Credit Card Compliance: Marriott Credit Card Breach Lessons

Credit Card Compliance: Marriott Credit Card Breach Lessons

Last updated March 2023

Beginning as early as 2014, Starwood hotels, now owned by Marriott, experienced a massive credit card data breach reportedly at the hands of Chinese hackers. The data breach may have exposed the personal information of as many as 500 million guests of the hotel chain.

Impact of a Credit Card Breach

Once the news of this breach became public, the far-reaching costs began showing almost immediately.

According to Forbes, “The company now faces a class-action suit and shares have subsequently fallen 5.6%. On top of this, Marriott says for about 327 million victims, compromised data may include names, addresses and passport numbers — prompting Senator Chuck Schumer to demand that it "foot the bill" for new passports.”

Global Average Cost of a Data Breach in 2022

Not all costs of a security breach translate directly to a dollar amount. NBC News illustrates some of the other struggles companies face after their systems have been invaded.

“Aside from expensive technical investigations and regulatory filings, a breach also includes hidden costs such as lost business, negative impact on reputation, and employee time spent on recovery, according to a new report by the Ponemon Institute.”

The reputation hit is being felt in this example. Marriott didn’t acquire Starwood until 2016, in the midst of the breach. But in the eyes of the public, this fact doesn’t excuse Marriott from fault.

“In news reports, this is not Starwood’s data breach, but Marriott International’s,” says an article on the Internet Society. “Like any data breach, this incident will harm trust between the company and its customers.”

The same article explains why this happening on Starwood’s watch doesn’t matter.

“When Marriott International acquired Starwood and its data, they also acquired the risk associated with storing and handling that data. Digital security is a crucial part of a corporation’s bottom line, and security incidents can quickly become disastrous for a business.”

“Organizations can take steps that will significantly reduce the overall cost of a data breach. Things like having an incident response team, having the right governance process in place, having enabling technologies. All of these basic blocking and tracking activities makes a difference in terms of cost.”


What Should Merchants Know About Credit Card Security Standards

At Marriott’s size, the company will likely bounce back from this breach. Smaller businesses may not be so lucky. That’s why Payment Card Industry Data Security Standards (PCI DSS) exist.

These credit card compliance rules are intended to protect the sensitive card data that is used in processing a payment. Depending upon a company’s size, it must adhere to one of four PCI compliance levels.

The more transactions a company processes each year, the more stringent its credit card compliance burden becomes.

However, if a company is subject to a credit card breach, it may not be able to withstand the reputational losses companies like Marriott have experienced. This is especially true if the business in question relies on other businesses as clients. No management team will feel comfortable entering into a contract with a company that isn’t adequately protecting sensitive credit card data.

Visa pci compliance requirements

Information sourced from Visa

PCI Compliance Level

Level 1:

Merchants processing over 6 million Visa transactions annually across all channels.

PCI Requirements

Every year:

  • File a Report on Compliance {ROC) by a Qualified Security Assessor (QSA) or internal auditor if signed by an officer of the company.

  • Submit an Attestation of Compliance (AOC) form.

Every quarter:

  • Conduct a quarterly network scan by an Approved Scan Vendor (ASV).

PCI Compliance Level

Level 2:

Merchants processing 1 to 6 million Visa transactions annually across all channels.

PCI Requirements

Every year:

  • Complete a Self-Assessment Questionnaire (SAQ).

  • Submit an Attestation of Compliance (AOC) form.

Every quarter:

  • Conduct a quarterly network scan by an Approved Scan Vendor (ASV).

PCI Compliance Level

Level 3:

Merchants processing 20,000 to 1 million Visa ecommerce transactions annually.

PCI Requirements

Every year:

  • Complete a Self-Assessment Questionnaire (SAQ).

  • Submit an Attestation of Compliance (AOC) form.

Every quarter:

  • Conduct a quarterly network scan by an Approved Scan Vendor (ASV).

PCI Compliance Level

Level 4:

Merchants processing less than 20,000 Visa ecommerce transactions annually and all other merchants processing up to 1 million Visa transactions annually.

PCI Requirements

Every year:

  • Complete a Self-Assessment Questionnaire (SAQ).

  • Submit an Attestation of Compliance (AOC) form.

Every quarter:

  • Conduct a quarterly network scan by an Approved Scan Vendor (ASV).

Though scans are listed for every level of compliance, they are not required depending upon the Self Assessment Questionnaire (SAQ) each business must complete.

