Our booking engine ‘Mews’ complies with the Payment Card Industry Data Security Standard (PCI DSS), a global information security standard designed to prevent fraud through increased control of credit card data. Organizations must follow PCI DSS if they accept payment cards from the five major credit card brands: Visa, MasterCard, American Express, Discover, and the Japan Credit Bureau (JCB).
The PCI DSS designates four levels of compliance based on transaction volume. Mews Commander uses Microsoft Azure infrastructure, which is certified as compliant under PCI DSS version 3.2 at Service Provider Level 1 (the highest volume of transactions—more than 6 million a year).
Similarly, Mews Merchant does not need its own PCI compliance certification because our payment gateway provider, Stripe, has been audited by a PCI-certified auditor and is certified to PCI Service Provider Level
When your profile is created, either when you make a reservation or when our reception team manually creates your profile for a reservation, you will receive a Profile Creation email leading you to the Mews Navigator app.
Navigator gives our guests full control over their data: you can view all personal information that has been shared with us, and request that it be either sent to you or deleted entirely.
Please note that these options are only available to you after you have physically stayed at The Cranleigh Boutique as your data is required for processing the reservation.
Our Mews booking engine doesn’t delete a guest’s personal data; that’s up to us at the Cranleigh Boutique. So if you, as a guest, request that your data be either sent to you or deleted, we’ll automatically be notified by an email letting us know of your request. We will then automatically clear your information from your customer profile in our booking engine system.
We have also appointed a data protection officer (DPO) to manage The Cranleigh Boutique & Hargeaves Enterprises data compliance. We are acquainted with our national DPA in case we need to report a data breach, and we are aware this must be done within 72 hours of becoming aware of the breach. In the case of a data breach, the DPO would be responsible for informing our customers.