credit card company to make sure that we were PCI compliant. Confused the heck out of me. DH told me to ask them for my merchant number to make sure that it wasn't a scam.
Received an email from them today saying that they ran a security check against our computer and we are PCI compliant. Yippee!!!!!!!!!! Still don't understand it entirely. Will have to re-read this thread and try to interpret the techno info.
Did you give them access to your computer???? I don't understand???? And how did you know they were legit? Out of the blue like that I would have contacted your credit card processor to see before doing anything. This doesn't sound kosher to me?????
 
OK, yesterday received a call from a company hired by my credit card company to make sure that we were PCI compliant. Confused the heck out of me. DH told me to ask them for my merchant number to make sure that it wasn't a scam.
Received an email from them today saying that they ran a security check against our computer and we are PCI compliant. Yippee!!!!!!!!!! Still don't understand it entirely. Will have to re-read this thread and try to interpret the techno info.
I agree with Catlady, something doesn't sound right...they ran a check against your computer? How did they access your computer?
 
We were seriously taken for a very expensive trip and are still paying for it...just the machine alone not including the monthly fees--EVEN IF WE DON'T EVER SWIPE A CARD again was incredible...let's just say it was a charge for a machine that was not worth a 5 year contract to pay for the machine itself, not including all the fees and such. If we were to close our doors tomorrow we would still be bound to pay this contract off....it's a rip off that the credit card companies rake in by the billions. And the merchant pays for every nickel, dime and penny. Maybe cash is golden...huh?
 
birdwatcher said:
We were seriously taken for a very expensive trip and are still paying for it...just the machine alone not including the monthly fees--EVEN IF WE DON'T EVER SWIPE A CARD again was incredible...let's just say it was a charge for a machine that was not worth a 5 year contract to pay for the machine itself, not including all the fees and such. If we were to close our doors tomorrow we would still be bound to pay this contract off....it's a rip off that the credit card companies rake in by the billions. And the merchant pays for every nickel, dime and penny. Maybe cash is golden...huh?
That sounds pretty awful - I've heard stories like that before, but never with five years. Ouch. Is there an early termination fee to just get out?
 
We were seriously taken for a very expensive trip and are still paying for it...just the machine alone not including the monthly fees--EVEN IF WE DON'T EVER SWIPE A CARD again was incredible...let's just say it was a charge for a machine that was not worth a 5 year contract to pay for the machine itself, not including all the fees and such. If we were to close our doors tomorrow we would still be bound to pay this contract off....it's a rip off that the credit card companies rake in by the billions. And the merchant pays for every nickel, dime and penny. Maybe cash is golden...huh?
We had a four year lease on ours!!! I hated it..but we were bound. That's what happened because we just switched over from my husband's business account to the B & B one. We were so dumb not to have investigated further!!! Never ever lease a credit card machine folks!!! Do your homework.
 
I have a processor who is charging me $5 per month to not use the service. I am beyond contract (was when I changed) but they told me there would be a fee of I think it was $195 - which I cannot afford for them to just take out of my account since they DO have my numbers while I fight. So now they have figured out ways to make us pay to NOT use their services. Who knows where I will be in the 3 years I figured it would take at $5 per month.
 