PCI Certification

Bed & Breakfast / Short Term Rental Host Forum

LOL Swirt - I fired an email off to Intuit the minute I got it from Tom, as I do not like surprises on stuff like CC security. I'll let you know what they say! I did go and find the T&Cs of this insurance policy btw... Makes for good reading. You can find them here: http://www.royalgroupservices.com/PAI/StatementOfDisclosure.pdf.
As I thought - there are a lot of conditions/exclusions... and a LOT of loopholes. For instance - an exclusion is around 3rd party software - so if a 3rd party company is holding a customer cc for you (like MANY do)... and you have an audit - you wouldn't have coverage. If you are storing in any non-approved (PABP or PA-DSS) app - you would pay the insurance and you would not be covered... and guess what - there are only a few certified apps in the world - and they tend to be the mucho dinero systems from Micros.... You also need to show you did a full PCI compliance audit of your property, and that you did it properly... or you would not be covered... including network scans, hardware firewalls, you name it - it is an EXTENSIVE document.
Ultimately properties are going to want to do all of this eventually - but it is not an easy process!
Agoodman - anyone who grabs a cc number, period - whether just a checksum, or full processing - needs to be in compliance. The processing itself is probably the most secure piece of the puzzle.
Yes, I agree that all parties need to be in compliance; however there seemed to be some confusion around the word "processing", which in general refers to the auth of funds and the settlement of funds, as opposed to just the "checksum" that verifies card digits, exp date and maybe ... whether the card has been blacklisted.

I have to go back to the fact that I believe that any companies trying to sell insurance in this regard are just looking for another way to make money. Unless Visa/MC/Amex etc can actually prove that they can hack into your system and steal credit card numbers, the chances of fraudulent charges coming back to you are about NIL. Visa/MC etc have their own insurances to cover this. They do not have the time to look into the small little ops with few chargebacks, they rather just eat the fraudulent charge, reimburse the customer and then recoup that by increasing the interest rates on everyone's cards.
All I am saying here is don't start getting into big panics about this - the PCI requirements started many years ago and basically these letters are saying "you better get your act together (on our parts - make sure your numbers are masked (responsibility of your processor or your res co), don't leave credit card info lying around (your responsibility), don't incl cc numbers in email (your responsibility), don't store CID codes in guest comment areas on res systems (your responsibility), or don't store CID numbers in credit card data fields (your res company's responsibility) ... etc etc) because we as banks / processors / res systems have been told we have to get ours together".
 
For Payment Alliance International (the company a lot of us use indirectly) it sounds as though the insurance and paid compliance fee is not an option. It sounds as it is required to continue using them for credit card processing. What I am not clear on is whether all processors are going to be adding on a mandatory compliance fee. Time will tell on that one I guess.

 
Ho Ho Ho well tell your credit card processor this - there are other processors DYING for our business, that will likely give us lower processing rates since we are new clients, that do not require this, so how about you provide me with this "insurance" just because I am a wonderful customer.
Anyone who has not tried to renegotiate their rates with their processor in the last year, or who is no longer in a contract, should do so.
As someone who used to sell credit card processing (I no longer do), I would be happy to take a look at your statements / rates and see where you can save some money.
If any of you are leasing a machine, do what you can to get out of the contract - many processors now providing these for free or you can do online processing or just have that little (PCI compliant!!) swipe panel on your keyboard.
Anyone new thinking of leasing a machine. One word. DON'T.
 
I am a little confused by some of these posts: your res system - even if you can process credit cards through it - is generally NOT the credit card processing company; most of these places contract with a credit card processor in order to process the credit cards through the banking system.
Now if (like me) you don't process your CC through your res system, but your res system does do the "check sum" (which means it verifies the sequence and makeup of the cc numbers, makes sure the exp date is valid and may or may not check that the card is reported stolen) - the res system company does also need to follow some of the compliance rules.
But if your res company is saying they actually do the processing, I would check on that... and remember, every "other link in the chain" means you are paying higher rates because everyone is taking their little bite along the way.
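To make concrete what the "check sum" in the post above actually does, here is an added example written for this page; it is not code from any reservation system or processor mentioned in the thread. It runs the Luhn mod-10 test on the card number (the "sequence and makeup" check), validates the expiry month, and then masks the number the way the card brands require for display (at most the first six and last four digits), returning a record that deliberately never carries the CID. The card numbers, dates and function names are constructed for the demo; the "visa_test" number is a standard industry test value, not a real account.

```python
# Added example for this thread (not code from any reservation system or
# processor named above): what a "check sum" pass on a card actually does,
# and how the number is masked afterwards so that no full PAN or CID is kept.
from datetime import date

# Constructed inputs: industry test numbers, not real accounts.
TEST_CARDS = {
    "visa_test": "4111 1111 1111 1111",   # passes Luhn
    "typo":      "4111 1111 1111 1112",   # one digit off, fails Luhn
}


def _digits_only(pan: str) -> str:
    """Strip the spaces/dashes people type; anything else is left in so it fails."""
    return pan.replace(" ", "").replace("-", "")


def luhn_valid(pan: str) -> bool:
    """Luhn (mod-10) test on the card number: the 'sequence and makeup' check.
    It catches typos and random digit strings only; it does not say the
    account exists, is open, or has funds (that is the processor's job)."""
    s = _digits_only(pan)
    if not s.isdigit() or not 12 <= len(s) <= 19:
        return False
    total = 0
    for i, ch in enumerate(reversed(s)):
        d = int(ch)
        if i % 2 == 1:           # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def expiry_valid(mm_yy: str, today: date) -> bool:
    """A card is usable through the last day of its expiry month (MM/YY)."""
    try:
        mm, yy = mm_yy.split("/")
        if len(yy) != 2:
            return False
        month, year = int(mm), 2000 + int(yy)
    except ValueError:
        return False
    if not 1 <= month <= 12:
        return False
    first_of_next = date(year + 1, 1, 1) if month == 12 else date(year, month + 1, 1)
    return today < first_of_next


def mask_pan(pan: str) -> str:
    """PCI DSS display masking: show at most the first six and last four digits."""
    s = _digits_only(pan)
    if len(s) <= 10:
        return "*" * len(s)
    return s[:6] + "*" * (len(s) - 10) + s[-4:]


def screen_card(pan: str, expiry: str, cid: str, today: date) -> dict:
    """Run the checks and return the only thing a res system should keep:
    a masked number, the expiry, and the verdict. The CID is consulted for
    its format and deliberately never copied into the returned record."""
    cid_ok = cid.isdigit() and len(cid) in (3, 4)
    passes = luhn_valid(pan) and expiry_valid(expiry, today) and cid_ok
    return {"masked_pan": mask_pan(pan), "expiry": expiry, "passes_checks": passes}


if __name__ == "__main__":
    today = date(2009, 11, 1)        # constructed date for the demo
    for name, pan in TEST_CARDS.items():
        print(name, screen_card(pan, "12/12", "123", today))
```

The point of `screen_card` returning only the masked number is the one the thread keeps circling back to: a "check sum" does not need the full number or the CID to survive past the moment of the check, so nothing in the guest record, comment field or email ever has to contain them.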
I am not getting belligerent or going for anyone's throat. This is just a statement - period - and these quotes highlight what I mean. You are not in this line of work any longer. It would be like me, who has not touched a mainframe or been involved with data processing in 15 years, telling Swirt how to run a computer. (And back in my day, I could make those puppies sing!)
These statements are examples of why I post what I do. I got the letter and I know what it said - I invite anyone who thinks this is BS that cannot be done to us to pay the $19.95 per month they promised to charge me if I was not compliant by Nov 1. I got the letter a couple weeks ago and had procrastinated until I was not too tired to understand what I was reading.
I was not totally unaware of what I was reading because I had gone to the workshop at Gov Conference - but had thought it applied mainly to the big boys! Silly me. They will juice the little guy first because he does not have the $$ nor the power to buck them!
The posts from John B, Tom W, and Swirt should be enough to convince everyone that this is serious crap and make no mistake about it. We WILL get greased somewhere along the way - the only question is by who, how many who, and how much!
Edited to add: one question on the compliance form was about third parties which thankfully I do not have.
 
Umm Gillum House, my reply was not directed at you, it was general info; the fact that I may no longer be in that line of work does not take away from my experience, not only selling the processing but installing the interfaces between the hotel systems and the credit card processors, so I do have a LITTLE experience here LOL
My point is this - we have SO much that consumes our lives as Innkeepers, I am NOT saying ignore this, I am saying don't get in a panic about it.
 
#1 - my disclaimer was that I was not directing at you specifically but yes, I was citing your statements. I do understand you were not aiming at me in particular.
#2 - my point was that although you WERE in the business, things change drastically and quickly. What was last year is in the trash heap this year - new policies and new practices! I had 25 years' experience running mainframes - and was VERY good at what I did - but within 6 months I was chopped liver in the field. Things change.
I do not, and did not, want anyone to sit back and say "I don't have to be concerned with this." We do and if we concern ourselves NOW we will not get bit later. And it just so happens later had arrived for me already!
 
ah, but I did not say DO NOT BE CONCERNED, I said "don't get yer* knickers in a knot" and "don't panic". VERY different kettle of fish!
Us B&B's are open to liability in 100 other ways (sad, but true) which we can be caught on before this ... breathe ... breathe .....breathe, which again I am not saying we should not be concerned about ......
* again not referring to any particular "yer ..."
 
Gillum said:
"got the letter and I know what it said - I invite anyone who thinks this is BS that cannot be done to us to pay the $19.95 per month they promised to charge me if I was not compliant by Nov 1."
Wow - did they say that? Technically it is up to each processor when to enforce this onto Level 4 merchants. You can see this right on the Visa website here: http://usa.visa.com/merchants/risk_management/cisp_merchants.html. The quote is: "Validation requirements and dates are determined by the merchant's acquirer."
I hadn't heard that anyone was going to start charging if you are not compliant. The plot thickens... Who is your processor? I didn't see it in the threads - sorry if I missed it. I have not heard this from PAI, or Intuit. Although - I have noticed that the Visa website (I should be taking screen shots daily - because it changes often) now calls some of the programs the "accelerated" programs...
I know for certain that existing merchants processing before October 1, 2008, do not have to use "PABP or PA-DSS applications" until July of 2010 - which is the date it really hits the fan, and Acquirers MUST ensure everyone is using PA-DSS applications. Right now only new are supposed to. (Which means if you are using an application like a PMS to capture your card in any way at all - it is supposed to be compliant...) You can see that information on the Visa website here: http://usa.visa.com/merchants/risk_management/cisp_payment_applications.html, and I cut and pasted it below:
Phase III - 10/1/08: Newly boarded Level 3 and 4 merchants must be PCI DSS compliant or use PA-DSS-compliant applications*
Phase IV - 10/1/09: VNPs and agents must decertify all vulnerable payment applications**
Phase V - 7/1/10: Acquirers must ensure their merchants, VNPs and agents use only PA compliant applications***
 
I switched to First Data Huntington Merchant Services this Spring. I am with them less than a year and the person I talked to told me I was a level 3 after he checked my Webervations to see there was no cc number inputted! I have been procrastinating with Regions, who is still charging me $5 per month and tells me it is going to cost me $195 to stop doing business with them even though I was out of contract. I have to call them and get another set of cancel forms sent to me. DH did one of his "you know you should..." that lit my fire & ire and I lost them! I do not need to have $195 removed from my account and start bouncing all over the State!
 
I do not believe Level 3 is correct. If you are, then we need to do some re-evaluating here because we tell our properties that they generally are level 4...
I looked at your site - and you are not taking cc's online through anyone. If you are not storing the numbers anywhere on site, and you are using a swiper-style machine only - I do not believe you have to do anything whatsoever. Please don't hold me to that - but it should be up to your acquirer and processor to make sure their machine is safe - that should be it, unless I am missing something here.
What more could you be doing?????
With our properties, and anyone taking them online, using a pc to process, using an online portal to process, storing on a pc, etc. - different story, and there is more to be careful about, but not sure how your processor could stick you with this?
 
I am a little confused by some of these posts. Your res system, even if you can process credit cards through it, is generally NOT the credit card processing company - most of these places contract with a credit card processor in order to process the credit cards through the banking system.
Now if (like me) you don't process your CC through your res system, but your res system does do the "check sum" (which means it verifies the sequence and makeup of the cc numbers, makes sure the exp date is valid, and may or may not check that the card is reported stolen), the res system company does also need to follow some of the compliance rules.
But if your res company is saying they actually do the processing, I would check on that... and remember, every "other link in the chain" means you are paying higher rates because everyone is taking their little bite along the way.
All I am saying here is don't start getting into big panics about this - the PCI requirements started many years ago and basically these letters are saying "you better get your act together, because we as banks / processors / res systems have been told we have to get ours together". On our part that means:
- make sure your numbers are masked (responsibility of your processor or your res co)
- don't leave credit card info lying around (your responsibility)
- don't incl cc numbers in email (your responsibility)
- don't store CID codes in guest comment areas on res systems (your responsibility)
- don't store CID numbers in credit card data fields (your res company's responsibility)
... etc etc
I am a little confused by some of these posts. Your res system, even if you can process credit cards through it, is generally NOT the credit card processing company - most of these places contract with a credit card processor in order to process the credit cards through the banking system.
Now if (like me) you don't process your CC through your res system, but your res system does do the "check sum" (which means it verifies the sequence and makeup of the cc numbers, makes sure the exp date is valid, and may or may not check that the card is reported stolen), the res system company does also need to follow some of the compliance rules.
But if your res company is saying they actually do the processing, I would check on that... and remember, every "other link in the chain" means you are paying higher rates because everyone is taking their little bite along the way.
I am not getting belligerent or going for anyone's throat. This is just a statement - period - and these quotes highlight what I mean. You are not in this line of work any longer. It would be like me, who has not touched a mainframe or been involved with data processing in 15 years, telling Swirt how to run a computer. (And back in my day, I could make those puppies sing!)
These statements are examples of why I post what I do. I got the letter and I know what it said - I invite anyone who thinks this is BS that cannot be done to us to pay the $19.95 per month they promised to charge me if I was not compliant by Nov 1. I got the letter a couple weeks ago and had procrastinated until I was not too tired to understand what I was reading.
I was not totally unaware of what I was reading because I had gone to the workshop at Gov Conference - but had thought it applied mainly to the big boys! Silly me. They will juice the little guy first because he does not have the $$ nor the power to buck them!
The posts from John B, Tom W, and Swirt should be enough to convince everyone that this is serious crap and make no mistake about it. We WILL get greased somewhere along the way - the only question is by who, how many who, and how much!
Edited to add: one question on the compliance form was about third parties which thankfully I do not have.
.
Gillum said:
"got the letter and I know what it said - I invite anyone who thinks this is BS that cannot be done to us to pay the $19.95 per month they promised to charge me if I was not compliant by Nov 1."
Wow - did they say that? Technically it is up to each processor when to enforce this onto Level 4 merchants. You can see this right on the Visa website here: http://usa.visa.com/merchants/risk_management/cisp_merchants.html. The quote is: "Validation requirements and dates are determined by the merchant's acquirer."
I hadn't heard that anyone was going to start charging if you are not compliant. The plot thickens... Who is your processor? I didn't see it in the threads - sorry if I missed it. I have not heard this from PAI, or Intuit. Although - I have noticed that the Visa website (I should be taking screen shots daily - because it changes often) now calls some of the programs the "accelerated" programs...
I know for certain that existing merchants processing before October 1, 2008, do not have to use "PABP or PA-DSS applications" until July of 2010 - which is the date it really hits the fan, and Acquirers MUST ensure everyone is using PA-DSS applications. Right now only new ones are supposed to. (Which means if you are using an application like a PMS to capture your card in any way at all - it is supposed to be compliant...) You can see that information on the Visa website here: http://usa.visa.com/merchants/risk_management/cisp_payment_applications.html, and I cut and pasted it below:
III: Newly boarded Level 3 and 4 merchants must be PCI DSS compliant or use PA-DSS-compliant applications* (10/1/08)
IV: VNPs and agents must decertify all vulnerable payment applications** (10/1/09)
V: Acquirers must ensure their merchants, VNPs and agents use only PA compliant applications*** (7/1/10)
.
I switched to First Data Huntington Merchant Services this Spring. I am with them less than a year and the person I talked to told me I was a level 3 after he checked my Webervations to see there was no cc number inputted! I have been procrastinating with Regions who is still charging me $5 per month and tell me it is going to cost me $195 to stop doing business with them even though I was out of contract. I have to call them and get another set of cancel forms sent to me. DH did one of his "you know you should..." that lit my fire & ire and I lost them! I do not need to have $195 removed from my account and start bouncing all over the State!
.
I do not believe Level 3 is correct. If you are, then we need to do some re-evaluating here because we tell our properties that they generally are level 4...
I looked at your site - and you are not taking cc's online through anyone. If you are not storing the numbers anywhere on site, and you are using a swiper-style machine only - I do not believe you have to do anything whatsoever. Please don't hold me to that - but it should be up to your acquirer and processor to make sure their machine is safe - that should be it, unless I am missing something here.
What more could you be doing?????
With our properties, and anyone taking them online, using a pc to process, using an online portal to process, storing on a pc, etc. - different story, and there is more to be careful about, but not sure how your processor could stick you with this?
.
Me either. Will see what happens now since I sent in the paperwork (certified) and also e-mailed it. Saved copies for me just in case.
 
I think what is happening here is that we need to remember that it depends on how you're processing & storing cc data. I tend to agree that the marketing for this insurance is another layer for someone to make money. Let's sit back and let the dust settle & get the real skinny on this.
 
OK... I'm lost.
There are 51 (now 52) posts on this forum, and I freely confess my eyes glazed over early on.
I use Tom. I got a letter from PAI. I haven't read it.
Should I?
Is the upshot of all this that I'm going to be charged more money per month?
Sorry... I know I'm being lazy.
I have all kinds of unimpressive excuses about why that is the case.
I do know that if I'm this way, then there are dozens of B&B's out there in the same (or worse) condition.
=)
Kk.
 
YS, although the others may disagree with me, I think that is exactly what you should do - WAIT. You are not being lazy, as I mentioned in my previous post, we innkeepers have too much else to spend more time worrying about this, if we deal with reputable companies for cc processing and res, then as long as we are doing the "logical" stuff when it comes to keeping our guest cc info secure then we should be fine (ok let's see the sharks come out teeth bared .....)
 
Had an interesting conversation with a person to be unnamed re this issue. It appears that most, if not all, processors are not compliant and are trying to figure out how to get compliant. Other than processors - like the letter I received - trying to squeeze cash from us right now, it does not look as if WE are going to be "under the gun" for a while. From my past experience legislatively, it is a good idea to start thinking about it now though. Legislation moves slowly but "crack-downs" do not.
I had a "heads up" at the Conference as I have said BUT I left that workshop thinking I had wasted time because it sounded like that was only going to affect the Big Boys. One thing that was brought out (and my source stated his company had just hired someone to do an audit of them, so it is verified) is that the price of an audit will be $20k and up.
 
I'll need to call SuperInn about this, too.
greyswan said:
I'll need to call SuperInn about this, too.
Do tell when you've talked with them.
.
I spoke with SuperInn.... they said if I use SuperInn for processing my cc's that that info would be erased after processing. Because I am only using it as a database, the info is secure. So it is secure, until someone hacks into it, right? Anyone else using SuperInn and what is your process in handling cc info there?
.
Did they say that it "would be" (meaning the system will do it) or that it "should be" (meaning you have to erase it by hand)? The system right now does not expunge this data on its own. You have to do it by hand, which is a pain.
(hmmm I should go resurrect the thread from that other place about our wish lists for availability systems)
.
I heard that the system would do it. At what point do you delete the info if the cc info is in as a data base info?
.
I try to do it after I check them out. (in the evening after the daily batch for the day goes through). The problem is I am sure there are some I've forgotten to delete out and there is no way to search for ones that may have been missed.
The problem is you have to delete it out under "Account" for each transaction (once for deposit, once for final payment if they used a card for each) and you also have to go under "Registration Information" and delete it out from there too. It is a lot of clicks and actions to delete out three of the four fields for the card number (so you keep the last 4 digits), the exp date and the vcode three separate times.
That is one of the features that impresses me with the Rezovation system as you can set it to automatically purge the info at checkout, a certain number of days after checkout, or as soon as the payment is processed.
.
Swirt, you can go to SI under Contacts then Profiles then search by credit card. Just put in 3 to check Amex, 4 to check Visa, 5 to check MC & then 6 for Discover. Scary when you see how many cc #'s you have. Also we can not delete the history which used to have all of the cc digits and not just the last 4.
 
I hate to think that I'll have to go back in to each acct and delete the credit card #s individually.... that will be an all day job!
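The posts above describe three things done by hand: the "check sum" a res system runs on a card number, the search-by-leading-digit trick for finding how many full card numbers are still sitting in the database, and the click-by-click purge that keeps only the last four digits and drops the expiry date and security code. The script below is an added example that does all three over a set of records; it is not SuperInn's, Rezovation's or any vendor's code, and nobody in this thread wrote it. The record layout, field names, the purge policy (drop the full number once the guest has checked out or the card has expired, never keep the security code, always scrub free-text notes) and the sample records are assumptions constructed for the example. The card numbers are published test numbers, not real cards.

```python
# Added example (not SuperInn's, Rezovation's or any vendor's code): record layout,
# field names, purge policy and sample records are assumptions constructed for it.
from __future__ import annotations
import re
from calendar import monthrange
from datetime import date

# Brand by leading digit, as in the "search by credit card" tip (assumption:
# first-digit matching only, no full BIN table).
BRAND_BY_FIRST_DIGIT = {"3": "Amex", "4": "Visa", "5": "MasterCard", "6": "Discover"}
# 13 to 19 digits, optionally split by single spaces or dashes, not inside a longer digit run.
PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")

def luhn_ok(digits: str) -> bool:
    """The mod-10 'check sum' a res system runs on a card number."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2:  # every second digit from the right is doubled
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def brand(pan: str) -> str:
    return BRAND_BY_FIRST_DIGIT.get(pan[:1], "unknown")

def mask_pan(pan: str) -> str:
    """Keep only the last four digits, which is all the innkeeper needs."""
    return "*" * (len(pan) - 4) + pan[-4:]

def is_expired(exp_mmyy: str, as_of: date) -> bool:
    """A card is good through the last day of its MM/YY expiry month."""
    mm, yy = exp_mmyy.split("/")
    year, month = 2000 + int(yy), int(mm)
    return date(year, month, monthrange(year, month)[1]) < as_of

def scrub_text(text: str) -> tuple[str, int]:
    """Mask Luhn-valid card numbers typed into free text (notes, e-mail); return (text, count).
    Digit runs that fail Luhn (confirmation numbers etc.) are left alone."""
    count = 0
    def repl(m: re.Match) -> str:
        nonlocal count
        digits = re.sub(r"[ -]", "", m.group())
        if not luhn_ok(digits):
            return m.group()
        count += 1
        return mask_pan(digits)
    return PAN_CANDIDATE.sub(repl, text), count

def purge_record(rec: dict, as_of: date) -> tuple[dict, list[str]]:
    """Cleaned copy of one record plus the actions taken. Policy (assumption):
    the security code is never kept; the full number and expiry go once the guest
    has checked out or the card has expired; notes are always scrubbed."""
    out, actions = dict(rec), []
    if out.get("cvv"):
        out["cvv"] = ""
        actions.append("dropped cvv")
    out["notes"], n = scrub_text(out.get("notes", ""))
    if n:
        actions.append(f"masked {n} pan(s) in notes")
    pan = out.get("pan", "")
    if pan.isdigit() and not luhn_ok(pan):
        actions.append("pan field fails luhn check; probably mis-keyed")
    elif pan.isdigit():
        reason = ("checked out" if out["checkout"] <= as_of
                  else "card expired" if is_expired(out["exp"], as_of) else None)
        if reason:
            out["pan"], out["exp"] = mask_pan(pan), ""
            actions.append(f"masked {brand(pan)} pan ({reason})")
    return out, actions

def inventory(records: list[dict]) -> dict[str, int]:
    """What the search-by-first-digit trick shows: live full card numbers per brand."""
    counts: dict[str, int] = {}
    for rec in records:
        if rec.get("pan", "").isdigit():
            counts[brand(rec["pan"])] = counts.get(brand(rec["pan"]), 0) + 1
    return counts

# Constructed sample records; the numbers are published test numbers, not real cards.
SAMPLE_RECORDS = [
    {"guest": "A", "pan": "4111111111111111", "exp": "11/09", "cvv": "123",
     "notes": "late arrival", "checkout": date(2008, 10, 12)},
    {"guest": "B", "pan": "378282246310005", "exp": "03/10", "cvv": "",
     "notes": "", "checkout": date(2009, 6, 2)},
    {"guest": "C", "pan": "5555555555554444", "exp": "01/08", "cvv": "",
     "notes": "conf 1234567890123456", "checkout": date(2009, 12, 20)},
    {"guest": "D", "pan": "", "exp": "", "cvv": "",
     "notes": "guest gave 6011 1111 1111 1117 exp 05/11 by phone", "checkout": date(2009, 5, 1)},
]
AS_OF = date(2009, 1, 15)  # the "today" the purge runs against

if __name__ == "__main__":
    print("before:", inventory(SAMPLE_RECORDS))
    cleaned = [purge_record(r, AS_OF) for r in SAMPLE_RECORDS]
    for rec, actions in cleaned:
        print(rec["guest"], rec["pan"] or "-", rec["notes"], actions)
    print("after:", inventory([r for r, _ in cleaned]))
```

Two details are deliberate. The Luhn check is applied before anything is masked, so a confirmation number that happens to be 16 digits (record C's notes) is left alone while a real card number typed into a note (record D) is caught; searching by first digit alone, as in the SI tip, cannot tell those apart. And an expired card (record C) is masked just like a checked-out one: it is useless to the inn but it is still cardholder data if the database is ever copied.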
 
Thanks Landmark. That's an interesting undocumented Easter Egg. And yes, the data stuck there is a bit scary and overwhelming.
.
swirt said:
Thanks Landmark. That's an interesting undocumented Easter Egg. And yes, the data stuck there is a bit scary and overwhelming.
I checked a few of those. Most of them are expired cards, as in the expiry date is out of date.
 
.
I have entered a made-up good expiration on an expired card many times if the card had an expired date on it. Most of the time it works, but not every time.
 