Updated May 3, 2026

PCI DSS Compliance in Hotels

PCI DSS is the Payment Card Industry Data Security Standard that every hotel handling cardholder data must follow; the level of obligation depends on the merchant's transaction volume and the way card data flows through hotel systems.

What is PCI DSS?

The Payment Card Industry Data Security Standard, known as PCI DSS, is a global framework maintained by the PCI Security Standards Council and enforced by the major card networks. It defines a set of technical and operational requirements that any merchant storing, processing, or transmitting cardholder data must meet. For hotels, that scope is unusually broad: front desk terminals, the property management system, the booking engine, the channel manager, third-party calls for pre-authorisations, and even paper registration cards can all bring systems into PCI scope. Non-compliance can result in fines from acquiring banks, card scheme penalties, and in serious cases the loss of card-acceptance privileges.

How hotels approach PCI DSS

Hotels typically reduce scope by routing card capture through a tokenisation provider, so cardholder data never touches their own systems. The Self-Assessment Questionnaire that applies depends on this architecture. SAQ A covers fully outsourced e-commerce flows where the hotel never sees a card; SAQ A-EP covers partially outsourced e-commerce where the hotel's website affects the payment page; SAQ D is the broadest and applies whenever the hotel handles cardholder data directly, such as keying it into a PMS or storing it in folios. Sound data security design in hospitality pushes properties towards SAQ A wherever possible.

Key insight

Card data should never be entered into a WhatsApp chat, an email, or any other messaging channel. WhatsApp is not designed to be a PCI-scoped channel, and forwarding card numbers through it pulls the receiving inbox and any connected systems into full SAQ D scope, often unintentionally. The correct pattern is to send the guest a tokenised payment link from the PSP, which keeps the conversation channel out of scope while still allowing remote payments. This pairs naturally with GDPR-compliant messaging practices.

How Viqal relates

Viqal is engineered to stay outside PCI scope. The platform never asks for, stores, or transmits raw card data; instead, when payment is required during a guest journey, the AI Operator hands off to the hotel's chosen PSP via a hosted payment link. This keeps the messaging layer free of cardholder data and supports the hotel's preferred SAQ scope. Combined with Viqal's data processing agreement, properties can confidently extend automation across pre-arrival, on-stay, and post-stay moments without expanding their PCI obligations.

FAQ

Frequently asked.

01. Which SAQ applies to most independent hotels?

It depends on how card data flows. Hotels that fully outsource card capture to a hosted page typically fall under SAQ A. Those whose website influences the payment page may need SAQ A-EP, and any property that keys cards into its own PMS or stores them on file usually falls under the broader SAQ D. The acquiring bank confirms the applicable SAQ based on the merchant profile.

02. Can a guest send a credit card number on WhatsApp?

Technically a guest can type a card number into any channel, but the hotel must not request it that way and must not store or process it from the chat. The compliant approach is to send a payment link from the hotel's PSP, allowing the guest to enter card data on a secure hosted page. This keeps the WhatsApp channel out of PCI scope.

03. Is PCI DSS the same as GDPR?

No. PCI DSS governs the security of cardholder data, while GDPR governs the lawful processing of personal data of EU residents. The two frameworks overlap because cardholder data is also personal data, but they have different enforcement bodies, audit regimes, and sanctions. Hotels typically need to comply with both.

04. Who enforces PCI DSS for hotels?

PCI DSS is enforced contractually by the hotel's acquiring bank and the card schemes (Visa, Mastercard, American Express, Discover, JCB). The PCI Security Standards Council writes the standard, but compliance evidence is collected by the acquirer through SAQs or, for higher-volume merchants, by a Qualified Security Assessor.

05. Does using a tokenisation provider make a hotel automatically compliant?

Tokenisation greatly reduces PCI scope but does not eliminate it. The hotel still needs to complete the appropriate SAQ, maintain network security, train staff, and confirm that no cardholder data leaks into emails, voice recordings, or messaging tools. Tokenisation is a powerful control, not a substitute for the full standard.
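The "key insight" above and this answer both come down to the same control: confirming that no primary account number (PAN) has leaked into a chat, email or ticket that is supposed to be out of scope. The following is an added example, not code from the original page or from Viqal's product, of a small leak check a hotel could run over exported messaging or mailbox logs. It looks for 13- to 19-digit runs, keeps only those that pass the Luhn check (so booking references and phone numbers are not flagged), reports each hit with PCI-style masking (first six and last four digits), and can redact the text before it is stored anywhere. The sample messages are constructed and use publicly documented test card numbers, not real cardholder data; function names are this example's own.

```python
import re
from dataclasses import dataclass

# Candidate PAN: 13 to 19 digits, optionally separated by single spaces or
# hyphens, and not embedded in a longer digit run.
_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_valid(digits: str) -> bool:
    """Return True if the digit string passes the Luhn mod-10 check.

    Every card PAN passes Luhn; most reference numbers and phone numbers
    do not, which keeps false positives low.
    """
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


@dataclass
class PanHit:
    masked: str   # first six and last four digits kept, the rest starred
    start: int    # character offsets of the hit in the original text
    end: int


def find_pans(text: str) -> list[PanHit]:
    """Return every Luhn-valid PAN found in text, already masked."""
    hits = []
    for m in _CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if 13 <= len(digits) <= 19 and luhn_valid(digits):
            masked = digits[:6] + "*" * (len(digits) - 10) + digits[-4:]
            hits.append(PanHit(masked, m.start(), m.end()))
    return hits


def redact(text: str) -> str:
    """Replace each detected PAN with a marker so the text can be retained."""
    out = text
    # Work from the right so earlier offsets stay valid after each replacement.
    for h in sorted(find_pans(text), key=lambda h: h.start, reverse=True):
        out = out[: h.start] + "[CARD REDACTED]" + out[h.end :]
    return out


def scan_messages(messages: list[str]) -> list[tuple[int, str]]:
    """Return (message index, masked PAN) for every message that leaks a PAN."""
    return [(i, h.masked) for i, msg in enumerate(messages) for h in find_pans(msg)]


# Constructed sample chat export (not real data). The card numbers are the
# public Visa and American Express test PANs; the 16-digit booking reference
# fails Luhn and must not be flagged.
SAMPLE_MESSAGES = [
    "Hi, I'd like to pay the deposit now.",
    "Sure, here's my card: 4111 1111 1111 1111, exp 12/27",
    "Booking reference 1234567890123456, phone +31 20 123 4567",
    "Amex 378282246310005 should work too",
]

if __name__ == "__main__":
    for idx, masked in scan_messages(SAMPLE_MESSAGES):
        print(f"message {idx}: PAN leaked ({masked})")
    for msg in SAMPLE_MESSAGES:
        print(redact(msg))
```

A hit means the channel has already been pulled into scope; the follow-up is to remove the data from the inbox or chat archive, note the incident for the SAQ, and re-train the staff member to send a PSP payment link instead. Voice recordings need a different control (pause-and-resume or DTMF masking at the call platform), which this text-only check does not cover.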

06. Does Viqal store credit card data?

No. Viqal does not store, process, or transmit cardholder data. When a payment is needed, Viqal triggers a payment link from the hotel's chosen payment service provider, keeping the messaging layer entirely out of PCI scope.