In response to the growing threat of improper use of credit cards, the payment card industry formed the PCI Security Standards Council. The council has developed a set of standards (PCI DSS) for anyone who stores, processes or transmits credit card data. The primary goal of the council, and the purpose of the DSS, is to protect cardholders' data.
There are two elements of PCI that may apply to RMS customers who accept credit cards as a form of payment.
- The Payment Card Industry Data Security Standard (PCI DSS)
This standard stipulates the conditions under which credit card data can be processed, stored and transmitted in a way that complies with the agreement between the card issuers, the bank, and the merchant.
The PCI DSS details all aspects of business practice, including policies, security, devices such as credit card processing terminals, and the environment in which they operate. Quite apart from any business information software, such as RMS, the merchant is obliged to comply with the standard. An example of not complying with the standard would be the practice of recording credit card details in a book that is left in an open drawer.
- The Payment Application Data Security Standard (PA DSS)
This is a standard for a software or hardware payment application that stores, processes or transmits credit card data. A property management system such as RMS is deemed to be a payment application if it stores, processes or transmits credit card data.
Instances of RMS that store credit card details are not PA DSS compliant. However, RMS can be configured and supplied in such a way that it is impossible to store credit cards in any part of the system; neither can it process or transmit card data. Furthermore, such installations of RMS cannot be reconfigured by the user to allow the storage of credit cards after installation.
By definition of the PA DSS, any application that does not store, process or transmit credit card data is out of the scope of PA DSS and is not required to comply. Customers who are seeking to establish a business environment that complies with the PCI DSS should consider using a version of RMS in which the ability to store, process and transmit credit cards has been disabled. Using the non-payment-application version of RMS forms a significant part of operating a PCI DSS compliant business environment.