Hey me too. amazon is the only on line place I shop because one click and it is done.
Here we go again... PCI Compliance
- Thread starter gillumhouse
- Start date
Help Support Bed & Breakfast / Short Term Rental Host Forum:
swirt
Forum founder. Former Owner.
- Joined
- May 17, 2008
- Messages
- 3,210
- Reaction score
- 1
I don't know the specifics but here is a partially educated guess. It could be any combination of the following:
a) Walmart and Amazon are big enough to be own/be their own processing company. While the rules may still apply to them, they aren't going to fine themselves into getting themselves compliant.
b) They probably don't store your full card data, they tie it to a reference number which then ties to your card. Sort of the same way you don't need the credit card number to issue a refund. The refund is tied to the transaction id. THe processing company makes the connection between your card and the transaction id.
c) If they store your data, it is not your data that is stored..it is encrypted, so it becomes some other data...and only becomes your data again when the de-crypt it for processing a specific payment.
d) they are out of compliance but are big enough to not care about the fines (huge by our standards,pennies by theirs) and are taking their own sweet time about getting into compliance.
e) You assume the risk, because in signing up for their service you agree to limited liability or something without reading all the fine print. You make the choice to have yoru card on file. It is kind of like if you leave your credit card on the table in a restaurant while you go to use the restroom, you assume the risk, not the restaurant.
It is probably not any ONE of these but is a combination of several.
Thanks for taking the time to share various scenarios. I am not worried by it with Amazon. Gosh I bought my self a birthday gift on Tues and it shipped free and arrived today....LOVE IT!!!
Yes - it is legal/compliant for them to keep it as they are using it for their own purposes. However - they must have an audit done of their own systems based on their transaction levels. They are considered a 1st party in the transaction, meaning they are processing credit cards for their own merchant account. This is the same as BedandBreakfast.com - we are a first party to our own transactions.knkbnb said:
However, software and online services like Rezo, Weber, other PMS's etc. that capture a consumer's card on an innkeeper's behalf are called 3rd parties to the transaction - and are considered "Service Providers." Since you are entrusting us with critical information, we are held to a different, and generally higher standard than a 1st party transactor. Any shopping cart provider whether in travel or any type of ecommerce would fall under this category.
Does that help to explain it?
swirt
Forum founder. Former Owner.
- Joined
- May 17, 2008
- Messages
- 3,210
- Reaction score
- 1
Does that help to explain it?
Oooh Yes that makes a lot more sense than any of my guesses . Thanks.
Copperhead
Well-known member
- Joined
- Jun 24, 2008
- Messages
- 5,968
- Reaction score
- 0
Hi GH - As discovered on another thread we both use First Data as our processor. I also have a Hypercom mine is a T7Plus. Last year when I did my PCI compliance I called FD and had my machine reprogrammed to make sure I was up to the minute in latest programing for compliance. I was told that my machine did NOT store CC #'s! I would contact First Data and discuss this issue about your processor with them. They should be able correct that issue.
I then completed the compliance questions and paid like you $20 for the year. If I am remembering correctly that $20 was far cheaper than some of the others that commented on the PCI topics then....
I have not gotten anything as of yet for this year...I think mine came later in the year last year. Please let me know what you hear on this as it could affect me too. Is Elavon the complany that does the compliance 'certificate' (not sure what to call it)? I can not remember who it was but I was directed to a website last year to become compliant. I would pull it all out but I am in vacation mode (leaving tomorrow) so do not want to pull all that back out.
Believe me I am fastly becoming as disilluisioned as you over the ever increasing cost of doing business yet I have been unable to raise my rates, because to do so would be the death of my business right now. And with 5-6 new hotels which have opened or will by the end of the year, I do not see me doing so in the near future.
- Joined
- May 22, 2008
- Messages
- 16,075
- Reaction score
- 747
Yes, Elavon is the compliance company. So this year they have raised the ante to $55. I have not gone online yet - did not have teh intestinal fortitude to do it yet. I called the toll-free number and was told that the Hypercom T7 I have (yes it is old) stores in memory per Elavon. I also had a reprogram done and the receipts I hand to the guest shows xxxxxx except for the last 4 digits. I will check with First Data and let you know what is.
