Are Visitor Attractions Ready For Increased Credit Card Charges This Year?
As UK visitor attractions embrace advanced online ticket sales, payment card industry compliance is becoming more important than ever.
Personal data security is a hot topic, with breaches such as VTech, TalkTalk and Morrisons dominating news headlines and dramatically raising the focus on the issue.
At the same time, credit card providers are beginning to charge non-PCI-compliant visitor attractions higher fees and forcing them to carry their own chargebacks, on the basis that they are a greater risk.
Simon Kniveton, director at Vennersys, said: “Payment card industry compliance is probably the single biggest challenge that visitor attractions will face over the coming year.”
“Two new important pieces of legislation – the EU General Data Protection Regulation and the Directive on Payment Services – will soon demand very strict data breach notification processes in Europe, in addition to The Payment Card Industry Data Security Standard (PCI DSS), which is already in place.”
The PCI DSS is a worldwide standard that was set up to help businesses process card payments securely and reduce card fraud. It does this through tight controls surrounding the storage, transmission and processing of the cardholder data that businesses handle, with the aim of protecting sensitive cardholder data.
Compliance with data security standards can bring major benefits to businesses of all sizes, while failure to comply can have serious and long-term negative consequences:
- Compliance with the PCI DSS means that systems are secure, and customers can trust the business with their sensitive payment card information
- Compliance improves your reputation with banks, financial institutions and payment brands -- the partners you need in order to do business
- Compliance is an ongoing process, not a one-time event. It helps prevent security breaches and theft of payment card data, not just today, but in the future
If you are not compliant, it could be disastrous for your visitor attraction:
- Compromised data negatively affects consumers, merchants, and financial institutions
- Just one incident can severely damage the reputation of a business and its ability to conduct business effectively, far into the future
- Account data breaches can lead to catastrophic loss of sales, relationships and standing, and depressed share price for a public company
Possible negative consequences also include:
- Insurance claims
- Cancelled accounts
- Payment card issuer fines
- Government fines
Organisations are being urged to start preparing for the new requirements, and many visitor attractions are turning to specialist ticketing, back-office and EPOS providers such as Vennersys to ensure they have systems that protect their customers’ card data.
Kniveton explains: “Achieving auditable compliance is a time-consuming and expensive task for any attraction, which is why so many of our customers have turned to the Vennersys Venpos Cloud product to ensure they comply.”
“We’ve seen a particular uptake in small and medium businesses using our products and services. Alongside the historic houses & estates, museums & galleries, safari parks and aquariums that we work with, we’re also attracting more farm attractions, children’s play and activity centres.”
Any business dealing with customer data is fighting a major battle against cybercriminals, and visitor attractions typically don’t have the dedicated IT security staff to deal with it.
In October 2015 the European Parliament adopted the revised Directive on Payment Services (PSD2). This new law enhances consumer protection, promotes innovation and improves the security of payment services.
PSD2 is the latest in a series of laws recently adopted by the EU in order to provide for modern, efficient and cheap payment services and to enhance protection for European consumers and businesses.
The new rules will improve protection for consumers when they make payments, promote the development and use of innovative online and mobile payments, and make European payment services safer.
The latest updates to the EU General Data Protection Regulation (GDPR) are set to be finalised by early 2016.
The aim of the GDPR is to create a unified data protection law across the EU member states and to implement a ‘regulation’ instead of a ‘directive’, which means that the same set of rules will be directly applicable in all EU member states without the need for state-level legislation.
Individuals have the right to complain and obtain redress if their data is misused anywhere within the EU. This means if your IT systems, networking and IT security do not adequately protect your data, then your attraction is at risk of individual claims as well as massive EU fines.