Hotel Payments Series
02: The “Alphabet Soup” of Data Privacy Legislation
In support of Data Privacy Week, we’re serving “alphabet soup” in this installment of our payment processing series. Keeping up with data privacy legislation can be tricky enough, but with each new law and regulation, we also gain a new acronym to remember. While a bit rudimentary for many merchants by now, these regulations play an important role in our journey and help us set the stage for the more in-depth discussions to come, so let’s grab a spoon and dig into our first course.
A slew of major data breaches in the early 2000s, followed by a hodgepodge of state regulations created in response, prompted the five major credit card brands – Visa, MasterCard, American Express, Discover, and JCB – to come together and self-regulate before the federal government stepped in for them. And so, the Payment Card Industry Security Standards Council was born.
In 2006, the council gave us the first Payment Card Industry Data Security Standard (PCI DSS). This first iteration, colloquially called the “Dirty Dozen,” was finally a cohesive set of regulations for businesses handling payment card data to follow. The guidelines ensure that a minimum set of security requirements is met to protect cardholder data and to accommodate emerging payment methods.
The jury is still out on how effective it was at stopping breaches in its early years, but the DSS has evolved into a powerful set of rules for protecting cardholder data. It has likely been a key driver of innovations like tokenization and point-to-point encryption, and it has undoubtedly been the enforcer of progressively stronger encryption standards. While rigorous to comply with, it’s hard to argue against its effectiveness over the years.
For recommendations on ways to mitigate data breaches, check out our hotel PCI guide.
Have you noticed that cookie and acceptable use policies pop up on nearly every website you visit these days? That’s GDPR at work.
The General Data Protection Regulation (GDPR), approved by the European Parliament in 2016 and effective in 2018, unified data privacy laws across the European Union (EU). The GDPR aims to ensure that businesses collect, use, and store data responsibly and remain transparent about how that data is used, and it requires companies to purge the data of anyone who asks from their data stores. GDPR applies to all data produced by EU citizens, regardless of where the company collecting the data is located, as well as to all people whose data is stored within the EU, regardless of whether the person is an EU citizen.
GDPR is even more complex than PCI. Are you a data controller? Data processor? Where do your vendors and third-party partners fall? Where do you end and they begin? This is just the start of questions to ask yourself.
To learn more, visit gdpr.eu – and if you deal with a lot of personal data, we also recommend working with an attorney to ensure you’re not stepping out of bounds. The good news is that GDPR is so strict that complying with it likely means you’re covered for even the most stringent global requirements.
The Payment Service Providers Directive (PSD) is a European regulation for electronic payment services, aimed at helping businesses collect payment information more securely. PSD was first introduced in 2007 and has since evolved to PSD2, which now covers more recent services.
Let’s cut through the jargon and get straight to the chase: for hotels, it means you need to institute two-factor authentication for card-not-present transactions. There is no single prescribed method for accomplishing this, but for most hotels it means implementing 3-D Secure (3DS) authentication. For the cardholder, that usually means an on-screen prompt plus a code sent to their phone when checking out at participating merchants.
My U.S. colleagues likely remember the failed experiment back in 2001 that was the progenitor of 3DS. As cardholders, we were expected to create a password for our cards, and a pop-up would then prompt us for it when checking out. The rollout was so slow that everyone forgot their password, and pop-up blockers prevented the prompt from appearing most of the time. The process is far better today and works reliably in India, the U.K., the EEA, and Australia, where it has been mandated. It can even be used in the U.S. with supporting gateways and processors.
When used properly, 3DS can certainly prevent chargebacks, shifting the liability to the issuer. And with growing support globally, I’m confident it will continue to evolve and improve. However, it’s still relatively new, and there’s opportunity for brands to build more awareness of it in the U.S., so it can be easy to run into issues if you’re unfamiliar with it. Users have also reported issues when using corporate cards where the phone number on the account belongs to someone at the corporate office (not the cardholder).
I've also heard that manually keyed transactions at the front desk that don’t have 3DS data are being declined by some issuers. I’d love to hear from you if you’ve experienced this at your hotels.
Visa has great resources that go deeper on PSD2. Check them out here.
The California Consumer Privacy Act of 2018 (CCPA) aims to ensure privacy rights for California consumers. Per the CCPA website, this includes:
- The right to know about the personal information a business collects about them and how it is used and shared.
- The right to delete personal information collected from them.
- The right to correct inaccurate personal information that a business has about them.
- The right to limit the use and disclosure of sensitive personal information collected about them.
- The right to opt-out of the sale or sharing of their personal information.
- The right to non-discrimination for exercising their CCPA rights.
Businesses that are subject to the CCPA have several responsibilities, including responding to consumer requests to exercise these rights and giving consumers certain notices explaining their privacy practices. CCPA and GDPR are often considered very similar; some have told me they focus on GDPR compliance, since it covers much, if not all, of what the CCPA requires.
The National Automated Clearing House Association (Nacha) manages the administration, development, and governance of the ACH network, the electronic system that facilitates the movement of money within the U.S. Put simply, this is the U.S. bank-to-bank transfer network or, in the Sertifi use case, the network for processing electronic checks. Businesses that accept ACH payments must abide by Nacha’s rules, which include:
- Only using secure web forms and encrypted emails to transmit payment information.
- Validating account holder identities before a transaction can be completed.
- Safely storing hard copies of documents containing sensitive customer data, including scanned paper authorizations.
- Encrypting payment information at rest on computer systems (if the business processes 2+ million ACH transactions annually).
Nacha’s rules are similar to PCI DSS; the key differences are the process by which a merchant must identify accounts and account holders, and the disclosures required before processing. New rules have gone into effect over the last couple of years, and most vendors offer a variety of solutions depending on the use case.
The landscape of online payments continues to evolve, and so does the legislation around securely collecting, using, and storing cardholder data. As the number of merchant requirements and sanctions rises, it’s important to evolve the tools and technology you use to stay compliant.
Which regulations have surprised (or not surprised) you over the years? What are you expecting to come next? We’d love to keep the conversation going.
Connect with the hospitality community from our Hotel Payments & Fraud Prevention LinkedIn group.