What is PCI compliance?
PCI stands for Payment Card Industry. The Payment Card Industry Data Security Standard (PCI DSS) is a set of security requirements designed to ensure that every company that accepts, processes, stores or transmits payment card data maintains a secure environment. We review your compliance against the standards published by the PCI Security Standards Council.
To learn more about the standards, see the website of the PCI Security Standards Council: https://www.pcisecuritystandards.org/.
What is PII compliance?
PII stands for Personally Identifiable Information. We review your PII compliance against the data protection regulations of the European Union.
Why are PCI & PII compliance so important?
PCI DSS compliance is the market standard and common best practice in data security for companies that handle customers' payment card data (the primary account number and related cardholder data). From the smallest online merchant to the largest multinational corporation, PCI compliance is critical for every company that deals with customer payment cards, in order to protect both its customers and itself from the threat posed by online criminals.
We want to be sure that all our partners handle personal data and payment information securely and safely. We'll review your compliance with official regulations and industry standards.
What compliance and data security responsibilities do I have as a Booking.com Connectivity Partner?
As a party that handles sensitive PII and PCI data (personal information and payment card data) in the connectivity environment, you are responsible for complying with industry data security standards. Your company must attest annually that it complies with PCI DSS.
Note that in some cases you may be required to send us information that will be used to monitor compliance. This information will also help improve data security for all our partners.
Frequently asked questions
What documents are required from connectivity partners to attest PCI compliance?
The Attestation of Compliance (AoC) is required. You can obtain one by completing the applicable Self-Assessment Questionnaire (SAQ) on the Security Portal (https://pci.booking.com). Partners that process more than 300k transactions per year must instead obtain their AoC after an onsite assessment performed by an external auditor, that is, a Qualified Security Assessor (QSA); in that case the AoC accompanies the QSA's Report on Compliance (RoC). In some cases an additional passing external vulnerability scan report from an Approved Scanning Vendor (ASV) is also required.
To learn more about how to obtain an Attestation of Compliance (AoC), see the website of the PCI Security Standards Council: https://www.pcisecuritystandards.org/.
What is an Attestation of Compliance (AoC)?
The Attestation of Compliance is the document that states which Report on Compliance or Self-Assessment Questionnaire was completed and formally attests to your organization's PCI DSS compliance status.
What is a Self-Assessment Questionnaire (SAQ)?
The Self-Assessment Questionnaire is a self-validation tool for merchants and service providers that are not required to undergo an onsite assessment; it lets them assess the security of their cardholder data environment. The SAQ consists of a series of yes-or-no questions for each applicable PCI DSS requirement.
There are two components to the Self-Assessment Questionnaire:
- A set of questions corresponding to the PCI DSS requirements, designed for service providers and merchants.
- An Attestation of Compliance, in which you certify that you are eligible to perform the selected Self-Assessment and have performed it. The appropriate Attestation is packaged with the Questionnaire you select.
You can compare the different SAQ types at https://www.pcisecuritystandards.org/pci_security/completing_self_assessment
Partners that process more than 300k transactions per year must instead obtain their Attestation of Compliance (AoC) after an onsite assessment performed by an external auditor, that is, a Qualified Security Assessor (QSA).
How can I obtain an Attestation of Compliance (AoC)?
After the XML agreement is signed, connectivity partners receive credentials for the dedicated Security Portal (https://pci.booking.com). You can start by filling in the applicable online Self-Assessment Questionnaire (SAQ) on the portal; an AoC is generated once you complete the questionnaire. Alternatively, you can fill in an offline Self-Assessment Questionnaire (SAQ), which you can download from https://www.pcisecuritystandards.org/document_library
If our vendors are PCI compliant, aren't we?
No. Compliance does not transfer from your vendors to you. Your company must demonstrate its own PCI DSS compliance by completing the appropriate Self-Assessment Questionnaire, obtaining regular external vulnerability scans from an Approved Scanning Vendor (ASV) where your SAQ type requires them, and filing an Attestation of Compliance.
How can I attest PII compliance?
You can fill in the PII Letter online on the Security Portal (https://pci.booking.com). On the home page, select PII and answer the questions in the PII Letter. The PII Letter is only available online.
How can I access the Security Portal?
After you receive credentials from the connectivity support team, you can access the Security Portal at https://pci.booking.com.
What should I do if I don't know my username or password for the Security Portal?
Go to https://pci.booking.com, click "Need help?" and select the sign-in problem that applies to you. Alternatively, you can email firstname.lastname@example.org for assistance. Make sure the email includes your provider ID, the name of your organization and your registered email address.
How can I reset my user account password on the Security Portal?
Go to https://pci.booking.com, click "Need help?" and select "I don't know my password". Fill in your username and registered email address, and you will receive an email containing a new password. If no email arrives within 15 minutes, send an email to email@example.com for assistance.
How can I unlock my user account on the Security Portal?
Send an email to firstname.lastname@example.org for assistance. Make sure the email includes your provider ID, the name of your organization and your registered email address.
How often do we need to attest PCI and PII compliance?
You need to attest both PCI and PII compliance annually.
What should we do when we receive email reminders like “PII Partner Letter Expired” and “Booking.com PCI DSS SAQ Expire Notification”?
Log in to the Security Portal (https://pci.booking.com) and complete a new SAQ or PII Letter as soon as possible, before the previous AoC or PII Letter expires. Once the previous AoC or PII Letter has expired, you risk losing access to the relevant data.