Pulse Legacy Archive, January / February 2011 | Page 20

VOICES

PCI Compliance: What Is It and Why Should I Care?

FRANK PITSIKALIS
Frank Pitsikalis is founder and CEO of ResortSuite, a guest-focused hospitality management system. He has over 20 years of experience in hospitality and has worked at top international consulting firms such as Ernst & Young. He also devotes time to serving on the executive committee of the board of ISPA and is a past board member of the Leading Spas of Canada. He was a contributing author of ISPA's resource tools, including Retail Management for Spas, SPA: A Comprehensive Introduction, and the recently released Financial Management for Spas. He can be reached at frank@resortsuite.com.

Brewing up ideas? Taking a stand on an issue? Start the conversation. We would love to hear from you. Send in your Voices contribution to mae.manacap-johnson@ispastaff.com.

FULL DISCLOSURE: I am the CEO of a software company that provides point-of-sale and payment applications to the hospitality industry. This article was written at the request of spa peers to provide some clarification about what the Payment Card Industry (PCI) is, why we should care, and what security steps we should take.

WHAT IS PCI COMPLIANCE?

As a spa business that accepts credit card payments from customers, it can seem rather daunting to ensure you are taking the appropriate steps to safeguard that information from fraudulent use. The PCI Security Standards Council was formed by the major payment card companies to provide stewardship of the PCI-DSS (Data Security Standard), which helps merchants protect customer payment card data. As a business operator, you are considered the merchant in this equation, and as the merchant you have the ultimate responsibility for ensuring your systems and SOPs (standard operating procedures) are PCI compliant. There is fundamentally one question you need to ask your software provider: Do you have a PA-DSS validated application, or are you a PCI Level 1 Service Provider?
When a payment card data breach occurs, it may be many weeks or months before the merchant is even aware that they have had a breach and that their customers' card data is in the possession of criminals. Even if a merchant wanted to cover up a known breach, their efforts would be futile. The payment card companies have very sophisticated tools that determine, as stolen cards are used and detected, which merchant was the original CPP (Common Point of Purchase) where the breach occurred. In simple terms, if 100 completely unrelated cards were used fraudulently and had all been used at the same business at one time or another, that business would be flagged as the CPP and the likely source of the data breach.

(Continued on page 20)

18 PULSE ■ December 2010
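The Common Point of Purchase reasoning described above, as an added illustration that is not from the article and is not the card networks' actual tooling: the card and merchant names are constructed sample data, and the ranking function goes one step beyond the article's rule by comparing each merchant's share of compromised cards against its share of clean cards, so a merchant that nearly every cardholder uses anyway is not mistaken for the breach source.

```python
from collections import Counter

# Constructed sample data, not from the article: (card, merchant) purchase-history
# pairs, plus the cards that were later reported as used fraudulently.
TRANSACTIONS = [
    ("card-001", "Cedar Spa"), ("card-001", "Grocery Mart"), ("card-001", "Fuel Stop"),
    ("card-002", "Cedar Spa"), ("card-002", "Grocery Mart"),
    ("card-003", "Cedar Spa"), ("card-003", "Bookshop"),
    ("card-004", "Grocery Mart"), ("card-004", "Fuel Stop"),
    ("card-005", "Grocery Mart"), ("card-005", "Bookshop"),
    ("card-006", "Cedar Spa"), ("card-006", "Grocery Mart"), ("card-006", "Fuel Stop"),
    ("card-007", "Grocery Mart"),
]
FRAUD_CARDS = {"card-001", "card-002", "card-003", "card-006"}

def merchants_by_card(transactions):
    """Map each card to the set of merchants where it was ever used."""
    by_card = {}
    for card, merchant in transactions:
        by_card.setdefault(card, set()).add(merchant)
    return by_card

def common_to_all(transactions, fraud_cards):
    """The article's literal rule: merchants at which every compromised card was used."""
    by_card = merchants_by_card(transactions)
    histories = [by_card[c] for c in fraud_cards if c in by_card]
    return set.intersection(*histories) if histories else set()

def rank_common_points(transactions, fraud_cards):
    """Rank candidate CPPs by (share of compromised cards seen at the merchant) minus
    (share of clean cards seen there), so an everyday merchant does not outrank the real CPP."""
    by_card = merchants_by_card(transactions)
    fraud_hits, clean_hits = Counter(), Counter()
    n_fraud = n_clean = 0
    for card, merchants in by_card.items():
        if card in fraud_cards:
            n_fraud += 1
            fraud_hits.update(merchants)
        else:
            n_clean += 1
            clean_hits.update(merchants)
    scores = []
    for merchant in set(fraud_hits) | set(clean_hits):
        fraud_share = fraud_hits[merchant] / n_fraud if n_fraud else 0.0
        clean_share = clean_hits[merchant] / n_clean if n_clean else 0.0
        scores.append((merchant, fraud_hits[merchant], round(fraud_share - clean_share, 3)))
    scores.sort(key=lambda s: (-s[2], -s[1], s[0]))  # best-explaining merchant first
    return scores

if __name__ == "__main__":
    for merchant, hits, lift in rank_common_points(TRANSACTIONS, FRAUD_CARDS):
        print(f"{merchant:13s} compromised cards seen: {hits}  lift: {lift:+.3f}")
```

On this sample, Grocery Mart appears in three of the four compromised cards' histories, yet ranks last because every clean card used it too; Cedar Spa is the only merchant common to all compromised cards and none of the clean ones.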