The more sophisticated your property, the more sophisticated your payment processing systems might need to be.
What is important from a sales and business point of view is that you are able to accept the form of payment your customers want to use.
What matters from a privacy and data protection point of view is that data subjects are able to interact with you without fear of a breach of their personal data and a loss happening.
The consideration in the Payments page in the Short Let site applies here.
However the issue becomes more complicated as your level of administration increases. There’s even a name for this. It’s called “The Law Of Requisite Complexity”. It says that your business systems need to be only just complicated enough to deal with the processing at hand. Anything less and your business systems won’t cope. Anything more and you risk overcomplicating things.
Do payment systems for hotels need to be more complicated than those for smaller businesses? Well, no. They do the same things. From a customer point of view they will probably look exactly the same. However from an internal business point of view, you might want them to be connected and integrated into your business functions. They might be accessed by more employees, which means you have a greater responsibility for control.
It is this need for control that indicates the nature of your responsibilities under the GDPR. If you process payment card details, there is a risk. If you keep records of the numbers for any length of time, remember time itself is a risk factor. Modern card processing means there is no real need for keeping records of credit card details. Although there is one issue in hotels where there might be a problem.
Where do you store credit card details to guarantee bookings?