PCI Certification

INNspiring.com | Innkeeper Forum & Innkeeping Resources

gillumhouse

Moderator
Staff member
Moderator
Supporting Member
Joined
May 22, 2008
Messages
15,520
Reaction score
83
Did any of you get the letter from your credit card company regarding PCI Compliance?
Mine said I had to do a compliance of the security of credit card info electronically at my inn. I started to do it online at the site they gave me. Came to a button that said "calculate fee". WHAT THE???? Fee?
I called the toll-free number and asked what this was all about. There is a $24.95 fee which is a discounted fee from the normal $139. The young man did go through a few steps with me including making a reservation with my Webervations to see that I do not collect a cc number. He told me a web site that had the necessary form and that I wanted Type 3 (he said finding out which form was the hardest thing on that other site). I filled out the form, printed it, and sent it certified so I will have the proof the processor got it. I was notified that if I was not compliant by Nov 1 I would be penalized $19.95 per month, non-compliant fee. So now I wait to see what happens.
I do not store cc numbers electronically anywhere - period. My feeling is that if they can hack the Pentagon, they can hack a bank. My computer would be creampuff hacking so why would I put cc numbers on it? Many years ago I had a guest e-mail his cc number from Spain. I wrote that baby down and deleted that e-mail so fast it smoked!
Just curious if others got it from their processors.
 

agoodman

Well-known member
Joined
Oct 18, 2008
Messages
818
Reaction score
0
SCAM SCAM but yes you do have to be compliant, but if you use a reputable processor you will be, as you will be if you use a reputable res system (when guest adds cc info)
Basic stuff like the cc number should not appear on printed docs except last 4 digits, you may not store CID code, you have to process refunds within x number of days blah blah
 
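A defender's check for the "basic stuff" agoodman lists (only the last four digits on printed documents, never store the CID code), as an added Python example that is not from the forum or from any innkeeper's reservation software: it finds Luhn-valid card numbers in free text such as a guest e-mail or a reservation note, masks them to the last four digits, and drops CID/CVV fields from a record before it is saved. The field names and sample records are constructed for the example.

```python
from __future__ import annotations
import re
from typing import Any

# Candidate PANs: 13-19 digits, optionally separated by single spaces or dashes.
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")
# Field names (assumed for this example) that must never be kept after authorization.
FORBIDDEN_FIELDS = {"cid", "cvv", "cvv2", "cvc", "cvc2", "security_code"}


def luhn_valid(digits: str) -> bool:
    """Mod-10 check used by the card brands; weeds out phone numbers and confirmation codes."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(digits: str) -> str:
    """Keep only the last four digits, which is all a printed receipt may show."""
    return "*" * (len(digits) - 4) + digits[-4:]


def redact_text(text: str) -> tuple[str, int]:
    """Mask every Luhn-valid card number in free text; returns (clean text, count masked)."""
    count = 0

    def _sub(m: re.Match) -> str:
        nonlocal count
        digits = re.sub(r"\D", "", m.group(0))
        if not luhn_valid(digits):
            return m.group(0)   # not a card number, leave it alone
        count += 1
        return mask_pan(digits)

    return PAN_RE.sub(_sub, text), count


def sanitize_record(record: dict[str, Any]) -> dict[str, Any]:
    """Drop CID/CVV fields and mask any PAN before a reservation record is written to disk."""
    clean: dict[str, Any] = {}
    for key, value in record.items():
        if key.lower() in FORBIDDEN_FIELDS:
            continue            # security code is never stored, not even masked
        if isinstance(value, str):
            value, _ = redact_text(value)
        clean[key] = value
    return clean
```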

Morticia

Administrator
Staff member
Administrator
Moderator
Joined
May 22, 2008
Messages
17,274
Reaction score
143
Nope. There was a flurry of that about 3 years ago and then nothing. I wouldn't take any steps to verify anything unless I get it in writing from my own cc processor. Which it appears you did. Are you sure it's from your processor? It does sound scammy to me. Especially the 'reduced rate' thing. Being as my processor never contacts me about anything, no worries.
 

gillumhouse

Moderator
Staff member
Moderator
Supporting Member
Joined
May 22, 2008
Messages
15,520
Reaction score
83
agoodman said:
SCAM SCAM but yes you do have to be compliant, but if you use a reputable processor you will be, as you will be if you use a reputable res system (when guest adds cc info)
Basic stuff like the cc number should not appear on printed docs except last 4 digits, you may not store CID code, you have to process refunds within x number of days blah blah.
Sorry, but it is not a scam unless being perpetrated by my processor. The letter is on their letterhead and it is an arm of the bank we use for the family account. It is not just a processing company. I was told there is an annual compliance fee of $24.95.
I will find out if filling out the form, which by the way is what is done online, and sending it in will be enough or if it is just another way for the bank to take my money. Surprise, surprise.
 

agoodman

Well-known member
Joined
Oct 18, 2008
Messages
818
Reaction score
0
gillumhouse said:
Sorry, but it is not a scam unless being perpetrated by my processor. The letter is on their letterhead and it is an arm of the bank we use for the family account. It is not just a processing company. I was told there is an annual compliance fee of $24.95.
I will find out if filling out the form, which by the way is what is done online, and sending it in will be enough or if it is just another way for the bank to take my money. Surprise, surprise.
I understand your concern and wanting to CYA, however anything can be done anyhow anyway nowadays, like those emails you get from the bank, however before sending info you may want to call Visa/MC merchant processing HQ (not your processor).
 

gillumhouse

Moderator
Staff member
Moderator
Supporting Member
Joined
May 22, 2008
Messages
15,520
Reaction score
83
agoodman said:
I understand your concern and wanting to CYA, however anything can be done anyhow anyway nowadays, like those emails you get from the bank, however before sending info you may want to call Visa/MC merchant processing HQ (not your processor).
There was a workshop on this at the Governor's Conference last month. I sent a certified letter yesterday with the printed forms which basically were a "Do you _________ X Yes __ No".
In a cover letter I stated I had no employees and no one else who processed the cards. I just wondered if anyone else had this come up now. They have forms online for those companies with over 1 million in sales and they have a more exacting audit. Audits are being done and are required. Cannot remember the date that all will be in compliance by that was mentioned in that workshop. There are now companies (really surprising isn't it) who do the audit for the companies taking cc for sales - for a sweet fee of course.
 

JBanczak

Well-known member
Joined
Jun 25, 2008
Messages
479
Reaction score
0
Very interesting. We are starting to hear this more and more. The Visa.com website has the definitive, albeit confusing answers. You can see details here: http://usa.visa.com/merchants/risk_management/cisp.html. Theoretically, Visa is setting a date of next October whereby all gateways and processors must certify that they are PCI compliant/their customers are using a certified application. Also in theory this applies to all new merchants right now... In reality, they can only reactively enforce it. We spoke to Visa a few weeks ago, and if they see that particular gateways, processors, or merchants have a higher amount of fraud, chargebacks, or improper classifications - then they would single those out.
I had asked folks on this forum a couple months ago about how many were on lodging gateways - and it seems like the users on this forum should be in very good shape for these upcoming changes - folks seemed to be pretty highly knowledgeable about how to do it properly... i.e. use a lodging gateway, be careful what data you and your designated providers store and how it is stored, and only keep what you need.
Out of curiosity - what webpage did they point you to? Did you verify that this person was actually an employee of your processor/calling from your processor? Have you had high fraud issues lately? Chargebacks? This type of proactive calling seems a little strange. We process cards for over 300 properties and I have not heard of this happening... yet...
 

greyswan

Well-known member
Joined
Jun 3, 2008
Messages
625
Reaction score
0
We received the same compliance info from our processing company.... still reading thru it. It felt like an advertisement rather than actual got-to-know information.
 

gillumhouse

Moderator
Staff member
Moderator
Supporting Member
Joined
May 22, 2008
Messages
15,520
Reaction score
83
JBanczak said:
Out of curiosity - what webpage did they point you to? Did you verify that this person was actually an employee of your processor/calling from your processor? Have you had high fraud issues lately? Chargebacks? This type of proactive calling seems a little strange. We process cards for over 300 properties and I have not heard of this happening... yet...
My Merchant Services sent me a letter with web site and 800 numbers. When I saw the calculate fee I went spastic and made the phone calls. No one called me. Anyone calling me asking info gets told where to put their socks.
I have never had a chargeback with this company. My only chargeback was probably in 1997 or 1998. I LEARNED from that one. No, as I said, I called them to find out how to answer some of the questions as in who is who. The young men on the other end of my calls were VERY helpful! Pointed me to the freebie forms and after he ascertained that no cc was input to my Webervations system, told me what form to click on. He said the most difficult part of that site was figuring out what form you needed.
 

YellowSocks

Well-known member
Supporting Member
Joined
May 22, 2008
Messages
2,179
Reaction score
13
I have something or another like this. I think. Maybe somewhere in the heap of my desk.
Eventually I may sit down and figure out what the heck it is. I figure if it's really important I'll get a second notice.
I confess... management by procrastination... it has certain advantages.
=)
Kk.
 

Don Draper

Well-known member
Joined
Aug 10, 2008
Messages
2,863
Reaction score
0
We just went through this and there was something with Webervations that had to be changed...I don't remember the specifics but if you call Webervations Drew can help you with it. It's something to do with how the numbers are displayed/stored on the actual Webervations server.
 

swirt

Forum founder. Former Owner.
Joined
May 17, 2008
Messages
3,210
Reaction score
0
I received something in the mail from Payment Alliance International (those who deal with Tom Weiskotten will recognize the name) that indicated a yearly security fee. (can't find the letter at the moment :( )
And just the other day I received a larger folio of information from the same company explaining what is needed and what needs to be done and that there is an online certification process. It also mentioned optional insurance. Haven't gone through it yet, but I will need to. :(
 

agoodman

Well-known member
Joined
Oct 18, 2008
Messages
818
Reaction score
0
Basically it boils down to this, IF a guest has fraudulent use of their card, and IF they find that the card number was compromised because of something you did then there could be an issue. IF the compromise comes from your processor, your bank or your res system, well then you would have to kick it back through them. IF IF IF - try proving the compromise came from your Inn. These directives are very much aimed at internet businesses which are fraudulently selling goods and services. I don't know about you, but when I first applied for processing, and when I was selling cc processing, I had to have evidence of a physical business location, photo of the business etc.
No need to get knickers in a knot, and of course people are going to try and make money off your business "making sure you are compliant"
 

YellowSocks

Well-known member
Supporting Member
Joined
May 22, 2008
Messages
2,179
Reaction score
13
swirt said:
I received something in the mail from Payment Alliance International (those who deal with Tom Weiskotten will recognize the name) that indicated a yearly security fee. (can't find the letter at the moment :( )
And just the other day I received a larger folio of information from the same company explaining what is needed and what needs to be done and that there is an online certification process. It also mentioned optional insurance. Haven't gone through it yet, but I will need to. :(
If you get to yours before I get to mine (extremely likely), would you let me know if I need to dig it out of the pile and deal with it?
Thanks!
=)
Kk.
 

swirt

Forum founder. Former Owner.
Joined
May 17, 2008
Messages
3,210
Reaction score
0
agoodman1963 said:
- try proving the compromise came from your Inn.
That would not be the innkeeper's job. The innkeeper's burden would be to prove that it did NOT come from them, and that is nearly impossible to prove. Proving something did or could happen is far easier than proving something didn't happen. Especially when it comes to data.
 

JBanczak

Well-known member
Joined
Jun 25, 2008
Messages
479
Reaction score
0
I'll email Tom - he does all of our RezOvation Desktop clients now... and usually I would hear from him if they were contacting inns about this. I'll let you know what I find out.
As an inn though, you can be guilty by association. If you are using a processor that has high chargebacks, Visa can enforce that the processor do evals on everyone as well. It is only a matter of time before this gets tighter and tighter. The crooks get smarter and smarter.
 

agoodman

Well-known member
Joined
Oct 18, 2008
Messages
818
Reaction score
0
swirt said:
That would not be the innkeeper's job. The innkeeper's burden would be to prove that it did NOT come from them, and that is nearly impossible to prove. Proving something did or could happen is far easier than proving something didn't happen. Especially when it comes to data.
I will respectfully disagree here, the burden of proof would be on the accuser, not the accused.
 

Morticia

Administrator
Staff member
Administrator
Moderator
Joined
May 22, 2008
Messages
17,274
Reaction score
143
agoodman1963 said:
I will respectfully disagree here, the burden of proof would be on the accuser, not the accused.
I think we've been around on this one, too. Basically, you need to read the documentation from your cc processor. THEY are not responsible for anything that goes wrong. The burden is on the POS, which is any one of us.
 