PCI and GDPR compliance - Made easy

It's no easy task to keep track and stay on top of changing legislation. It's complex, time-consuming and requires constant attention.

It's no easy task to keep track and stay on top of changing legislation. It's complex, time-consuming and requires constant attention. The growing concern comes from an unfamiliarity with how hotels are expected to protect themselves, their systems, and their customers’ data.

The Smarthotel Certification provides hotels with a solution to overcome their compliance challenges. To help you understand payment compliance, we have broken down the two most important regulations you need to know about.

PCI-DSS & GDPR  - What do they mean and how do I stay compliant?

GDPR: European Data Protection Rules

Let’s start with GDPR, the General Data Protection Regulation (GDPR). The European regulation affects businesses operating within the EU and all European customers outside of the EU. The regulation requires all businesses that deal with sensitive information - like guest data - to be transparent with their customers on how they manage that data. The regulation came into force in May 2018, with the goal of protecting and providing consumers with greater control over their personal data collection.

For hotels, that means reviewing your processes - how you store and manage guest information. The fines for non-compliance are hefty, for the most serious infringements, there is a fine of up to 4% of yearly revenue, or €20 million, whichever is larger.

Our technology was built with GDPR compliance in mind, equating to processes that are 100% guaranteed GDPR compliant. Ensuring guest data is handled with the utmost care in a secure environment.

Click here to learn more about GDPR.

PCI-DSS Compliance: The Information Security Standard

Payment Card Industry Data Security Standard (PCI-DSS) is a security standard that applies to every business dealing with credit cards. The goal is to protect card data, toughening up security measures around the way that information is handled and stored. If your property accepts virtual credit cards, according to PCI-DSS, it is not permitted to have PED terminals print out personally identifiable payment card data; printouts should be truncated or masked meaning that, when you receive a virtual credit card via fax, this is not a PCI compliant process. If you have access to a corporate service portal containing virtual credit card data, according to PCI-DSS it is mandated to ‘not store any payment card data in payment card terminals or other unprotected endpoint devices, such as PCs, laptops or smartphones’ meaning that this process too, is not PCI compliant.

Achieving compliance is difficult and maintaining it is harder. According to PCI-DSS, there are 12 requirements to PCI compliance, broken down into 95 pages of sub-requirements, testing procedures and guidance on how to become so.

Find the full document here.

The condensed version is that it's incredibly time-consuming and complicated to become PCI-DSS compliant without hiring a specialist. At conichi, we’ve done the work and can provide a 100% guarantee that all payments handled via our virtual payment terminal are PCI compliant. The card details are never stored or shown without encryption, eliminating the risk of non-compliance.


To conclude, every traveler using Smarthotel services will have a GDPR & PCI DSS compliant stay from beginning to end. Our use of tokens to take payments through our payment provider, SumUp, is certified compliant under PCI-DSS. The encrypted data ensure your guests’ information remains protected, providing a safeguard from crippling fines. And for peace of mind, we will constantly amend our processes to be in line with ever-changing regulations, ensuring compliance on a continual basis.

Anna Kelly

Sales Manager