
Hotel Payment Security: What counts as a PCI violation?


The Payment Card Industry Data Security Standard (PCI DSS) is a detailed set of security requirements that businesses handling payment card data must follow. It was established by the Payment Card Industry Security Standards Council (PCI SSC), an alliance of the five major credit card companies: Visa, MasterCard, American Express, Discover, and JCB.

These guidelines ensure that a minimum set of security requirements is met to protect cardholder data while accommodating emerging payment methods. If your hotel accepts, stores, processes, or transmits cardholder data – regardless of transaction amount or volume – you’re expected to comply with PCI DSS.

We’re sharing some common ways you could be in violation and which ones a vendor like Sertifi can help you address.

| Violation | Hotel Responsibility | Vendor Responsibility |
|---|---|---|
| Storing Sensitive Cardholder Data: Storing unencrypted or improperly secured cardholder data in electronic or physical form is a violation; unsecured paper authorization forms, for example, could put you in violation. Additionally, storing card verification codes (CVV/CVC), full magnetic stripe data, or PINs is prohibited. | X | X |
| Inadequate Access Controls: Failing to restrict access to cardholder data according to the principle of least privilege, or neglecting to revoke access when it is no longer needed. | X | X |
| Missing or Incomplete Security Policies: PCI DSS requires the development and implementation of comprehensive security policies and procedures. | X (though vendors can help offload some risk) | |
| Lack of Network Security: Inadequate network security measures, such as weak encryption, unsecured wireless networks, or failure to implement firewalls. | X | |
| Weak or Default Passwords: Failure to enforce strong, unique passwords for employee system access, or the use of default or easily guessable passwords. | X | |
| Lack of Security Awareness Training: Employees who handle payment card data should receive regular security awareness training so they understand the importance of PCI compliance and best practices for data protection. | X | |
| Compromised Systems or Data Breaches: This one goes without saying, but if an organization experiences a data breach or security incident resulting in unauthorized access to cardholder data, you’re in violation. | X | X |
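As an added example (not Sertifi's code or anything from this page), the following Python pre-storage check applies the first row's rule on the hotel side: it rejects records that still carry sensitive authentication data (CVV, track data, PIN) and flags a full card number pasted into free text, as happens when paper authorization forms are typed into a property system. The field names and the sample record are assumptions, not a standard layout.

```python
import re

# Sensitive authentication data that PCI DSS forbids storing after authorization.
# Field names are assumptions about the record layout, not something the standard defines.
PROHIBITED_FIELDS = {"cvv", "cvc", "cvv2", "cid", "track1", "track2", "pin", "pin_block"}

# Candidate PAN: 13 to 19 digits, optionally separated by spaces or dashes.
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")

def luhn_ok(digits: str) -> bool:
    """Luhn checksum; filters plain digit runs such as phone numbers or folio ids."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def find_pans(text: str) -> list[str]:
    """Return digit-only PAN candidates in free text that pass the Luhn check."""
    found = []
    for m in PAN_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if luhn_ok(digits):
            found.append(digits)
    return found

def storage_violations(record: dict) -> list[str]:
    """List reasons a record must not be stored as-is; an empty list means it may be."""
    problems = []
    for key, value in record.items():
        if key.lower() in PROHIBITED_FIELDS and value not in (None, ""):
            problems.append(f"prohibited field stored: {key}")
        elif isinstance(value, str):
            for pan in find_pans(value):
                # Report only the last four digits so the check itself does not leak the PAN.
                problems.append(f"unmasked PAN in field {key}: ...{pan[-4:]}")
    return problems

# Constructed sample: a digitised authorization form with a CVV and a full PAN in the notes.
SAMPLE = {
    "guest": "J. Doe",
    "folio": "2024-001234",
    "cvv": "123",
    "notes": "Card on file 4111 1111 1111 1111 for incidentals",
    "pan_masked": "411111******1111",
}

print(storage_violations(SAMPLE))
```

A record that passes (no prohibited fields, only a masked PAN) returns an empty list; anything else should be rejected before it reaches a database, a document store, or a shared drive.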

Sertifi is PCI Level 1 compliant and SOC 1 & SOC 2 Type 2 certified. To learn more, visit our security and compliance page.

About the author

Amy King

Amy King is the director of brand and content marketing at Sertifi. In collaboration with teams across and outside of Sertifi, she guides brand and creative marketing, content strategy, public relations, and community engagement.