Since I opened in 1996 I would not be afraid of over-stating things to say well over 1000 rooms have been added in the area. There is a what was a Radi sson when it was built - new name now but open, Fair field Inn, 2 HI Expr ess, Wyn g ate, Mi cro- tel, plus a few others I cannot name at the moment between Morgantown and Clarksburg plus several in Weston to the south and all right along the Interstate. So far, I have put my trust in Higher Authority to guide me in my decisions and to send me guests - which seems to happen when I am most in need.
I am getting tired - not of innkeeping - but all the BS to hang in there.
Enjoy your vacation. Once I get off my dead butt and get my passport started, I can start looking forward to May 2011 when my cousin is going to send me a ticket to come to Germany for a month. My kids can come in to look after DH if he is still clumping along (they can take turns).
happykeeper
Well-known member
- Joined
- Dec 11, 2008
- Messages
- 1,758
- Reaction score
- 0
Thanks John. That answers my question I think. If I am a first party using it for my purposes, that is different from my online reservation service, which is a third party, and will not store that information once it is given to me. YES?
That is partially correct - you are a 1st party as a merchant. Your online reservation service (assuming it is one that captures, transmits OR stores data) is a 3rd party, and specifically called a Service Provider.knkbnb said:
YOU - as the merchant - must be PCI compliant. That means YOU are responsible for ONLY using 3rd party products that are PCI compliant. That means anything that you use that captures, transmits, OR stores data must be PCI compliant. This is where it gets VERY sketchy. The only way to be sure anyone is PCI compliant is to make sure they have gone through a full 3rd party audit. Both People's bank and Merit have already contacted us and told us that they will not allow their clients to use Webervations unless it goes through a full 3rd party audit. We suspect this practice will continue.
Virtually every company right now self-audits... you can imagine how well that works. Imagine if every restaurant did its own un-verified health department inspection? Imagine if every auto manufacturer did its own un-verified crash tests? How much weight could you put in either of those?
That is what is happening right now - not a single company in our industry has had their products go through a 3rd party audit including Webervations (except for Rezo GT - which has). Until that happens, you'll never know what you are getting because many vendors claim compliance, but are in blatant violation.
Your processor is also responsible for making sure all of its merchants are compliant - and thus they push you to get compliant... or at least charge you more so if you are not, they get some money to cover the costs I guess!
happykeeper
Well-known member
- Joined
- Dec 11, 2008
- Messages
- 1,758
- Reaction score
- 0
Oops! I accidently emailed this to Swirt-
HMM.. that sounds good but if you go back to my original statement- what is the correct part and what is the not so correct part?
Oops! I accidently emailed this to Swirt-
HMM.. that sounds good but if you go back to my original statement- what is the correct part and what is the not so correct part?
.
You mean this question?knkbnb said:Oops! I accidently emailed this to Swirt-
HMM.. that sounds good but if you go back to my original statement- what is the correct part and what is the not so correct part?
knkbnb: I go to Amazon.com and they have my credit card # on file so that I don't have to enter it each time. Is this PCI compliant?
The answer is that it is okay for them to store your credit card. PCI does allow for storage of credit cards, provided there is a business reason to store it (repeat purchases in the case of Amazon), and the storage mechanism is PCI compliant (encryption, security, etc. all check out).
When it comes to storing credit cards - it is an issue of weighing up the risk of storing them vs. the benefit. In lodging, we strongly discourage storage because the risk of storage is far greater than the benefit of storin them. So when you no longer need them (after checkout for instance), you delete. Keeps your financial risk to an absolute minimum. I believe it is even smarter to delete immediately after charge - period.
Proud Texan
Well-known member
- Joined
- May 30, 2008
- Messages
- 2,685
- Reaction score
- 0
Oops! I accidently emailed this to Swirt-
HMM.. that sounds good but if you go back to my original statement- what is the correct part and what is the not so correct part?
