PCI compliance ensures short-term vacation rental businesses securely handle guest payments, protecting cardholder data and reducing fraud risks. Compliance with Payment Card Industry standards is essential for secure transactions and customer trust.
- What is PCI Compliance?
- Is OwnerRez PCI Compliant?
- Does my Short-term Vacation Rental Business have to be PCI Compliant?
- Attestation of Compliance for Self-Assessment Questionnaire A Documents
- How to complete the Attestation of Compliance for Self-Assessment Questionnaire A (AOC SAQ A)
- Third-Party Attestation of Compliance Documents
What is PCI Compliance?
The Payment Card Industry Data Security Standard (PCI DSS) is the global security standard designed for all entities that store, process, or transmit cardholder data and sensitive authentication data. This standard establishes a minimum level of protection for consumers and helps reduce fraud and data breaches throughout the entire payment ecosystem. PCI DSS applies to any organization, including small vacation rental businesses, that accepts or processes payment cards.
The PCI Security Standards Council (PCI SSC) is an international organization focused on continuously developing, enhancing, disseminating, and implementing security standards to protect account data.
Payment Card Industry Data Security Standard (PCI DSS) refers to the specific set of security requirements for protecting guest credit card data, while PCI compliance means adhering to those standards. Essentially, PCI compliance signifies that your short-term vacation rental business is following all the rules outlined in the PCI DSS to handle cardholder information securely. In simpler terms, PCI DSS is the standard, while PCI compliance reflects your business's data security processes that adhere to that standard.
Is OwnerRez PCI Compliant?
OwnerRez is fully Payment Card Industry (PCI) compliant and PCI certified, and our systems were specifically designed to align with PCI best practices. We encrypt and store credit card information the same way payment processors do, using the same secure protocols. Rest assured that when you use OwnerRez to gather guest credit card information via your OwnerRez hosted website or widgets, you are fully covered and PCI compliant.
What about OwnerRez partners? Partners that pass guest credit card details through our OLB (online booking) endpoint must themselves be PCI compliant in order to integrate with OwnerRez as channel partners.
Just know that OwnerRez has got you covered when it comes to the Payment Card Industry Data Security Standard (PCI DSS) and data backups. See OwnerRez's Privacy Policy for more security details.
Does my Short-term Vacation Rental Business have to be PCI Compliant?
Yes, all businesses that process payment cards must maintain PCI compliance, including short-term vacation rental companies. The level of self-assessment required for PCI compliance varies depending on how your business handles payments. For more information, read the PCI Security Standards Council (PCI SSC) Guide to Safe Payments.
Although your payment processor may request that you complete an Attestation of Compliance for the Self-Assessment Questionnaire (AOC SAQ), many small short-term vacation rental businesses may not need to undergo a full PCI compliance assessment or hire a PCI SSC Internal Security Assessor or Qualified Security Assessor to conduct it.
If your business operations meet the following criteria, as those of the majority of OwnerRez users do, you can complete the simpler Self-Assessment Questionnaire A and its Attestation of Compliance (AOC SAQ A) yourself.
- You accept only card-not-present transactions, which include e-commerce and mail/telephone orders. All guest account data processing is fully outsourced to a PCI DSS-compliant third-party service provider (TPSP) and payment processor.
- You do not electronically store, process, or transmit any account data on your systems or premises; instead, you rely entirely on the TPSP(s) to manage all of these functions.
- You verify that the TPSP(s) used are PCI DSS compliant for the services provided.
- Any account data that you retain is in paper form, such as printed reports or receipts, and these documents are not received electronically.
Attestation of Compliance for Self-Assessment Questionnaire A Documents
For the majority of small short-term vacation rental business owners, two documents are key to completing your Attestation of Compliance for Self-Assessment Questionnaire A.
It is essential to review both documents because the longer one offers a more detailed explanation of how to complete the shorter Attestation of Compliance (AOC). Unfortunately, the PDF versions are not fillable, so we recommend downloading the English DOCX version instead. The titles are confusing because they are similar and contain a lot of overlapping content, but let's review both.
- The Self-Assessment Questionnaire A and Attestation of Compliance is a 38-page document that provides detailed information about completing the Attestation of Compliance (AOC), which starts on page 9 of the PDF.
  - Self-Assessment Questionnaire A and Attestation of Compliance PDF (non-enterable)
  - Self-Assessment Questionnaire A and Attestation of Compliance English DOCX (enterable if you save first and then edit)
- The Attestation of Compliance for Self-Assessment Questionnaire A is the actual 12-page document to complete and submit.
  - Attestation of Compliance for Self-Assessment Questionnaire A PDF (non-enterable)
  - Attestation of Compliance for Self-Assessment Questionnaire A English DOCX (enterable if you save first and then edit)
How to complete the Attestation of Compliance for Self-Assessment Questionnaire A (AOC SAQ A)
Download and review the Attestation of Compliance for Self-Assessment Questionnaire A Documents.
Check out our AOC SAQ A examples for assistance in completing your own document.
Much of the Attestation of Compliance for Self-Assessment Questionnaire A (AOC SAQ A) is self-explanatory. We've included some helpful information and text below so that you can copy and paste it yourself into your AOC SAQ A document.
Section 1: Assessment Information
Part 1a details your business's contact information.
- Part 1b: Not Applicable
Part 2 is where you describe OwnerRez's role in your short-term vacation rental business.
- Part 2a: E-Commerce and No
- Part 2b text example:

