One of the primary challenges for the industry with PCI compliance is that Hospitality sells services that are to be provided at a later date, whether that’s accommodation, events or travel. This future date can be days, weeks, months or even years in the future. Hospitality merchants, naturally, would like to collect payment data and keep it (we hope securely) until the agreed date, when either the service is provided and payment is made, or payment is taken in the case of late cancellation or 'no-shows'.
It is still common for merchants to collect payment card data, including the cardholder's name, PAN (primary account number), expiry date and even the card verification code or value, and keep it until the agreed date, for example the point at which cancellation is no longer allowed. This window of sensitive data retention can be rather large, and so is the risk.
Q: Can a merchant store sensitive authentication data (CVV in this case) before authorization?
A: Yes but be careful.
WHY: PCI DSS says little about sensitive authentication data (SAD), such as the card verification code or value, or, in our scenario, about its storage before authorization.
Currently, PCI DSS v3.2.1 allows storage of sensitive authentication data only by issuers (so not by Hospitality merchants) that have a proper business justification, and then prohibits any storage of sensitive authentication data after authorization. That leaves clear gaps: there are no requirements specific to sensitive authentication data stored before authorization if you're not an issuer. Of course, there's a PCI SSC FAQ (Article Number 1154, dated May 2014) seeking to address that:
"There are no specific rules in PCI DSS regarding how long CHD or SAD can be stored prior to authorization, but such data would need to be protected according to PCI DSS."
"Whether SAD is permitted to be stored prior to authorization is determined by the individual payment brands, including any related usage and protection requirements. Additionally, several payment brands have very specific rules that prohibit any storage of SAD and do not make any exceptions. To determine payment brand requirements, please contact the individual payment brands directly."
Q: Can I store sensitive authentication data before authorization unencrypted?
A: Technically, yes, until PCI DSS 4.0 kicks in.
WHY: The good news is that this gap should be closed in PCI DSS v4.0 through a new requirement to secure sensitive authentication data stored prior to authorization using strong cryptography. The caveat will remain that 'whether SAD is permitted to be stored prior to authorization is determined by the individual payment brands', so merchants should seek advice from their acquirers in this respect.
To be clear, Hospitality merchants should secure sensitive authentication data stored prior to authorization using strong cryptography, and should understand that the longer such data is held, and the more of it is held, the greater the risk.
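As an added example (not code from the original post), the retention lifecycle described above for a hospitality booking, written in Go: the card verification code is kept only AES-256-GCM encrypted, with the booking reference bound as associated data so a ciphertext cannot be moved onto another booking, and it is released exactly once at authorization and deleted at that moment. The key source (an HSM or KMS), the booking references and the CVV values are assumptions for the demonstration.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)

// PreAuthVault holds a booking's CVV, AES-256-GCM encrypted, only until authorization.
type PreAuthVault struct {
	aead    cipher.AEAD
	records map[string][]byte // booking reference -> nonce || ciphertext
}

// NewPreAuthVault takes a 32-byte key, assumed to be supplied by an HSM or KMS.
func NewPreAuthVault(key []byte) (*PreAuthVault, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	return &PreAuthVault{aead: aead, records: map[string][]byte{}}, nil
}

// Store encrypts the CVV; the booking reference is bound as associated data.
func (v *PreAuthVault) Store(booking, cvv string) error {
	nonce := make([]byte, v.aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return err
	}
	v.records[booking] = v.aead.Seal(nonce, nonce, []byte(cvv), []byte(booking))
	return nil
}

// Authorize releases the CVV once; the record is deleted before use, so no SAD survives.
func (v *PreAuthVault) Authorize(booking string) (string, error) {
	rec, ok := v.records[booking]
	if !ok {
		return "", fmt.Errorf("no pre-authorization data held for %s", booking)
	}
	delete(v.records, booking)
	// Open fails if the ciphertext was copied onto a different booking reference.
	pt, err := v.aead.Open(nil, rec[:v.aead.NonceSize()], rec[v.aead.NonceSize():], []byte(booking))
	return string(pt), err
}

// Held reports whether SAD is still held for a booking (e.g. free cancellation still open).
func (v *PreAuthVault) Held(booking string) bool { _, ok := v.records[booking]; return ok }
```

A cancellation inside the free window simply deletes the record without ever releasing the CVV; the same vault serves the full-payment-at-booking model because the record is gone as soon as the single authorization happens.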
One simple solution which we tend to see in practice is to take full payment at the time of booking (then get rid of any payment card data after authorization) and perform a refund if there's a cancellation within the allowed time frame. This, however, may not be attractive to some cardholders and so could cost the business customers.
If we examine this scenario from a criminal attacker's perspective, the fact that a hospitality merchant is likely to store not only cardholder data but also sensitive authentication data (whether before or after authorization makes no difference in this case) makes that merchant a much more attractive target. We think that Hospitality merchants who understand the requirements and the implications of storing sensitive authentication data prior to authorization are already on the right path to finding the solution that best suits their business and addresses the risk.
Finally, any Hospitality merchants using a card-present (or so-called 'brick-and-mortar') payment channel can benefit from our review of PCI DSS and retail sector requirements.
To ensure that you’re keeping cardholder data protected, get in touch with our cyber security experts. The PCI compliance journey may seem overwhelming, but we are more than ready to walk you through this journey guaranteeing that nothing is missed.