WebHotelier compliant for 6th year in a row, adopts PCI DSS 3.2

We are proud to announce that WebHotelier has successfully completed the assessment against the newly released PCI Data Security Standard (PCI DSS) version 3.2 (revision 1.1), 7 months in advance of the mandatory February 1, 2018, deadline.

We at WebHotelier are committed to this international information security and compliance program, and adopting the new standard as early as possible once again demonstrates our commitment to information security as our highest priority. Our customers (and customers of our customers) can operate confidently as they store and process credit card information (and any other sensitive data) in WebHotelier knowing that our products and services are tested against the latest and most mature set of PCI compliance requirements.

Our Certificate of Compliance (COC), issued by Trustwave, is available for download from the following URL:

http://files.webhotelier.net/pci/2017/webhotelier_compliance_certificate_2017-06-30.pdf

The WebHotelier Attestation of Compliance (AOC), Self-Assessment Questionnaire (SAQ), and Approved Scanning Vendor report (ASV), are available upon request.

Privacy as important as security

Too often we think of privacy and security as divergent forces -- pulling our focus in different directions.

Many vendors (even some OTAs) avoid certifying their full service by segregating their payment-related systems and placing only those in PCI scope. The rest of their customer information often has less protection and is not tested against the strict PCI DSS requirements.

WebHotelier makes no such distinction.

We at WebHotelier have chosen to place our entire set of products and services in PCI scope because we don't believe that credit card information is the only data that needs protecting. In hospitality, customer privacy and confidentiality are paramount.

All customer information is segregated and protected under the same umbrella of security features we have built for our systems.

What WebHotelier's certification means to you

WebHotelier being a PCI DSS “Compliant” Service Provider means that customers who use WebHotelier products and services to store, process or transmit cardholder data can rely on our technology infrastructure as they manage their own PCI DSS compliance certification.

WebHotelier's PCI DSS compliance further demonstrates the commitment to information security at every level. As the PCI DSS standard is validated by an external independent third party, it confirms that our security management program is comprehensive and follows leading industry practices. This validation provides our customers assurance with regards to our security practices.

However, all entities using our system (properties, third-party vendors, and partners) must manage their own PCI DSS compliance certification. For the portion of the PCI cardholder data environment deployed in WebHotelier, your QSA can rely on our Attestation of Compliance (AOC), but you will still be required to satisfy all other PCI DSS requirements.

What’s new in PCI DSS 3.2?

The PCI Security Standards Council published PCI DSS 3.2 in April 2016 as the most current set of requirements available. PCI DSS version 3.2 revised and clarified the online credit card transaction requirements around encryption, access control, change management, application security, and risk management programs. Specific changes, per the PCI Security Standards Council's Chief Technology Officer Troy Leach, include:

  • A change management process is now required as part of implementing a continuous monitoring environment (versus a yearly assessment).
  • Service providers now are required to detect and report on failures of critical security control systems.
  • The penetration testing requirement was increased from yearly to once every six months.
  • Multi-factor authentication is a requirement for personnel with non-console administrative access to systems handling card data.
  • Service providers are now required to perform quarterly reviews to confirm that personnel are following security policies and operational procedures.