PCI Certification

Bed & Breakfast / Short Term Rental Host Forum

I'll email Tom - he does all of our RezOvation Desktop clients now... and usually I would hear from him if they were contacting inns about this. I'll let you know what I find out.
As an inn though, you can be guilty by association. If you are using a processor that has high chargebacks, Visa can enforce that the processor do evals on everyone as well. It is only a matter of time before this gets tighter and tighter. The crooks get smarter and smarter.
Thanks John.
 
I'll need to call SuperInn about this, too..
greyswan said:
I'll need to call SuperInn about this, too.
Do tell when you've talked with them.
.
I spoke with SuperInn.... they said if I use SuperInn for processing my cc's that that info would be erased after processing. Because I am only using it as a database, the info is secure. So it is secure, until someone hacks into it, right? Anyone else using SuperInn and what is your process in handling cc info there?
 
Did they say that it "would be" (meaning the system will do it) or that it "should be" (meaning you have to erase it by hand)? The system right now does not expunge this data on its own. You have to do it by hand, which is a pain.
(hmmm I should go resurrect the thread from that other place about our wish lists for availability systems)
 
I use SI and I delete the cc info myself.
 
swirt said:
(hmmm I should go resurrect the thread from that other place about our wish lists for availability systems)
Yes, you should. And email them the link. The purge button was 'in the works' back in the spring when I called about it.
 
I heard that the system would do it. At what point do you delete the info if the cc info is in as a data base info?
 
Does SI provide any PCI scanning/certification? I don't see any on their property websites. If your site and servers are secure - this is really easy to do and not all that expensive. I'm always surprised when I don't see this more often.
I'm not happy to admit that Rezo GT does not have cc purge settings in it btw... they are coming based on IK feedback - and very soon - but unfortunately even a year ago this didn't seem like a big deal so we hadn't made the functionality.
Haven't heard back from Tom yet.
JB
 
I try to do it after I check them out. (in the evening after the daily batch for the day goes through). The problem is I am sure there are some I've forgotten to delete out and there is no way to search for ones that may have been missed.
The problem is you have to delete it out under "Account" for each transaction (once for deposit, once for final payment if they used a card for each) and you also have to go under "Registration Information" and delete it out from there too. It is a lot of clicks and actions to delete out three of the four fields for the card number (so you keep the last 4 digits), the exp date and the vcode three separate times.
That is one of the features that impresses me with the Rezovation system as you can set it to automatically purge the info at checkout, a certain number of days after checkout, or as soon as the payment is processed.
 
I'm not happy to admit that Rezo GT does not have cc purge settings in it btw.
Now here I just said (almost at the exact same time in a post above) that it does. So to be clear Rezovation Desktop does have the feature? and Rezovation GT does not?
I could have sworn when I went through the setup of GT that it asked for that preference of when it should be purged. Am I thinking of the booking engine? or am I having a memory of a screen you sent me to look at it?
 
You were looking at the prototype of the functionality that I sent you back last spring. It is going live soon. We had hoped to launch it in August, but there were a few more ramifications of doing it that we had not considered - areas in the DB that gave us trouble. Rezo Desktop does not have the purge feature, nor will it ever since it really is quite intricate. Both products use 128bit encryption, strong user password access, etc. - so we think they are the most secure apps out there - but if you don't need it, why keep the liability.
 
Sorry...so busy wondering why I am having false memories that I forgot to answer your question about SuperInn and PCI scanning/certification. The best answer I have is, I don't know. There is nothing being said about it.
 
Whheewww....thought I had completely lost my mind there.
 
Well I can't vouch for your mind... but you definitely were not hallucinating on this one!
 
Heard back from Tom. Here is what he had to say. This is the first I've heard about this type of product myself. I'm checking a few other sources. Honestly, at $6/month seems like a steal to me... however I would be VERY interested in the fine print... For instance, if you get audited, and you have not done the proper scanning, have done your own PCI audit, etc. - would the insurance still cover you? I'm guessing they want you to go through the process of becoming secure. In addition - the scanning services are extra, etc. Either way - interesting product.
Also, the info looks a little old. For instance - the PABP standard they mention expired already. The new standard in effect is called PA-DSS and is even more stringent. Applications with PABP are fine for a couple years, but they are not certifying anyone new on this.
John,
I'm still getting up to speed on this so I think the best thing to do to get some education is go to PAI's website, http://www.paicustomerinfo.com and click on "PAI Secure" to learn the basics. V/MC/Amex/Disc are trying to upgrade security at each individual property that accepts credit cards. There are different rules and regulations detailing what and how credit card information may or may not be stored. I submitted "RezOvations" to PAI three weeks ago to have them check your system and haven't heard back...yet. I will call again on Friday to get an update. PAI is charging $5.95 per month per business as a PCI Compliance Fee starting October 1, 2008. This comes to $71.40 per year. This basically pays for a $50,000.00 insurance policy "IF" any account has a "breach" of security and a forensic investigation is required by Visa and/or MasterCard. I have been told the average forensic investigation costs between $20,000 - $40,000, is paid for by the merchant and is required by Visa and MasterCard in the event of a possible breach of security. "Our" $5.95 a month compares to other processors that are charging, (from statements I have seen), $12.95 a month, $9.95 a month, and one who charges $119.75 for a year. Even though this program was in the planning stage since 2004, it took me totally by surprise as a client called and told me about it rather than my company calling and telling me! That's what I get for being an "independent contractor" to PAI rather than an employee. But my clients are much better off as I can set my own rates as an independent contractor rather than an employee.
I'll give more info as I get it. Best Regards,
Tom Weiskotten
 
My letter gave as sources of info:
www.pcisecuritystandards.org
www.visa.com/cisp
www.mastercard.com/sdp
 
I am a little confused by some of these posts, your res system, - even if you can process credit cards through it, is generally NOT the credit card processing company - most of these places contract with a credit card processor in order to process the credit cards through the banking system.
Now if (like me) you don't process your CC through your res system, but your res system does do the "check sum" (which means it verifies the sequence and makeup of the cc numbers, makes sure the exp date is valid and may or may not check that the card is reported stolen) - the res system company does also need to follow some of the compliance rules.
But if your res company is saying they actually do the processing, I would check on that ....... and remember, every "other link in the chain" means you are paying higher rates because everyone is taking their little bite along the way.
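Two things in this thread lend themselves to a small worked example: the "check sum" a reservation system runs on a card number (the Luhn mod-10 test), and the manual purge swirt describes, where three of the four card-number fields, the expiry and the verification code have to be deleted by hand after checkout with no way to find the ones that were missed. The code below is an added illustration, not code from SuperInn, RezOvation or anyone on this thread; the record layout, the purge policy and the sample reservations (including the card numbers, which are the usual public test numbers) are constructed for the example.

```python
from dataclasses import dataclass
from datetime import date
from typing import List, Optional, Tuple


def luhn_valid(pan: str) -> bool:
    """The "check sum" a res system applies to a card number (Luhn mod-10).
    Passing it only proves the digits are well formed; it says nothing about
    whether the card is real, active, or belongs to the guest."""
    digits = pan.replace(" ", "")
    if not digits.isdigit() or not 13 <= len(digits) <= 19:
        return False
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


@dataclass
class Reservation:
    """Constructed record layout: what a small inn's database might hold."""
    guest: str
    checkout: date
    pan: Optional[str] = None      # full card number, needed until final payment
    expiry: Optional[str] = None   # "MM/YY"
    cvv: Optional[str] = None      # verification code; PCI DSS forbids keeping
                                   # this at all once the charge is authorised
    last4: Optional[str] = None    # the only card detail kept after the purge


def holds_full_card(r: Reservation) -> bool:
    """True if the record still contains anything beyond the last four digits."""
    return bool(r.pan or r.expiry or r.cvv)


def purge_card_data(r: Reservation) -> Reservation:
    """Automated version of the manual purge: keep the last four digits,
    drop the full number, the expiry date and the verification code."""
    if r.pan:
        r.last4 = r.pan.replace(" ", "")[-4:]
    r.pan = r.expiry = r.cvv = None
    return r


def find_unpurged(records: List[Reservation], today: date,
                  grace_days: int = 0) -> List[Reservation]:
    """The search the thread says is missing: every reservation that is
    `grace_days` or more past checkout and still holds full card data."""
    return [r for r in records
            if holds_full_card(r) and (today - r.checkout).days >= grace_days]


def purge_checked_out(records: List[Reservation], today: date,
                      grace_days: int = 0) -> int:
    """Scheduled sweep (run after the daily batch): purge everything past
    checkout plus the grace period and report how many records were cleaned."""
    due = find_unpurged(records, today, grace_days)
    for r in due:
        purge_card_data(r)
    return len(due)


def sample_records() -> List[Reservation]:
    """Constructed sample data; the card numbers are standard public test numbers."""
    return [
        Reservation("A. Guest", date(2008, 10, 12), "4111 1111 1111 1111", "11/09", "123"),
        Reservation("B. Guest", date(2008, 10, 14), "378282246310005", "03/10", "4567"),
        Reservation("C. Guest", date(2008, 10, 18), "5500000000000004", "07/11", "890"),
    ]


def demo_sweep() -> Tuple[int, int, int, Optional[str], bool]:
    """Run the sweep on the sample data as of a constructed 'today'.
    Returns (records due before, records purged, records due after,
    last4 kept for the first guest, whether the in-house guest's card survived)."""
    today = date(2008, 10, 15)          # C. Guest has not checked out yet
    records = sample_records()
    before = len(find_unpurged(records, today))
    purged = purge_checked_out(records, today)
    after = len(find_unpurged(records, today))
    return before, purged, after, records[0].last4, records[2].pan is not None


if __name__ == "__main__":
    print(luhn_valid("4111 1111 1111 1111"), luhn_valid("4111111111111112"))
    print(demo_sweep())
```

The `grace_days` argument is what turns the manual routine into a policy setting of the kind later posts describe ("at checkout, a certain number of days after checkout"); running `purge_checked_out` from the same nightly job as the card batch means a forgotten record can be found and cleaned rather than sitting in the database indefinitely.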
 
Thanks John, That is interesting information. Since Tom deals with so many B&B's you may want to suggest that he send out an email to all his clients clarifying some of this. It would read better than something that just comes down from payment alliance international.
I guess here is another question that you might already have the answer to. I know one of the primary processors you use for Rezovation GT is QuickBooks, do you know what price they are tacking on for this monthly insurance?
 
LOL Swirt - I fired an email off to Intuit the minute I got it from Tom, as I do not like surprises on stuff like CC security. I'll let you know what they say! I did go and find the T&C's of this insurance policy btw... Makes for good reading. You can find them here: http://www.royalgroupservices.com/PAI/StatementOfDisclosure.pdf.
As I thought - there are a lot of conditions/exclusions... and a LOT of loopholes. For instance - an exclusion is around 3rd party software - so if a 3rd party company is holding a customer cc for you (like MANY do)... and you have an audit - you wouldn't have coverage. If you are storing in any non-approved (PABP or PA-DSS) app - you would pay the insurance and you would not be covered... and guess what - there are only a few certified apps in the world - and they tend to be the mucho dinero systems from Micros.... You also need to show you did a full PCI compliance audit of your property, and that you did it properly... or you would not be covered... including network scans, hardware firewalls, you name it - it is an EXTENSIVE document.
Ultimately properties are going to want to do all of this eventually - but it is not an easy process!
Agoodman - anyone who grabs a cc number period - whether just a checksum, or full processing needs to be in compliance. The processing itself is probably the most secure piece of the puzzle.
 
Thanks John.
Insurance is rarely for the benefit of the insured :( It seems like the loopholes make the insurance worthless for a B&B, except that it is mandated by the processor. I dislike that it is sold to us as a method to protect us, when in reality it doesn't protect us at all, it protects the processor.
Please keep us posted on what you hear from QuickBooks.
 
Well, I think ultimately it may protect you, but there is almost no way to do it without forcing PCI compliance. It is like buying private life insurance without getting a physical... Theoretically everyone is going to have to go through compliance at some point anyway... which is scary because it is a big job and when it happens the S#$% is going to hit the fan. God forbid a B&B gets majorly hacked and it makes the news... or it is going to hit the fan faster than we will all be prepared to deal with. IF I were a property and I went through compliance, for an extra $6, I might like that peace of mind...
On another note - this policy is not from PAI. It is from Great American Insurance Group, which is a subsidiary of American Financial Group... which means that PAI is just selling it for them, which in turn means that any CC company, or anyone for that matter at all could probably be a reseller... which tells me you are going to see more and more of this springing up.
 