Do I need to comply with PCI DSS and PSD2?

19/08/2022

If your business (a hotel, OTA, restaurant, travel agency, etc.) processes, stores, or transmits critical payment card data, then you need to comply with PCI DSS / PSD2, regardless of the size of your company. Even if you do not process or store card data yourself but use third-party payment gateways, it is still very likely that you need to comply with this standard.

What is PCI DSS?

PCI DSS stands for Payment Card Industry Data Security Standard, which is the worldwide data protection standard for industries that handle credit or debit card payments. Its primary objective is to ensure that all companies have a minimum level of basic security in place, in order to protect cardholder data.


The following data elements are considered critical and must be protected: the PAN (primary account number), cardholder's name, expiration date, service code, the data on the magnetic stripe or its equivalent on a chip, CAV2, CVC2, CVV2, CID, the personal identification number (PIN) and PIN blocks.
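The practical consequence of that list is that card data must be kept out of places it does not belong, above all application logs and secondary databases. The scrubber below is an added example, not code from the original post or from GMV; it applies two rules that come from the PCI DSS standard itself rather than from this page: a PAN, when it has to be shown at all, is truncated to at most the first six and last four digits, and sensitive authentication data (CAV2/CVC2/CVV2/CID, PIN and PIN blocks, magnetic-stripe or track data) is never retained after authorization. The field names and the sample record are constructed for the example; the card numbers in it are public test numbers, not real accounts.

```python
"""Scrub cardholder data from records and free text before logging or storage.
Added example; field names (pan, cvv2, track2, ...) are assumed, not an API."""
import re

# Sensitive authentication data (SAD) per PCI DSS: dropped outright, never masked.
SAD_FIELDS = {"cvv2", "cvc2", "cav2", "cid", "pin", "pin_block",
              "track1", "track2", "track_data"}

# Candidate PANs: 13 to 19 digits, optionally separated by spaces or dashes,
# bounded so that a substring of a longer digit run is not matched.
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_valid(digits: str) -> bool:
    """Return True if the digit string passes the Luhn checksum every PAN carries.
    This separates card numbers from order ids, phone numbers and timestamps."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Keep at most the first six and last four digits (the PCI DSS display
    maximum); every digit in between becomes '*'. Short values are fully masked."""
    digits = re.sub(r"\D", "", pan)
    if len(digits) < 13:
        return "*" * len(digits)
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def scrub_text(text: str) -> str:
    """Mask every Luhn-valid, PAN-shaped digit run inside free text (log lines,
    comments, notes); non-card digit runs are left untouched."""
    def repl(match: re.Match) -> str:
        raw = match.group(0)
        digits = re.sub(r"\D", "", raw)
        return mask_pan(digits) if luhn_valid(digits) else raw
    return PAN_RE.sub(repl, text)


def scrub_record(record: dict) -> dict:
    """Drop SAD fields, mask the PAN field, and scrub every other string value."""
    out = {}
    for key, value in record.items():
        k = key.lower()
        if k in SAD_FIELDS:
            continue                      # must not be stored after authorization
        if k == "pan":
            out[key] = mask_pan(str(value))
        elif isinstance(value, str):
            out[key] = scrub_text(value)  # catches PANs pasted into free text
        else:
            out[key] = value
    return out


if __name__ == "__main__":
    # Constructed sample record using public test card numbers.
    sample = {
        "pan": "4111111111111111",
        "cvv2": "123",
        "name": "J. Doe",
        "note": "guest paid with 5500 0000 0000 0004, order 1234567890123",
    }
    print(scrub_record(sample))
```

Run the scrubber at the boundary where data leaves the payment flow (the logging handler, the export to the PMS or CRM), not only where it enters: the free-text pass exists because a PAN typed into a booking note or a support ticket is just as much cardholder data as the one in the `pan` field.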

What is PSD2?

The PCI DSS regulations were established in 2006, and although they have now reached version 4 (first quarter of 2022), there was a need to adapt them to new security systems. Because of this, the EU’s Payment Services Directive 2 entered into force in 2019, and it applies to any business that may have interactions with European customers.

PSD2 includes improved guidelines for online payments, and for managing confidential data to reduce the risk of theft, fraud, and security breaches. The main change is the requirement on strong customer authentication (SCA) for online transactions. With SCA, customers need to provide a second authentication factor before they can make a payment. This can be a PIN code or a verification code sent by SMS.

What does PSD2 mean for your hotel business?

It essentially means that any transaction your hotel initiates when the guest is not present does not comply with the PSD2 requirements. Guests must be able to complete a two-factor verification step for each payment, for example when they make a reservation or when they check out. This means that hotels may need to modify or adapt their payment procedures.

Requirements and Solutions

The PCI DSS standard includes more than 290 controls related to physical, technological, and administrative security. These are organized into 6 goals or objectives, which are in turn subdivided to form 12 requirements, as seen below:

[Figure: the 6 goals of PCI DSS and the 12 requirements they are subdivided into]

Levels

There are also various levels for these requirements, which are based upon a company’s number of annual transactions. These are grouped into four levels:

  • Level 1: more than 6 million annual transactions
  • Level 2: between 1 million and 6 million annual transactions
  • Level 3: between 20,000 and 1 million annual transactions
  • Level 4: fewer than 20,000 annual transactions

For Levels 2, 3, and 4, there is a self-assessment tool: Self-Assessment Questionnaire (SAQ). This is used to evaluate a company’s compliance with the requirements from the PCI DSS standard. However, for Level 1, in addition to completing the SAQ, a "Formal Compliance Audit" is required. This provides more exhaustive evidence for each requirement. GMV is an Approved Scanning Vendor for performing these official evaluations, so feel free to contact us if you need more information.

Author: Joan Antoni Malonda
