Hi Folks,
Today’s topic is PCI Compliance and how it applies to an RV park and/or campground. From Wikipedia, “PCI DSS stands for Payment Card Industry Data Security Standard. It was developed by the major credit card companies as a guideline to help organizations that process card payments prevent credit card fraud, cracking and various other security vulnerabilities and threats. A company processing, storing, or transmitting payment card data must be PCI DSS compliant or risk losing their ability to process credit card payments and being audited and/or fined [1]. Merchants and payment card service providers must validate their compliance periodically. This validation gets conducted by auditors, i.e. persons who are PCI DSS Qualified Security Assessors (QSAs). Although individuals receive QSA status, reports on compliance can only be signed off by an individual QSA on behalf of a PCI council approved consultancy. Smaller companies, processing fewer than about 80,000 transactions a year, are allowed to perform a self-assessment questionnaire.”
We have recently gone through a compliance process for our Bookyoursite.com online booking system.
We hired an outside independent firm called Securris (www.securris.com) to conduct this on our behalf. Great company and very professional. After a security scan, Securris gave us a list of changes to the system we had to make in order for them to give us their stamp of approval as being PCI Compliant. Pretty eye opening, and fortunately for us we did not have to make too many changes. The process is not cheap. At any rate, we are getting a few questions from our customer base as to whether or not we are PCI compliant. We are in the process of getting Campground Manager Software® certified, and Bookyoursite.com will be certified in the next couple of weeks. However, that does not mean that you are certified. Basically we have said “we’ve done our part” to make sure you are compliant. Now you, the owner/operator, have to do your part.
PCI Compliancy involves the entire system, from software to the hardware set up at park level to Internet access on your network. It encompasses all facets of the information processing package and the financial transaction package. Firewalls, encryption, and access controls are all taken into account. I started thinking about that and how it applies to the local computers at park level of some of our smaller accounts. Identity theft and cc fraud are a real problem. The credit card companies had to address it. I am thinking of it in terms of the credit card companies creating a new industry that has to go around and provide compliancy tests for each business location. Is that right? Is it affordable for our customer base? For the most part I would say no, it is beyond their scope. So hopefully they will fall under the 80,000 transaction mark and can do the self assessment. I also started thinking about it in terms of us expanding our SAAS model (Software as a Service). I really believe that with the security controls that will have to be in place in the near future in order to take credit cards, especially online, we will be putting more and more parks on our server and then running from there. All a park will need is a computer with a high speed internet connection to run the system. We handle all the security and upgrades and backups. Our servers are behind the appropriate firewall and encrypted security features. We store them at a top of the line colocation facility.
For anyone who decides to go on our SAAS product we will meet the PCI compliance test for that portion of the IT package. This will go a long way towards helping the parks become compliant and letting them keep their ability to process credit cards. Your comments are welcome.
Peter