PCI DSS Compliance for Hospitality
Secure every guest payment touchpoint, from booking to checkout. This guide covers pre-authorisation flows, property management systems, restaurant POS, guest Wi-Fi isolation, and card-on-file best practices for hotels, resorts, and restaurants.
Overview
The hospitality industry presents one of the most complex PCI DSS environments of any sector. A single hotel may have card data flowing through online booking engines, the property management system (PMS), front-desk terminals, restaurant and bar POS systems, spa and leisure billing, minibar charge systems, and in-room entertainment. Each of these represents a separate card data touchpoint that must be secured, monitored, and included in PCI scope.
What makes hospitality particularly challenging is the combination of pre-authorisation and card-on-file. Unlike retail, where a single authorisation-capture cycle occurs at the point of sale, a hotel authorises a card at check-in, posts additional charges over a multi-day stay (raising the authorised amount where the running total exceeds the initial hold), and performs the final capture at checkout. This extended lifecycle means a payment credential must be retained for the whole stay: either the PAN itself, with every PCI DSS Requirement 3 control for stored account data in effect, or, preferably, a token or authorisation reference that stands in for it.
Franchise and management company structures add another layer of complexity. A hotel brand may mandate certain technology platforms, while the individual property owner is responsible for local compliance. Understanding who is responsible for which PCI controls across the brand, management company, franchisee, and technology vendor chain is essential to avoiding compliance gaps.
Key Challenges for Hospitality
1. Pre-Authorisation and Extended Card Storage
When a guest checks in, the hotel pre-authorises their card for the estimated stay cost plus incidentals, and subsequent charges (room service, minibar, restaurant) are posted against that authorisation, raising it where the running total passes the amount held. This requires a reference to the card for the length of the stay, but never the full magnetic stripe data from the initial swipe: PCI DSS Requirement 3.3 prohibits storing sensitive authentication data (full track, CVV, PIN) after authorisation, even if encrypted, and incremental authorisations do not need it. The PAN and expiration date may be stored with the Requirement 3 protections, but the better approach is tokenisation: replace the PAN in the PMS with a token (or the gateway's authorisation reference) that can be used for subsequent charges without exposing the real card number to every system that posts them.
2. Property Management System (PMS) Security
The PMS is the operational heart of a hotel and a prime target for attackers. It manages reservations, guest profiles, billing, and room assignments, and it frequently integrates with multiple third-party systems: booking engines, channel managers, payment gateways, loyalty programmes, and revenue management tools. Each integration is a potential attack vector. PCI DSS Requirements 2 (secure configurations), 6 (secure development), and 8 (access management) all apply to the PMS and its interfaces. Many PMS platforms are legacy systems with limited security controls, making vendor selection and contractual security requirements critical.
3. Guest Wi-Fi Network Isolation
Hotels provide Wi-Fi to hundreds or thousands of guests simultaneously. This guest network is a hostile, untrusted network operating inside the hotel's own premises. If it is not completely isolated from the payment network, an attacker with a room booking could reach POS terminals, the PMS, or the payment gateway connection. PCI DSS Requirement 1.3 restricts network access to and from the CDE, and Requirement 1.4 requires network security controls between trusted and untrusted networks, with system components that store cardholder data not directly accessible from untrusted networks (1.4.4). Hotels need physically or logically separate network infrastructure for guest Wi-Fi, back-of-house operations, and payment processing, with firewall rules enforcing strict boundaries and a default deny between zones.
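The three-zone model described above (and summarised under Req 1 in the controls list) can be checked rather than just drawn. The following is an added example, not code from the original page: a small Python model of a first-match firewall policy with a default deny between the guest, operations and payment zones, plus an audit that flags any rule letting an untrusted zone reach a trusted one. The subnets, ports, zone names and rules are assumptions chosen for illustration; the same check can be run over a rule set exported from a real firewall.

```python
"""Three-zone segmentation check: guest Wi-Fi, operations (back-of-house), payment (CDE).

Added example (not code from the original page). It models a first-match firewall
policy with a default deny between zones, evaluates sample flows against it, and
audits the policy for any path from an untrusted zone into a trusted one.
Zone names, subnets, ports and the rule set are illustrative assumptions.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

# Assumed addressing: one subnet per zone; "internet" is the catch-all.
ZONES = {
    "guest":    ip_network("10.10.0.0/16"),   # guest Wi-Fi: treated as hostile
    "ops":      ip_network("10.20.0.0/16"),   # back-of-house: PMS, front-desk workstations
    "payment":  ip_network("10.30.0.0/24"),   # CDE: POS terminals, payment connector
    "internet": ip_network("0.0.0.0/0"),
}
UNTRUSTED = {"guest", "internet"}
TRUSTED = {"ops", "payment"}


@dataclass(frozen=True)
class Rule:
    src_zone: str
    dst_zone: str
    dst_port: Optional[int]   # None means any port
    action: str               # "allow" or "deny"
    comment: str = ""


# Evaluated top to bottom, first match wins; unmatched traffic is denied.
POLICY = [
    Rule("guest", "internet", None, "allow", "guests get internet access and nothing else"),
    Rule("guest", "ops", None, "deny", "guest Wi-Fi never reaches back-of-house"),
    Rule("guest", "payment", None, "deny", "guest Wi-Fi never reaches the CDE"),
    Rule("ops", "payment", 8443, "allow", "PMS posts room charges to the payment connector over TLS"),
    Rule("ops", "payment", None, "deny", "no other back-of-house access to the CDE"),
    Rule("payment", "internet", 443, "allow", "payment connector to the gateway/acquirer only"),
    Rule("ops", "internet", 443, "allow", "staff HTTPS"),
]


def zone_of(ip: str) -> str:
    """Most specific zone containing the address (so 10.30.x.y is 'payment', not 'internet')."""
    addr = ip_address(ip)
    candidates = [(net.prefixlen, name) for name, net in ZONES.items() if addr in net]
    return max(candidates)[1]


def evaluate(policy, src_ip: str, dst_ip: str, dst_port: int):
    """First-match lookup; returns (action, reason). Default deny when nothing matches."""
    src, dst = zone_of(src_ip), zone_of(dst_ip)
    for rule in policy:
        if rule.src_zone == src and rule.dst_zone == dst and rule.dst_port in (None, dst_port):
            return rule.action, rule.comment
    return "deny", f"default deny {src}->{dst}"


def audit(policy):
    """List every rule that lets an untrusted zone into a trusted one (rule order respected)."""
    findings = []
    for src in sorted(UNTRUSTED):
        for dst in sorted(TRUSTED):
            for rule in policy:
                if rule.src_zone != src or rule.dst_zone != dst:
                    continue
                if rule.action == "allow":
                    port = "any" if rule.dst_port is None else rule.dst_port
                    findings.append(f"{src}->{dst} port {port} allowed: {rule.comment}")
                if rule.dst_port is None:
                    break   # a catch-all rule ends evaluation for this zone pair
    return findings


if __name__ == "__main__":
    print(evaluate(POLICY, "10.10.4.7", "10.30.0.10", 8443))   # guest -> POS: denied
    print(evaluate(POLICY, "10.20.1.5", "10.30.0.10", 8443))   # PMS -> connector: allowed
    print("findings:", audit(POLICY))
```

The audit respects rule order: an allow rule that sits below a catch-all deny for the same zone pair is shadowed and is not reported, which is also how a real firewall would treat it. A flat network shows up as an allow rule (or a missing deny) from guest into ops or payment.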
4. Restaurant and Bar POS Environments
Hotel restaurants, bars, and leisure facilities each operate their own POS systems, which must integrate with the PMS to allow guests to charge to their room. This integration creates a direct data flow between the restaurant POS and the PMS, expanding PCI scope to include both systems and the network path between them. Restaurants, whether hotel-operated or standalone, face the additional challenge of tip adjustment: a card is authorised for the meal amount, then a different amount including the tip is captured later. The systems handling tip adjustment must protect the authorisation reference and any card data during this interval. Using P2PE terminals for restaurant payments and token-based room-charge integration can significantly reduce scope.
5. Online Booking and Channel Management
Hotel bookings flow through multiple channels: the hotel's own website, OTAs (Booking.com, Expedia), global distribution systems (GDS), and direct phone/email reservations. Each channel transmits card data differently and with varying levels of security. Some OTAs send virtual card numbers; others transmit the guest's actual PAN. The hotel's booking engine on its own website must comply with the PCI DSS e-commerce requirements for payment pages (Requirement 6.4.3 on managing payment-page scripts and 11.6.1 on detecting tampering with them). Channel managers that aggregate bookings from multiple sources often receive and store card data, placing them firmly in PCI scope. Every booking channel must be mapped, assessed, and secured.
6. Seasonal Staffing and High Turnover
Hospitality shares the retail challenge of high staff turnover, with the added complication of seasonal peaks. A resort may triple its staff for the summer season, with temporary workers handling check-in, restaurant service, and event bookings, all of which involve card data. PCI DSS Requirement 12.6 mandates security awareness training for all personnel. Hotels need an efficient onboarding process that includes PCI awareness training on day one, covering card handling procedures, PIN entry device (PED) inspection, and social engineering awareness. Training must be practical and role-specific: a front-desk agent needs different guidance than a housekeeping supervisor.
Pre-Authorisation and Card-on-File Best Practices
Managing the card data lifecycle from booking through checkout is one of the most critical PCI challenges for hospitality. Follow these best practices:
Tokenise at First Touch
When a card is first presented (at check-in or during online booking), tokenise the PAN through your payment gateway immediately and store only the returned token in the PMS. All subsequent charges during the stay should reference the token, so the real PAN never resides in the PMS or in any system that posts charges to it. With a P2PE terminal at the desk, the PAN is encrypted at the point of capture and the property never handles it in the clear.
Eliminate Paper Authorisation Forms
Many hotels still use paper credit card authorisation forms for group bookings, wedding blocks, and corporate accounts. These forms contain full PAN, expiration date, and sometimes CVV. Migrate to digital pre-authorisation workflows that tokenise card data at the point of entry and do not produce paper records containing CHD.
Enforce Retention Limits
Define and enforce maximum retention periods aligned with your business needs. PCI DSS Requirement 3.2.1 (3.1 in v3.2.1) requires a documented data retention and disposal policy for stored account data, with a process for deleting it once it is no longer needed. Tokens and authorisation references are not cardholder data, but keep them to the same discipline: for most hotels they should be purged within 30 days of checkout unless a documented dispute resolution process requires longer. Automate deletion to prevent human error.
Secure the Authorisation-to-Capture Gap
The period between pre-authorisation and final capture can span days. During this time, the authorisation record in your PMS must be protected with the same rigour as stored card data. Access to pending authorisation records must be restricted and logged. Any system or interface that can view or modify these records is in PCI scope.
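The lifecycle set out in these best practices (and in the pre-authorisation challenge above) is easier to reason about in code. The following is an added example, not code from the original page or from any PMS vendor: `Gateway` is an assumed stand-in for a payment provider's tokenisation and authorisation API, and `PMS` keeps only a token, an authorisation reference and the last four digits. It walks a three-night stay from check-in through incremental charges and capture, then applies a 30-day post-checkout purge with a dispute-hold exception, and offers a check that the PAN never appears in PMS state. Names, amounts and the card number (a published Visa test PAN) are constructed for the example.

```python
"""Pre-authorisation lifecycle: tokenise at first touch, charge by reference, capture, purge.
Added example, not code from the original page. Gateway stands in for the payment provider's
tokenisation and authorisation API (an assumption). The card number is a published test PAN."""
import json
import secrets
from dataclasses import asdict, dataclass, field
from datetime import date, timedelta
from typing import Optional

TEST_PAN = "4111111111111111"   # Visa test number, not a real card


class Gateway:   # provider side: after tokenisation the PAN lives here, not on the property
    def __init__(self):
        self._vault = {}   # token -> (pan, expiry)
        self._auths = {}   # auth_id -> {"token", "amount", "captured"}

    def tokenize(self, pan: str, expiry: str) -> str:
        token = "tok_" + secrets.token_urlsafe(16)
        self._vault[token] = (pan, expiry)
        return token

    def authorize(self, token: str, amount: int, cvv: str) -> str:
        # The CVV is used for this single request and then dropped (Req 3.3: no SAD after auth).
        if token not in self._vault:
            raise KeyError("unknown token")
        auth_id = "auth_" + secrets.token_hex(6)
        self._auths[auth_id] = {"token": token, "amount": amount, "captured": None}
        return auth_id

    def held(self, auth_id: str) -> int:
        return self._auths[auth_id]["amount"]

    def raise_hold(self, auth_id: str, new_total: int) -> int:
        """Incremental authorisation by reference: no card data travels with the request."""
        auth = self._auths[auth_id]
        auth["amount"] = max(auth["amount"], new_total)
        return auth["amount"]

    def capture(self, auth_id: str, amount: int) -> int:
        auth = self._auths[auth_id]
        if auth["captured"] is not None or amount > auth["amount"]:
            raise ValueError("already captured, or capture exceeds the authorised amount")
        auth["captured"] = amount
        return amount


@dataclass
class Folio:
    folio_id: str
    token: str                   # provider token, never a PAN
    last4: str                   # for the printed bill only
    auth_id: str
    charges: list = field(default_factory=list)
    checkout_date: Optional[date] = None
    dispute_hold: bool = False   # keeps the record past the retention window


class PMS:   # property side: tokens and authorisation references only
    def __init__(self, gateway: Gateway):
        self.gateway, self.folios = gateway, {}

    def check_in(self, card: dict, estimate: int) -> str:
        """card is what the terminal read; only a token and the last four digits are kept."""
        token = self.gateway.tokenize(card["pan"], card["expiry"])
        auth_id = self.gateway.authorize(token, estimate, card["cvv"])
        folio = Folio("F" + secrets.token_hex(3), token, card["pan"][-4:], auth_id)
        self.folios[folio.folio_id] = folio
        return folio.folio_id

    def post_charge(self, folio_id: str, description: str, amount: int) -> int:
        folio = self.folios[folio_id]
        folio.charges.append((description, amount))
        # The hold only grows once the running total passes the check-in estimate.
        return self.gateway.raise_hold(folio.auth_id, sum(a for _, a in folio.charges))

    def check_out(self, folio_id: str, today: date) -> int:
        folio = self.folios[folio_id]
        captured = self.gateway.capture(folio.auth_id, sum(a for _, a in folio.charges))
        folio.checkout_date = today
        return captured

    def purge_expired(self, today: date, retention_days: int = 30) -> list:
        """Retention enforcement: drop payment references once the window has passed."""
        expired = [fid for fid, f in self.folios.items() if f.checkout_date and not f.dispute_hold
                   and today - f.checkout_date > timedelta(days=retention_days)]
        for fid in expired:
            del self.folios[fid]
        return expired

    def contains(self, needle: str) -> bool:
        """True if the string appears anywhere in serialised PMS state (a PAN never should)."""
        return needle in json.dumps([asdict(f) for f in self.folios.values()], default=str)


def run_stay():
    """Constructed three-night stay: check-in, room and incidental charges, checkout."""
    pms = PMS(Gateway())
    card = {"pan": TEST_PAN, "expiry": "12/27", "cvv": "987"}   # as read at the terminal, kept nowhere
    fid = pms.check_in(card, estimate=900)
    for description, amount in [("room, 3 nights", 600), ("room service", 45), ("minibar", 18), ("spa", 300)]:
        pms.post_charge(fid, description, amount)   # total 963 passes the 900 hold, so the hold is raised
    return pms, fid, pms.check_out(fid, date(2025, 6, 4))
```

`run_stay()` returns the PMS, the folio id and the captured amount (963). `pms.contains(TEST_PAN)` is the check worth keeping in a real system: serialise whatever the PMS persists and search it for the PAN. `purge_expired` is what the automated retention job runs each night, with `dispute_hold` as the only way to keep a reference past the window.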
Required Controls for Hospitality
Req 1: Network Segmentation
Three-zone minimum: guest Wi-Fi, back-of-house operations, and payment processing. Firewalled with a default deny between zones, and only documented flows (for example the PMS to the payment connector) explicitly allowed.
Req 3: Stored Data Protection
Tokenisation of all stored PANs. No full track data, CVV, or PIN stored after authorisation. Automated retention enforcement.
Req 8: Authentication
Unique credentials for every staff member on POS and PMS systems. No shared logins. MFA for remote PMS access and administrative functions.
Req 9: Physical Security
PED inspection programme at all payment points. Controlled access to server rooms. CCTV coverage of front desk, restaurant POS, and back offices.
Req 11: Security Testing
Quarterly wireless scanning to detect rogue access points. Vulnerability scanning of all in-scope systems. Annual penetration testing.
Req 12: Policies and Training
Role-specific security training for front desk, restaurant, spa, and IT staff. Documented procedures for card handling, PED inspection, and incident reporting.
Common Pitfalls
- Storing full PANs in the PMS "guest profile" for returning guests without tokenisation
- Using a flat network where guest Wi-Fi, POS terminals, and the PMS are all on the same VLAN
- Accepting credit card details via email for group bookings and corporate reservations
- Sharing POS login credentials among restaurant staff across shifts for convenience
- Not including third-party PMS vendors and channel managers in your PCI scope assessment
- Failing to inspect POS terminals at hotel restaurants and bars, which are often in less supervised locations
- Using fax machines to transmit credit card authorisation forms between properties
- Not purging card data from cancelled or no-show reservations within the defined retention period
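Several of these pitfalls (full PANs in guest profiles, card details arriving by email, stale reservation data) are found the same way: by scanning the data you already hold for card numbers. The following is an added example, not code from the original page: a Python scanner that matches 13 to 19 digit candidates in PMS exports or mailbox dumps and Luhn-checks them, so that reservation and loyalty numbers of the same length are not reported. The sample records are constructed for the example and use published test card numbers.

```python
"""Scan PMS exports, guest notes and mailbox dumps for card numbers that should not be there.

Added example, not code from the original page. Candidates are matched by a regex
and then Luhn-checked, so reservation and loyalty numbers of the same length are not
reported. The sample records are constructed; the card numbers are published test PANs.
"""
import re

# 13 to 19 digits, optional single space or hyphen between digits, not part of a longer run.
CANDIDATE = re.compile(r"(?<!\d)\d(?:[ -]?\d){12,18}(?!\d)")


def luhn_ok(digits: str) -> bool:
    """Mod-10 check-digit validation as used by payment card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:                 # every second digit from the right is doubled
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def mask(pan: str) -> str:
    """First six and last four only; the report must never carry the full number."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def scan(text: str):
    """Return (line_number, masked_pan) for every Luhn-valid candidate, line by line."""
    hits = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for m in CANDIDATE.finditer(line):
            digits = re.sub(r"[ -]", "", m.group())
            if luhn_ok(digits):
                hits.append((lineno, mask(digits)))
    return hits


# Constructed sample: a PMS export row with a raw card, a tokenised row, a loyalty ID that
# happens to be 16 digits, a mailbox line, and a confirmation number. Only two are cards.
SAMPLE = """\
RES-2025-0613 | Smith, J | wedding block | card 4111 1111 1111 1111 exp 12/27 cvv 987
RES-2025-0614 | Patel, R | token tok_8fJq2Qm9xK | last4 4444
Loyalty ID 5555555555554443 | no card on file
From: events@example.com | "please charge 5555-5555-5555-4444 for the corporate block"
Confirmation 1234567812345678 | rooms 301-303 | balance 0
"""

if __name__ == "__main__":
    for lineno, masked in scan(SAMPLE):
        print(f"line {lineno}: {masked}")
```

Luhn validation removes most false positives, but roughly one in ten random digit strings of the right length still passes, so treat hits as candidates for review rather than confirmed cardholder data, and never write the unmasked match to the scan report. Note that line 1 also carries a CVV next to the card number, which is exactly the sensitive authentication data Requirement 3.3 forbids keeping.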
Implementation Checklist
1. Map every card data touchpoint: booking engine, check-in, PMS, restaurant POS, bar POS, spa, minibar, room service, in-room entertainment, and checkout
2. Implement tokenisation at the payment gateway level so the PMS and all downstream systems only handle tokens, never raw PANs
3. Deploy three-zone network segmentation: guest, operational, and payment, with documented firewall rules between each zone
4. Replace paper credit card authorisation forms with digital pre-authorisation workflows that tokenise at the point of entry
5. Configure unique login credentials for every staff member on POS and PMS systems, eliminating all shared accounts
6. Establish a PED inspection programme with daily documented checks at reception, restaurant, bar, and any other payment terminal location
7. Implement P2PE-validated terminals for restaurant and bar payments to minimise POS scope
8. Conduct quarterly wireless scanning to detect rogue access points near payment processing areas
9. Create role-specific PCI training modules: front desk, restaurant service, housekeeping, events, IT, and management
10. Review all PMS vendor and channel manager contracts for PCI DSS compliance obligations and obtain current AOCs
11. Define and automate card data retention policies with automatic purging post-checkout
12. Test the incident response plan with a hospitality-specific scenario: compromised POS terminal at the hotel restaurant
Quick Facts
- Industry: Hotels, Restaurants, Resorts
- Unique Challenge: Pre-auth / card-on-file lifecycle
- Key System: Property Management System (PMS)
- Scope Reduction: Tokenisation, P2PE, network segmentation
Key Statistics
- 21% of all payment card breaches occur in the hospitality sector
- 8+ separate card data touchpoints in a typical full-service hotel
- $2.94M average cost of a hospitality data breach (2025)
- 73% of hotel breaches involve PMS or POS system compromise
Get Started with GRCTrack
Built for multi-location hospitality. Manage PCI compliance across every property with centralised assessments, evidence collection, and real-time scope tracking.