.You mean this question?knkbnb said:Oops! I accidently emailed this to Swirt-
HMM.. that sounds good but if you go back to my original statement- what is the correct part and what is the not so correct part?
knkbnb: I go to Amazon.com and they have my credit card # on file so that I don't have to enter it each time. Is this PCI compliant?
The answer is that it is okay for them to store your credit card. PCI does allow for storage of credit cards, provided there is a business reason to store it (repeat purchases in the case of Amazon), and the storage mechanism is PCI compliant (encryption, security, etc. all check out).
When it comes to storing credit cards - it is an issue of weighing up the risk of storing them vs. the benefit. In lodging, we strongly discourage storage because the risk of storage is far greater than the benefit of storin them. So when you no longer need them (after checkout for instance), you delete. Keeps your financial risk to an absolute minimum. I believe it is even smarter to delete immediately after charge - period.
.
So, I need to destroy my phone reservation forms that have any credit card numbers recorded on them?JBanczak said:You mean this question?knkbnb said:Oops! I accidently emailed this to Swirt-
HMM.. that sounds good but if you go back to my original statement- what is the correct part and what is the not so correct part?
knkbnb: I go to Amazon.com and they have my credit card # on file so that I don't have to enter it each time. Is this PCI compliant?
The answer is that it is okay for them to store your credit card. PCI does allow for storage of credit cards, provided there is a business reason to store it (repeat purchases in the case of Amazon), and the storage mechanism is PCI compliant (encryption, security, etc. all check out).
When it comes to storing credit cards - it is an issue of weighing up the risk of storing them vs. the benefit. In lodging, we strongly discourage storage because the risk of storage is far greater than the benefit of storin them. So when you no longer need them (after checkout for instance), you delete. Keeps your financial risk to an absolute minimum. I believe it is even smarter to delete immediately after charge - period.
Oops! I accidently emailed this to Swirt-
HMM.. that sounds good but if you go back to my original statement- what is the correct part and what is the not so correct part?
.You mean this question?knkbnb said:Oops! I accidently emailed this to Swirt-
HMM.. that sounds good but if you go back to my original statement- what is the correct part and what is the not so correct part?
knkbnb: I go to Amazon.com and they have my credit card # on file so that I don't have to enter it each time. Is this PCI compliant?
The answer is that it is okay for them to store your credit card. PCI does allow for storage of credit cards, provided there is a business reason to store it (repeat purchases in the case of Amazon), and the storage mechanism is PCI compliant (encryption, security, etc. all check out).
When it comes to storing credit cards - it is an issue of weighing up the risk of storing them vs. the benefit. In lodging, we strongly discourage storage because the risk of storage is far greater than the benefit of storin them. So when you no longer need them (after checkout for instance), you delete. Keeps your financial risk to an absolute minimum. I believe it is even smarter to delete immediately after charge - period.
.So, I need to destroy my phone reservation forms that have any credit card numbers recorded on them?JBanczak said:You mean this question?knkbnb said:Oops! I accidently emailed this to Swirt-
HMM.. that sounds good but if you go back to my original statement- what is the correct part and what is the not so correct part?
knkbnb: I go to Amazon.com and they have my credit card # on file so that I don't have to enter it each time. Is this PCI compliant?
The answer is that it is okay for them to store your credit card. PCI does allow for storage of credit cards, provided there is a business reason to store it (repeat purchases in the case of Amazon), and the storage mechanism is PCI compliant (encryption, security, etc. all check out).
When it comes to storing credit cards - it is an issue of weighing up the risk of storing them vs. the benefit. In lodging, we strongly discourage storage because the risk of storage is far greater than the benefit of storin them. So when you no longer need them (after checkout for instance), you delete. Keeps your financial risk to an absolute minimum. I believe it is even smarter to delete immediately after charge - period.
.