| Channel | How Business Stores, Processes, and/or Transmits Account Data |
|---|---|
| OwnerRez | OwnerRez is PCI compliant and certified and securely encrypts and stores credit card information. |
| Any other third-party channels (e.g., QuickBooks, upsellers, etc.) that handle guest credit card information. | Brief description of how guest credit card information is handled. |
- Part 2c text example:
OwnerRez is a property management software designed for vacation rental businesses of all sizes. It enables short-term rental owners and property managers to securely accept card-not-present payments through the app.ownerrez.com endpoint. OwnerRez’s service (app.ownerrez.com) enables card-not-present payment transactions for vacation rental owners and property managers by connecting them to third-party payment processors (e.g., Stripe, Lynnbrook Group, etc.) to provide secure tokenized API service to process credit card transactions. The API code allows the cardholder details such as name, address, primary account number (PAN), card expiration date, and card validation value (CVV2, CVC2, CID) that are collected to be transmitted securely via HTTPS using TLS to OwnerRez. OwnerRez vaults cardholder data within a token vault database using strong encryption. For payment processing, cardholder data details (such as primary account number (PAN), card expiration date, and card validation value (CVV2, CVC2, CID)) are sent outbound to OwnerRez’s third-party payment processing partners via dedicated IPSec VPN tunnels or site-to-site VPN connections, which are contingent on the partner. Post authorization, only the status of the payment card transaction details and the token are stored in the databases for settlement processes. No Sensitive Authentication Data (SAD) is stored on any system components post-authorization.
- Indicate whether the environment includes segmentation to reduce the scope of the assessment. (Refer to “Segmentation” section of PCI DSS for guidance on segmentation.) Yes
- Part 2d: Not Applicable
- Part 2e: Not Applicable
- Part 2f:
  - Store, process, or transmit account data on the merchant’s behalf (for example, payment gateways, payment processors, payment service providers (PSPs), and off-site storage): Yes
  - Manage system components included in the scope of the merchant’s PCI DSS assessment (for example, via network security control services, anti-malware services, security incident and event management (SIEM), contact and call centers, web-hosting services, and IaaS, PaaS, SaaS, and FaaS cloud providers): Yes
  - Could impact the security of the merchant’s CDE (for example, vendors providing support via remote access, and/or bespoke software developers): No

| Name of service provider: | Description of service(s) provided: |
|---|---|
| OwnerRez | Provides secure card-not-present payments through the app.ownerrez.com endpoint. |
- Part 2g: For each response where Not Applicable is selected in this SAQ, complete Appendix C: Explanation of Requirements Noted as Not Applicable, located on page 34 of the Self-Assessment Questionnaire A and Attestation of Compliance.
  - Requirement 9 only applies if you store paper media containing guest cardholder information. See page 14 of the Guide to Safe Payments for more information.
  - If you store paper media containing guest cardholder information properly, select In Place.
  - If you do not store paper media, you can select Not Applicable for those requirements.

| PCI DSS Requirement | In Place | Not Applicable |
|---|---|---|
| Requirement 2 | ✓ | |
| Requirement 3 | ✓ | |
| Requirement 6 | ✓ | |
| Requirement 8 | ✓ | |
| Requirement 9 (see note above) | ✓ | |
| Requirement 11 | ✓ | |
| Requirement 12 | ✓ | |
- In Part 2h, check all to certify that you are eligible to complete this AOC SAQ A.
Section 2: Self-Assessment Questionnaire A
- Enter your self-assessment completion date in the yyyy-mm-dd format.
- Were any requirements in the SAQ unable to be met due to a legal constraint? No
Section 3: Validation and Attestation Details
- In Part 3 (PCI DSS Validation), select Compliant.
- In Part 3a, select all.
- In Part 3b:
  - Add your Merchant Executive Officer Name
  - Add your Signature
  - Add your Title
  - Enter the date of your Attestation in the yyyy-mm-dd format.
- Part 3c: Not Applicable
- Part 3d: Not Applicable
Third-Party Attestation of Compliance Documents
In all likelihood, you will need to send copies of the Attestation of Compliance documents for OwnerRez, your payment processor, and any other third-party partners or entities that accept guest credit card information on your behalf, along with your own Attestation of Compliance for Self-Assessment Questionnaire A (AOC SAQ A).
How do I find the Attestation of Compliance documents from the third-party partners or entities that accept guest credit card information on my behalf? Some third-party entities, such as Stripe, allow users to access and download the organization's Attestation of Compliance documents directly from their platform or account dashboard. Others must be contacted directly to obtain these documents; OwnerRez is one of those entities. If you need to obtain OwnerRez's Attestation of Compliance document, please contact us.