Is Mews PCI Compliant?


Mews runs on the infrastructure of Microsoft Azure, which is Level 1 PCI DSS compliant (https://www.microsoft.com/en-us/TrustCenter/Compliance/PCI), and therefore Mews is not in the scope of PCI compliance. In the case of Mews Merchant, Mews does not need its own PCI compliance certification, as our payment gateway provider, Stripe, takes on all of the certification and compliance processes itself. More information about Stripe's PCI compliance can be found here: https://stripe.com/docs/security/stripe and https://www.visa.com/splisting/searchGrsp.do?companyNameCriteria=stripe



What is PCI Compliance?


PCI DSS stands for Payment Card Industry Data Security Standard. It is not a legal requirement, but a framework agreed upon by the card schemes (Visa, MasterCard, Amex, Diners, etc.). Compliance with this standard (or rather, set of standards) is necessary if a company wants to accept credit cards.


How does card storage actually work?


The full set of specifications can be found on the PCI Council's website (https://www.pcisecuritystandards.org/), but the general idea is that all card data (customer names, card numbers, expiry dates, CVV codes, etc.) must be stored separately, away from any other database data (for example, hotel data). According to the new specifications, this must be a separate server, which means that to comply, a hotel would need two servers.


But we had one server in our last property and we could swipe cards on Opera?


This is no longer a PCI compliant solution. Oracle had an exception for a few years, but has had to phase these servers out because they are no longer PCI compliant.


Can I be fined for PCI breaches?


Individual clients usually don't get fined for PCI breaches, because they have typically outsourced card handling, either to their payment processors (Adyen, SIX Payments, etc.) or to PCI-compliant card storage "vaults" (databases where cards are stored, either in the cloud or on-premise). However, these costs are usually passed down in the form of higher fees over time. Also, under GDPR, on-premise solutions (which the new standards regard as low-security) fall under the data breach rules, so our hotel clients can be fined for both a data breach and a PCI breach.