Yes - definitely do not keep paper records with credit cards on them.Proud Texan said:So, I need to destroy my phone reservation forms that have any credit card numbers recorded on them?JBanczak said:You mean this question?knkbnb said:Oops! I accidently emailed this to Swirt-
HMM.. that sounds good but if you go back to my original statement- what is the correct part and what is the not so correct part?
knkbnb: I go to Amazon.com and they have my credit card # on file so that I don't have to enter it each time. Is this PCI compliant?
The answer is that it is okay for them to store your credit card. PCI does allow for storage of credit cards, provided there is a business reason to store it (repeat purchases in the case of Amazon), and the storage mechanism is PCI compliant (encryption, security, etc. all check out).
When it comes to storing credit cards - it is an issue of weighing up the risk of storing them vs. the benefit. In lodging, we strongly discourage storage because the risk of storage is far greater than the benefit of storin them. So when you no longer need them (after checkout for instance), you delete. Keeps your financial risk to an absolute minimum. I believe it is even smarter to delete immediately after charge - period.
JeannineIrish
Well-known member
- Joined
- Jun 15, 2008
- Messages
- 221
- Reaction score
- 0
OK, yesterday received a call from a company hired by my credit card company to make sure that we were PCI compliant. Confused the heck out of me. DH told me to ask them for my merchant number to make sure that it wasn't a scam.
Received an email from them today saying that they ran a security check against our computer and we are PCI compliant. Yippee!!!!!!!!!!Still don't understand it entirely. Will have to re-read this thread and try to interpret the technos info.
Did you give them access to your computer???? I don't understand???? ANd how did you know they were legit? Out of the blue like that I would have contacted your credit card processor to see before doing anything. This doesn't sound kosher to me?????OK, yesterday received a call from a company hired by my credit card company to make sure that we were PCI compliant. Confused the heck out of me. DH told me to ask them for my merchant number to make sure that it wasn't a scam.
Received an email from them today saying that they ran a security check against our computer and we are PCI compliant. Yippee!!!!!!!!!!Still don't understand it entirely. Will have to re-read this thread and try to interpret the technos info..
swirt
Forum founder. Former Owner.
- Joined
- May 17, 2008
- Messages
- 3,210
- Reaction score
- 1
I agree with Catlady, something doesn't sound right...they ran a check against your computer? How did they access your computer?OK, yesterday received a call from a company hired by my credit card company to make sure that we were PCI compliant. Confused the heck out of me. DH told me to ask them for my merchant number to make sure that it wasn't a scam.
Received an email from them today saying that they ran a security check against our computer and we are PCI compliant. Yippee!!!!!!!!!!Still don't understand it entirely. Will have to re-read this thread and try to interpret the technos info..
birdwatcher
Well-known member
- Joined
- Feb 22, 2009
- Messages
- 1,085
- Reaction score
- 0
We where seriously taken for very expensive trip and are still paying for it...just the machine alone not including the montly fees--EVEN IF WE DONT EVER SWIPE A CARD again was incredible...lets just say it was a charge for a machine that was not worth a 5 year contract to pay for the machine itself, not including all the fees and such. If we where to close out doors tomorrow we would still be bound to pay this contract off....its a rip off that the credit card companies rake in by the billions. And the merchant pays for every nickle, dime and penny. Maybe cash is golden...huh?
That sounds pretty awful - I've heard stories like that before, but never with five years. Ouch. Is there an early termination fee to just get out?birdwatcher said:
We had a four year lease on ours!!! I hated it..but we were bound. That's what happened because we just switched over from my husband's business account to the B & B one. We were so dumb not to have investigated further!!! Never ever lease a credit card machine folks!!! Do your homework.
- Joined
- May 22, 2008
- Messages
- 16,075
- Reaction score
- 747
I have a processor who is charging me $5 per month to not use the service. I am beyond contract (was when I changed) but they told me there would be a fee of I think it was $195 - which I cannot afford for them to just take out of my account since they DO have my numbers while I fight. So now they have fiugured out ways to make us pay to NOT use their services. Wo knows where i will be in the 3 years I figured it would take at $5 per month.
