PCI COMPLIANCE WITH PROTEL
PCI is a credit card data security standard developed by the major credit card companies. The current version of the standard (1.1 | 2008) specifies twelve requirements for compliance. A company processing, storing, or transmitting payment card data must validate their PCI compliance periodically or risk losing their ability to process credit card payments and being audited and/or fined.
This document describes how protel can facilitate PCI Compliance in your hotel:
- Call for action: credit card security in the hospitality industry
- Preliminary strategic considerations
- PCI Compliance with protel: REQUIREMENTS
- Activate the PCI Compliance mode in protel SD
- Prevent the storing of new credit card data - delete legacy CC data
- protel without PCI mode: the reservation dialog
- protel without PCI mode: the guest profile
- protel in PCI mode
- Control the access to legacy credit card data
- Control the access to credit card data via user rights
- How to manage the access rights
- Controlling of access via log files
- Disclaimer of liability
Call for action: credit card security in the hospitality industry
Depending on the quantity of credit card transactions processed in your hotel, you are obliged to adopt more or less complex measures to ensure credit card security. These can extend from an optional completion of a questionnaire to a comprehensive "SecurityScan" of the entire company.
Whether many of these additional measures are reasonable is certainly open to debate, but that does not change the fact that considerable fines are imposed when data is lost or misused as a result of disregarding one of the twelve PCI specifications.
For more detailed information read our PCI Whitepaper. You can also download these instructions on how to set up PCI in protel.
Preliminary strategic considerations
The chief principle of data protection is at the same time its simplest solution: The less data you save, the less data you need to protect. With regard to credit cards this means:
- Confidential identification data (data of the magnetic stripe and the security number) must not be stored at all.
- Storing cardholder data (PAN, name of the cardholder and expiry date) is permitted on condition that no unauthorized access is possible.
Against this background it is advisable to make some strategic considerations about the handling of credit card data in your hotel:
- Which CC data has to be stored?
- Who needs to be able to input or read CC data?
- Who must be able to edit CC data?
- How long must CC data necessarily be stored?
Accordingly, the PCI settings in protel should ensure, as restrictively as possible, that
- as little CC data as possible is stored.
- the input of new CC data is controlled.
- every access to stored CC data is controlled.
- CC data is deleted as soon as possible.
PCI Compliance with protel: REQUIREMENTS
The protel hotel management systems provide you with several functions that help you adhere to central specifications of the twelve PCI guidelines.
We describe the most important settings below.
To make the settings described below you need
- protel version 12.167 (or higher). If an update should be necessary, your protel support team will assist you.
- access to protel SD (system data).
- user right 000 "SD User Administration"
Activate the PCI Compliance mode in protel SD
Open protel SD. Open the dialog "PCI Compliance" via menu Bookkeeping | Settings | PCI Compliance. Activate the PCI Compliance mode by ticking the checkbox. Specify how many days after check-out the credit card data is to be deleted from the reservation. Confirm by clicking [OK]. A click on the button [Information] takes you to this page of the protel website.
protel without PCI mode: the reservation dialog
If the PCI mode is not activated, credit card information can be entered and edited in the reservation dialog. It can also be transferred to / from a guest profile.
To do that, open the additional dialog "Reservation additional information" by clicking the button [CC]. Enter the type of card, the card number, the validity date and the name of the card holder.
The data can optionally be transferred to the guest profile, or adopted from there if it was already saved there in earlier reservations.
protel in PCI mode
If PCI mode is activated, credit card data entered in the reservation dialog will be stored for the duration of the reservation.
A certain number of days after check-out it will be deleted automatically. (The number of days is defined in the PCI Compliance dialog, see above.)
In the guest profile, no credit card data can be entered or viewed at all.
Restrict the access to legacy credit card data
Credit card data that was saved in guest profiles in the "pre-PCI-time" will at first remain unaffected by the PCI mode! CC data will not be displayed in the guest profile any longer but you can still transfer such data to the reservation dialog by pressing the button "Copy from profile" (see picture above).
The following chapter on user rights explains how you can control access to such legacy data.
If you prefer to part with such legacy data all at once, select the function "Delete CC data from all profiles".
Manage the access to credit card data via user rights
Via the protel user administration you can manage and control precisely who can access the sensitive credit card data at all - and what he or she may do with it. We recommend granting limited access to a minimum of people: only those who actually HAVE to work with credit cards (e.g. not housekeeping staff) should be allowed access.
| Right | Name of the right | Effect / Recommendation |
| --- | --- | --- |
| 370 | FO reservation Read CC from profile | Controls the view of credit card data in the guest profile (register card "Pers. Data"). |
| 371 | FO reservation Write CC to profile | Controls the transmission of credit card data from the reservation dialog ([CC]: Reservation additional information) to the guest profile (register card "Pers. Data"). This right should be denied to all users. |
| 373 | FO reservation Show CC number | Controls the view of the credit card number in the reservation dialog ([CC]: Reservation additional information). NOTE: Even WITHOUT this right the number of the guest profile can be seen and handled. This right should be denied to all users. |
| 822 | FO Credit cards | Controls the access to the reservation additional information from the reservation dialog (via button [CC]): Only those users who actually have to work with CC data should be granted access. |
Define the access rights for each user group
Open protel SD. Via menu "Manager" | "User administration" open the dialog "User administration". On the left hand side of the dialog choose the user group, whose rights you wish to edit. Click the button [Authorities].
In the dialog "Group rights for ..." scroll through the list of "permitted features" on the left hand side. Mark the rights you are going to withdraw (keep [ctrl] key pressed to mark several rights simultaneously). Click the button [prohibit] to transfer the selected rights to the list of "prohibited features" (on the right hand side). Confirm by clicking [OK].
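Once the group rights are set, the recommendations in the rights table can be checked against a list of what each group is still permitted. The following is an added example, not protel code: the "group,right" CSV layout, the sample rows and the `audit_rights` helper are assumptions made for illustration, and right 370 is checked under the general minimum-access recommendation because the table gives no specific one for it.

```python
import csv
import io

# Rights from the table above, grouped by the page's recommendation.
DENY_ALL = {"371": "FO reservation Write CC to profile",
            "373": "FO reservation Show CC number"}
# Only groups that actually work with credit cards should hold these.
NEED_TO_KNOW = {"370": "FO reservation Read CC from profile",
                "822": "FO Credit cards"}

# Constructed sample: one row per permitted right of a user group.
# This CSV layout is an assumption, not a protel export format.
SAMPLE_EXPORT = """group,right
Front Office,822
Front Office,370
Housekeeping,822
Night Audit,373
Reservations,822
Reservations,371
Management,000
"""

def audit_rights(export_text, cc_groups):
    """Return sorted (group, right, finding) tuples for rights that break the policy."""
    findings = []
    for row in csv.DictReader(io.StringIO(export_text)):
        group, right = row["group"].strip(), row["right"].strip()
        if right in DENY_ALL:
            findings.append((group, right, "should be denied to all users"))
        elif right in NEED_TO_KNOW and group not in cc_groups:
            findings.append((group, right, "group does not work with CC data"))
    return sorted(findings)

if __name__ == "__main__":
    # cc_groups: the groups the hotel has decided must handle CC data.
    for group, right, finding in audit_rights(SAMPLE_EXPORT,
                                              {"Front Office", "Reservations"}):
        name = DENY_ALL.get(right) or NEED_TO_KNOW[right]
        print(f"{group}: right {right} ({name}): {finding}")
```
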
Control access by log files
Each access is automatically logged and recorded by protel. These event protocols can be reviewed at any time and provide detailed information about who performed which operations in protel.
This log-function is always activated; it cannot be deactivated.
You can find the various reports in protel FO | Office Reporting ("All reports sorted by name") | action protocol [action].
Disclaimer of liability
In preparation of this document, every effort has been made to offer the most current, correct, and clearly expressed information possible. Nevertheless, inadvertent errors in information may occur. In particular but without limiting anything here, protel hotelsoftware GmbH disclaims any responsibility for typographical errors and accuracy of the information that may be contained in this document.
We do not accept any liability for the actuality, correctness, completeness or quality of the provided information; errors and omissions excepted. We are not liable for any damages of conceptual or material type caused by the use and/or application of any information given unless there is evidence of wilful intent or gross negligence on our part.
We reserve the right to change or improve parts of the instruction or of the entire document without separate announcement of changing, completing or deleting.