According to, regular scans are required for SAQ A-EP, SAQ B-IP, SAQ C, SAQ D-Merchant and SAQ D-Service Provider.

There are two instances where merchants are eligible for the simple SAQ A:

  • "Merchant website is entirely hosted and managed by a PCI-compliant, third-party payment processor, OR"

  • "Merchant website provides an iframe or URL that redirects a consumer to a PCI-compliant, third-party payment processor, where no elements of the page originate from the merchant website."

How to Manage Your Sensitive Credit Card Data

Along with the PCI requirements, there are more actions companies can take to protect cardholder data (minimizing the risks involved with accepting credit card payments).


Ensure business policies are sufficient to keep data safe and are in line with PCI data security standards. The policies and procedures should be kept as part of the company’s larger compliance management system.

They can be updated after issues by conducting a root cause analysis or can be audited and updated in larger segments as needed.

Many merchant service providers also host a PCI certification program for their merchants with national vendors like Trustwave and Security Metrics. These programs provide all the policy and procedure templates your business needs to pass credit card compliance standards.


Of course, setting PCI data protection policies within your company is necessary. But policies won’t be helpful if they aren’t being followed. Providing initial education and ongoing training opportunities to staff helps you to prepare your staff for properly handling sensitive cardholder data, including:

  • Cardholder names
  • Credit card numbers
  • CVV information


Merchants need to understand the burden their core account management software holds in regard to credit card data security. Account management software should be PCI-PA (payment application) compliant. If they are, credit card numbers can pass through their system to the payment processor. If their software isn’t compliant, then the merchants that use it aren’t compliant either.

As a business owner using third-party vendors for services, consider what your clients might ask about your credit card payment compliance.

Ask third-party payment processors what happens to credit card numbers once service is established. Credit card tokenization is the act of creating a placeholder (token) to represent each customer's credit card number. Merchants who only have access to a token will lose all recurring payment schedules created through that processor if they wish to leave.

If you want the freedom to switch merchant service providers without disrupting your day-to-day business, find payment processing software that maintains both credit card numbers and tokens.

How PDCflow Protects Its Integration Partners and Software Clients

PDCflow is serious about payment security. We offer the highest level of PCI compliance, which results in minimal hands-on work for PDCflow integration partners and direct software clients. Here are the ways we take on most of the credit card compliance burden, making businesses and consumer credit card data safe and secure.


PDCflow supports your credit card compliance by using a patented technology that protects both our clients and our software integration partners. Secure Entry Overlay technology eliminates merchant and software partner need for contact, transmission or processing of a credit card number.

PDCflow’s protected process provides a small data entry window that is directly connected to our PCI certified environment. This window is where a credit card number is entered. The ability to input card numbers directly into our PCI certified environment reduces our client’s PCI scope.

Our software integration partners gain the most protection. With Secure Entry Overlay, their software is completely eliminated from the scope of PCI compliance because it never touches a credit card number.


The highest level of PCI compliance is a costly and labor-intensive investment. PDCflow has taken on this burden so that taking credit card payments becomes safer for our customers. We use a third-party audit of our facilities, programming, and infrastructure performed by a professional certification auditor.

By maintaining Level 1 PCI DSS compliance, we ensure an extra level of protection for our clients and their consumers.


Our Flow technology keeps your business and consumers safe no matter where your staff is processing credit card payments. Your employees never see, hear, or touch cardholder data while remaining on the phone to take orders or payments.
PCI compliance is a dense subject with many angles to consider. Start with a quick overview of PCI compliance basics, check out our PCI compliance guide.
Learn more about how PDCflow Payments and Flow Technology can help your business collect payments through email and text while keeping your payment data secure. Set up a call with a PDCflow Payments experts today.

Schedule a Call:

Want to know more about PDCflow Software?

Press ▶️ to watch our explainer video

See how our Flow Technology can create a one-step workflow for your contracts/invoices and payments. Book a demo today.
Book Demo

Consolidate multi-step processes into one easy step for your staff and customers. Eliminate the need for multiple software vendors. Send all your business transactions in one Flow smart request.
Explore Flow Technology
Share this post!
Hannah Huerta - PDCflow Marketing Specialist
Hannah Huerta, Marketing Specialist

Hannah Huerta is a Marketing Specialist at PDCflow. She creates content for the accounts receivable and payment industry.

LinkedIn - Hannah Huerta

Related Articles
Guide On Charging Credit Card Convenience Fees
How Your Business Can Stay Cybersecure