Practical Guides

PCI DSS for Hotels and Hospitality: The Hidden Risks at the Front Desk

March 20, 2025 6 min read PCI Proxy EU

The hospitality sector is one of the most complex from a PCI DSS compliance perspective. A hotel collects card data through multiple channels: website, OTAs, telephone, walk-in at reception, fax and even email. Each channel has a different risk profile, and front desk staff often find themselves manually handling card numbers in situations for which no defined secure procedure exists. The result is an extended, difficult-to-control PCI perimeter with concrete operational risks.


Card data collection channels in a hotel: where the risks hide

Physical check-in with a certified POS is the most controlled channel. The risk is concentrated in the others: telephone bookings where staff manually transcribe card numbers, emails with attachments containing authorisation forms, faxes with card data in cleartext (still common in some corporate market segments), and booking systems that save card data in the PMS (Property Management System) without adequate encryption.

The PMS is a critical risk point: many systems common in the hospitality sector historically stored card data in their database without meeting PCI requirements. Verifying the PMS configuration is often the first thing a QSA asks a hotel. If the PMS is not PCI certified or does not integrate with a tokenization system, the entire system and the servers it runs on enter the CDE, with the corresponding infrastructure security obligations.

Telephone bookings and guarantee cards: the MOTO problem

Bookings with a guarantee card collected by phone fall under the MOTO (Mail Order / Telephone Order) category. PCI DSS treats this channel as high-risk because staff have direct access to the card number during the call. Requirement 3.3 of the standard explicitly prohibits audio recording of sessions in which card data is transmitted, yet many hotels record calls for quality purposes without verifying the compliance impact.

The technical solution for the MOTO channel is a secure IVR system or a payment page delivered via a link, which lets the customer enter card data independently without the operator seeing it. PCI Proxy EU allows this flow to be implemented: the operator initiates the payment session, the system sends a secure link to the customer, who enters the data directly into the vault, and the operator receives only the confirmation token. Staff never see the PAN.

How PCI Proxy EU solves the hospitality problem

PCI Proxy EU centralises the collection and storage of card data from all channels in a single certified vault. For the online channel, the hosted payment page collects data directly without it passing through the hotel's backend. For the telephone channel, the payment link system eliminates operator exposure. For card guarantees stored for no-shows, the token replaces the PAN in the PMS: the original PAN remains in the vault and can only be retrieved for actual charges.

The result is a CDE reduced to just the components that communicate with the vault APIs, instead of the entire hotel infrastructure. A PMS that sees only tokens is no longer in scope for the data storage component. Telephone bookings managed via secure link leave the high-risk MOTO scope. The perimeter to protect shrinks to a few API endpoints with documented access controls, manageable with normal IT resources and no payment security specialisation.
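To make the payment-link flow and the token-only PMS concrete, here is an added illustrative model (not PCI Proxy EU's API; the Vault class, session handling and pan_residue helper are assumptions). The PAN enters the vault directly from the guest, the operator and the PMS ever handle only the token, and a Luhn-based scan shows how a hotel can check PMS free-text fields for card numbers that staff typed in by hand.

```python
import re
import secrets

def luhn_ok(pan: str) -> bool:
    """Luhn check used to tell a real PAN from an arbitrary digit string."""
    digits = [int(c) for c in pan if c.isdigit()]
    if not 13 <= len(digits) <= 19:
        return False
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

class Vault:
    """Stand-in for the certified vault: the only place a PAN ever lives."""
    def __init__(self):
        self._pans = {}      # token -> PAN (a real vault encrypts this at rest)
        self._sessions = {}  # session id -> token once the guest has submitted

    def open_session(self) -> str:
        """Operator step: create the session whose link is sent to the guest."""
        sid = secrets.token_urlsafe(16)
        self._sessions[sid] = None
        return sid

    def submit_card(self, sid: str, pan: str) -> None:
        """Guest step: the PAN goes from the guest's browser straight into the vault."""
        if self._sessions.get(sid, "used") is not None:
            raise ValueError("unknown or already-used session")
        if not luhn_ok(pan):
            raise ValueError("invalid PAN")
        token = "tok_" + secrets.token_hex(8)
        self._pans[token] = pan
        self._sessions[sid] = token

    def session_token(self, sid: str):
        """Operator step: only the token comes back, never the PAN."""
        return self._sessions.get(sid)

    def charge(self, token: str, amount: float) -> dict:
        """Billing step: the PAN is used inside the vault for the actual charge."""
        pan = self._pans[token]
        return {"masked_pan": "*" * (len(pan) - 4) + pan[-4:], "amount": amount}

PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")
def pan_residue(text: str) -> list:
    """Scan a PMS free-text field (notes, booking remarks) for stray PANs."""
    return [m.group() for m in PAN_RE.finditer(text) if luhn_ok(m.group())]
```

The PMS record for a no-show guarantee then stores only the value returned by session_token; a scheduled pan_residue scan over notes fields is a cheap control for the manual-transcription risk described above.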

Frequently asked questions

Must the hotel retain card data for no-show guarantees?

The hotel often has a legitimate business requirement to retain a guarantee card until check-out or for a predetermined period. PCI DSS allows PAN storage if protected by encryption or tokenization, with a documented retention policy. The correct solution is to store the token in the PMS and the PAN in the certified vault. Storing the PAN in cleartext or in an inadequately protected manner in the PMS for this purpose is not compliant.

Do bookings via OTAs like Booking.com transfer PCI responsibility?

It depends on the model. If the OTA collects payment and transfers only the net commission to the hotel (agency model), the hotel does not touch card data and PCI responsibility for that transaction lies with the OTA. If instead the OTA transmits card data to the hotel for direct billing, the hotel becomes in scope for that card. Many OTAs use virtual payment systems (virtual credit cards) for this purpose, which have different PCI implications to be handled case by case.

Does a PCI-certified PMS reduce the hotel's obligations?

Yes, if the PMS is PCI DSS certified as a service provider and the hotel correctly uses the certified features. The PMS provider's AOC covers their infrastructure, but not automatically the hotel systems integrating with the PMS. The hotel must verify that its implementation falls within the perimeter covered by the provider's certification, which generally requires direct dialogue with the PMS vendor and often involvement of a QSA.

Zero PCI risk from reception to billing: one vault for all channels. Discover PCI Proxy EU.

PCI Proxy EU Team

RoxPay, PCI DSS tokenization in Europe

Content reviewed by payment and PCI DSS compliance experts.
