Long-Term Storage of Guest Credit Cards

Follow

In order to accommodate various property payment workflows in the past, the Cloudbeds myfrontdesk system was equipped with a feature called "Long Term Credit Card Storage".  This feature allowed properties to access and view guest credit card details for an extended period of time after guest check-out so that they could process payments at a later date.

Upon reviewing this behavior with various security and compliance advisors, Cloudbeds has determined that this feature is not PCI compliant, and therefore will no longer be available beginning April 30, 2020.

This articles discusses the details of this change, including:

  • Why it's important to deprecate this functionality
  • What steps you should take if you depended on Long-Term storage of credit cards
  • How Cloudbeds intends to notify users and roll out this change
Why we are making this change

As we all know, information and data security is constantly evolving as systems and compliance requirements change.  This is especially true in the Hospitality Industry, as we have seen numerous examples of data breaches across multiple companies and systems recently.

As Cloudbeds continues to grow, we are constantly evaluating our security practices to ensure that the information we store is safe.  As a result of this evaluation, Cloudbeds is taking several steps to strengthen our security practices.

Upon evaluating Cloudbeds' PCI (Payment Card Industry) compliance, we have identified that the practice of storing the full guest credit card details more than 14-days post-checkout is not PCI compliant.  Cloudbeds is committed to the security of your guest data, and therefore we will be deprecating this functionality on April 30, 2020.

Steps you should take

For the vast majority of properties, there is no need to access the full guest credit card details more than 14 days post-checkout.  This is because their payment workflows charge guests prior to, during, or soon after checkout.  In these cases, there is nothing that you need to do.

However, if your payment workflow currently requires you to charge guest cards more than 14 days post-checkout, please review the options below.

 

Connect to a preferred Payment Gateway

With this option, there is no need to ever access the full card details of your guests, as the card is stored directly by the Payement Gateway.  The guest  can be charged directly from within the myfrontdesk system (How to Process Payments Through a Payment Gateway)

The payment gateways that support this functionality are

Note: Even with this option, you must charge your guest less than 14 days post-checkout.  PCI (Payment Card Industry) requirements do not allow you to keep or charge guests more than 14 days after checking out.

Please ensure that you review your internal processes and account for this change prior to April 30, 2020.

Keep your existing payment provider, and charge guests within 14 days post-checkout

If connecting to a payment gateway listed above is not an option for your property, you will need to adjust your payment workflow to ensure that you charge guests no later than 14 days post-checkout.  This may change how you handle customer payments, accounting practices, government and tax reporting obligations, etc.

Please ensure that you review your internal processes and account for this change prior to April 30, 2020.

Notification Plan

Since this change may impact how your property charges guests, we are implementing a multi-step notification process so that you have sufficient time to make any adjustments necessary.

  • First Email Announcement: March 9, 2020
  • In-App Notification:  Week of March 23, 2020
  • Second Email Announcement: March 30, 2020
  • Final Email Announcement: April 13, 2020
Have more questions? Contact Support

Comments

Powered by Zendesk