PCI DSS Compliance/Certification

Bed & Breakfast / Short Term Rental Host Forum


JBloggs

Is there anyone who can explain this in simple terms?
I have 10 pages of information and fines/fees and deadlines being threatened if I don't do these scans etc by the end of Jan to be compliant.
Info and videos on this were sent from our cc merchant account:
https://www.trustwave.com/level4pci/
 
I think the first thing to do is narrow down which category you are in, if you haven't done that already. That tells you what all you have to do to be compliant.
If you store no guest credit card data on your computer that's a big plus. If you don't run credit cards through your computer that's another big plus. If your credit card processing machine is not internet-enabled another big plus.
Not sure what you really need to know at this point. Don't know how much you have done/not done.
 
Do you have an online form to fill out or paper? Are these the questions they are asking you to validate?
  1. Install and maintain a firewall configuration to protect data
  2. Do not use vendor-supplied defaults for system passwords and other security parameters
  3. Protect stored data
  4. Encrypt transmission of cardholder data and sensitive information across public networks
  5. Use and regularly update anti-virus software
  6. Develop and maintain secure systems and applications
  7. Restrict access to data by business need-to-know
  8. Assign a unique ID to each person with computer access
  9. Restrict physical access to cardholder data
  10. Track and monitor all access to network resources and cardholder data
  11. Regularly test security systems and processes
  12. Maintain a policy that addresses information security

  1. More than likely you have some sort of firewall on your computer.
  2. You've changed the passwords on your booking software
  3. You password protect and/or encrypt or lock up any guest credit card info either on your computer or in a filing cabinet (better to not have it on your computer anywhere)
  4. If you use a card swipe that is not attached to the internet this one is covered already
  5. I'm sure you update your AV!
  6. This one is amorphous, but if it is just you working with cc data you should be sure no one else can get to it
  7. Ditto #6
  8. Ditto
  9. That's #3 again with paper copies
  10. If guest data is on your computer, you'll need to know who is accessing your WiFi network
  11. Try to access guest data on your computer via another computer on your network
  12. Write something up that says what you are doing to protect data
 
Sorry if none of that helped. Point me to a specific page or question and I'll try to be more succinct.
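The point above about not keeping guest card numbers on your computer (requirement 3 in the list) is easier to act on if you can actually find where they ended up. The script below is an added example, not code from this forum, from Trustwave, or from any PCI tool; it walks a folder of plain-text files (text, CSV, log), looks for 13 to 19 digit runs with optional spaces or dashes, keeps only those that pass the Luhn check that real card numbers satisfy, and reports each hit with the number masked so the report itself does not become another copy of the data. The sample files it scans are constructed inline, and the file types it reads are an assumption (spreadsheets and PDFs would need a different reader).

```python
from __future__ import annotations

import re
import tempfile
from pathlib import Path

# 13 to 19 digits, optionally separated by single spaces or dashes,
# not glued to other digits on either side.
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_ok(digits: str) -> bool:
    """Luhn mod-10 check: every second digit from the right is doubled."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_pans(text: str) -> list[str]:
    """Return the digit-only form of every Luhn-valid card-like number in text."""
    hits = []
    for m in PAN_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            hits.append(digits)
    return hits


def mask(pan: str) -> str:
    """Keep first six and last four digits, the usual masked display form."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def scan_tree(root: str, suffixes=(".txt", ".csv", ".log")) -> list[tuple[str, str]]:
    """Scan text-like files under root; return sorted (relative path, masked PAN) pairs."""
    findings = []
    for p in Path(root).rglob("*"):
        if not (p.is_file() and p.suffix.lower() in suffixes):
            continue
        try:
            text = p.read_text(errors="replace")
        except OSError:
            continue  # unreadable file: skip rather than abort the whole scan
        for pan in find_pans(text):
            findings.append((str(p.relative_to(root)), mask(pan)))
    return sorted(findings)


def demo_scan() -> list[tuple[str, str]]:
    """Build a constructed sample folder and scan it. Card numbers are well-known
    test numbers, not real accounts."""
    root = tempfile.mkdtemp()
    # Constructed sample data: one real-looking card per file, plus decoys that
    # must NOT be reported (a phone number, an order id, a non-Luhn digit run).
    (Path(root) / "guests.csv").write_text(
        "name,phone,note\n"
        "A. Smith,555-0100,paid by card 4111 1111 1111 1111 exp 12/25\n"
        "B. Jones,555-0101,order 1234 5678 9012 3456\n"
    )
    (Path(root) / "notes.txt").write_text(
        "Visa on file: 4242-4242-4242-4242\n"
        "Confirmation 4111111111111112 (not a card)\n"
    )
    return scan_tree(root)


if __name__ == "__main__":
    for path, masked in demo_scan():
        print(f"{path}: {masked}")
```

Run it as-is and it reports one masked hit in each sample file while ignoring the phone number, the order id and the digit run that fails Luhn. Pointed at your own documents folder, a non-empty result is the list of places you need to clean up (or shred, for the paper equivalent) before you fill in the self-assessment.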
 
Thanks, I am working on a scan right now through that trustwave, I have to provide that to the cc merchant.
Step1) Card acceptance and storage...
oh yeah I save everyone's credit card to a cd. DOH!
I hope I can just pass and not pay high fees! Pathetic, glad I don't do internet sales.
 
Basically COVER YER ASS, keep cc info secure etc. The PCI rules were designed for big business and if we had to do everything they want we would all be out of business
Basically someone would have to prove that YOU were the breach if someone reported their cc had been compromised. Trust me if someone wants cc numbers, they will be able to get them no matter what is in place and we have seen this time and again. CC companies are just covering their own asses so we just have to do the same, but don't get yer knickers in a knot about it.
 
Thanks, I am working on a scan right now through that trustwave, I have to provide that to the cc merchant.
Step1) Card acceptance and storage...
oh yeah I save everyone's credit card to a cd. DOH!
I hope I can just pass and not pay high fees! Pathetic, glad I don't do internet sales.
So it scans your computer? Is that how it works? I think we just had to do a self-survey. Internet sales is a big one. Everybody stores your info if you set up an account.
 
gillumhouse said:
I have a (I think) 2-page form I fill out stating I do not take cc info on the Internet. That is one reason I do not do cc with my online rez. I have to get OFF my computer to use the cc swiper so I hope I have covered my butt. I fill it out and then send it registered - return receipt so I have proof they received it. Costs a bundle, but so far, so good.
The first year, I called the number I was given for questions and the guy finally was able to determine which form I needed although he did not believe me about the online cc info. So I told him - go to my website and make a reservation right now. I will delete it afterward. That was how I convinced him I did not take cc numbers. I saved the form and will just print it out again this year. I will NOT go online and do it because in the fine print it stated it was a third party and off-shore company and I had to click I agree to I have no idea what before I could continue. I will pay the postage.
But K you don't take cc numbers on your computer? Your website is not set up to accept payments of any credit card numbers, webervations or reznexxus is a third party, not you.
If you took that information and kept it in an excel file or printed the cc info up on a sheet of paper, then you are storing it.
 
Alibi Ike said:
So it scans your computer? Is that how it works? I think we just had to do a self-survey. Internet sales is a big one. Everybody stores your info if you set up an account.
yes the survey, then the scan afterward to send to the merchant provider. We don't process any payments online or via the internet, it is a swipe via our phone line from this terminal, it is not attached to any network. Our internet is via cable.
 
I am not set up to enter cc numbers on RezKey by my request. I call to get the number. I write it on the rez card but can cut it off after the rez and put it through the shredder - I now put the cc # on the last line of the card. It does not go into my computer in any way nor anywhere.
 
WE are not responsible regarding cc security in our res systems, the res system co's are responsible for that ......
 
agoodman said:
WE are not responsible regarding cc security in our res systems, the res system co's are responsible for that ......
Well yes BUT - we are responsible as it is only due to wanting to do business with us that they are using the system through our websites. And the guest has no idea what system we are using. If the CC was compromised they would go after the B&B as well as the res. system.
 
When processing charges through QB......my system has to log into the QB site....there the cc info is stored...
Part of their compliance through me is that I have to change password every 30 days.
So far.....I have not received anything regarding compliance since going with QB
That's been my experience
 
Joey, have you determined which level of compliance you have to achieve? There are four PCI DSS compliance levels. The level of compliance you have to meet is based on the number of transactions your company performs each year. Once you figure out the level of PCI DSS compliance you need to achieve you can take the next steps, as they are different depending on the level you are at. Here is a PCI compliance guide that may help you figure out what is required of you to meet the requirements.
 
Edited to Add: It is 13 pages of form and instructions. I do not take cc# online and a company I have been too intimidated to cancel just took an extra $25 for non-compliance. I guess I will not be intimidated or lazy come Monday. They told me they were going to take $295 cancellation fee IF I canceled them - it was easier to just give them the $60 per year @ $5 per than risk bouncing checks. I have not used them in at least 3 years but I have to do PCI? I will be sending the completed form to my current processor Monday. Snow today and my post office has weird hours now.
 