Tasks that used to require the submission of online forms and activation by a Datatrans expert can now be carried out by PCI Proxy customers themselves in no time at all. From testing to going live – outside of office hours, from anywhere in the world.
Once activated, the PCI Proxy dashboard provides you with an intuitive control and monitoring tool for your projects. You can view your current traffic instantly. Invoices and contract data can be viewed at any time and once your payment method has been stored, payment of invoices will also be taken care of almost automatically. You can also integrate different users, create and manage projects, add new integrations or choose from 300 predefined integrations in just a few clicks.
Since its launch at the end of 2019, the PCI Proxy dashboard has already proved just how versatile it is. Customers appreciate the intuitive design, ease of use and quick overview. Over the coming months, Datatrans will be developing the dashboard further by adding more services and intuitive functions. Customers can benefit from a smart PCI Proxy ecosystem which is beautifully simple and able to grow with the needs of its users.
Datatrans PCI Proxy is the proven tokenization solution for simplifying PCI compliance. Sensitive credit card and other data (GDPR, HIPAA) are captured quickly and stored securely, without ever coming into contact with the customer infrastructure. The solution is a universal token that enables stored card data to be validated, debited, displayed or forwarded.
PCI Proxy was designed by Datatrans to meet the increasing requirements for secure online payment in a flexible way. The solution has been adopted by the main players within the market and is suitable for all sectors and any type of business. To find out more, go to pci-proxy.com
The Regulatory Technical Standards (RTS) on strong customer authentication in accordance with PSD2 come into effect on 14 September 2019. This new method for increasing the security of online payments not only affects banks and acquirers. Any business providing a mix of services will need to be on board in order not to put conversions and loyal customer relationships at risk.
In particular, online travel agencies (OTAs) that collaborate with multiple service providers but do not make direct disbursements to them will face a new challenge. From a purely legal perspective, they are not required to apply PSD2. Nevertheless, the new security procedure will affect their business model.
Here’s why: As a rule, OTAs bundle services from a range of merchants, such as hotels, airlines, car rentals and insurance companies. When a booking is made, they forward their customers’ payment information directly to the merchant or an agreed third party for settlement.
If an OTA opts out of PSD2, its customers will complete the booking process without completing 3-D Secure authentication in future. As a result, the merchants will have to send customers a separate payment link retrospectively to ensure that the 3-D Secure authentication is carried out and the payment can be made reliably, excluding the possibility of it being declined.
Of course, the OTA could also redirect its customers to the merchants’ own booking pages, or integrate and maintain their various payment gateways. However, this would come at the expense of the unified booking experience, with greater complexity and a negative impact on conversions. And it would also annoy and confuse those customers who prefer to book every aspect of their trip through one single provider.
Thankfully, help is at hand and OTAs that want to continue offering their customers a unified booking experience after 14 September can avail themselves of a simple solution with the new 3-D Secure Authentication Only method. This separates the 3-D Secure Authentication procedure from the payment authorisation and settlement. So the OTAs can carry out a single authentication process for all of their bundled service providers and send the authentication data along with the rest of the payment information to the merchants and third parties. The subsequent authorisations are handled as 3-D Secure transactions by the merchant.
In summary, by using 3-D Secure Authentication Only, OTAs can continue to let their merchants process payments through their own payment gateways, enabling 3-D Secure with all its associated benefits. OTAs can take advantage of stable processes and low costs, since they can spare themselves the expense of integrating and maintaining a range of external payment gateways. In addition, the user experience during the online booking and purchasing process is not impaired since the customer authentication only needs to be carried out once. As a result, the 3-D Secure Authentication Only method is a simple and future-proof way of implementing a range of different booking scenarios in the travel and hospitality industry.
The start-up Setoo, founded in 2018, offers insurance-as-a-service for online businesses. The young company does not make any compromises when it comes to security. Therefore, it decided on PCI Proxy to protect the sensitive card data of its clients’ clients. In our interview Jonathan Arad gives insights into their start-up experiences, risk mitigation from the earliest stage and their plans for the next steps.
Hi Jonathan! Would you give us a brief introduction about Setoo?
Jonathan Arad: Setoo is an award-winning insurance-as-a-service platform that offers personalized parametric insurance products to online businesses wishing to protect and cater to their customers’ concerns.
Through the Setoo platform, businesses can quickly and easily build and integrate parametric insurance products that are embedded into the customer journey and with compensation dispensed automatically.
As a start-up in a rapidly growing industry: How important is it for you to move fast and innovative – particularly given the fact of being confronted with a great deal of regulatory guidelines?
Jonathan Arad: Being fast and agile for any startup is a MUST. It is a key factor to success. For a startup in a heavily regulated domain such as insurance, Time To Market is a concern due to regulatory obstacles. This is why being innovative with finding the best solution to reduce to the bare minimum is required to meet the market at the earliest possible time and gain a competitive edge.
Becoming PCI compliant is a process that can be extremely complex, taking companies months, or even years to achieve. What was the main reason why you decided to use PCI Proxy to securely store payment data outside of your environment?
Jonathan Arad: When it comes to actuary, risk calculation, machine learning driven insurance products and pricing – we are the best there is! And we will always be the sole developers of our core IP. Having said that, a startup company who wants to be competitive, and act fast, does not develop each and every component of its solution, especially if it is not part of its core IP. In most cases, it will be faster, more cost effective and more professional to use off-the-shelf solutions for highly complicated components where other suppliers have domain expertise and mature solutions.
In this case, becoming PCI compliant by using PCI Proxy to securely store payment data was an easy choice. PCI Proxy allows us to offer an end-to-end air-tight solution to our clients at the earliest without compromising on security, scale, and quality.
How did you come across PCI Proxy?
Jonathan Arad: As we were facing the need to provide an end-to-end ‘main funnel’ payment solution to our customers, we hired a payment consultant agency who helped us build the payment architecture to meet our needs. This firm warmly recommended PCI Proxy from previous engagements and experience.
How was the overall integration process with PCI Proxy?
Jonathan Arad: The integration process was fast, friendly, and tailored to our needs. Throughout the integration process PCI Proxy’s response time was fast and professional making the integration process as easy as possible.
Insurance businesses, by their very nature, are there to protect customers from a wide range of risks. How important was it for Setoo to minimize its own risk and take a step towards greater security by externalizing sensitive payment data?
Jonathan Arad: Working with top clients as we do requires us to take no risk when it comes to one of the most sensitive issues – the payment method of our end users, our clients’ clients. Our clients expect nothing less from us than taking all measures in order to secure their clients’ payment method as well as to comply with all relevant legal and regulation requirements. A security breach will fracture the trust between our end users and our clients, and between our clients and us. And we take no risks when it comes to our end users’ / clients’ trust and safety. Working with PCI Proxy is an important piece of the Setoo generic platform. It allows us an end-to-end solution for a variety of flows and specifically main funnel payment and automatic payout flows.
In 2019 you won the newly created Insurance Times Claims Startup of the Year Award. A great award, congratulations! What did it mean to you and what can we expect from Setoo in the near future?
Jonathan Arad: Getting recognition as the ‘Startup of the Year’ is a great achievement and reward for the hard work we have been doing in the past 3 years – building an amazing insurance-as-a-service platform. But it's only the start, and it's putting us in the spotlight of strategic industry players not only in Europe but world-wide.
Being in the spotlight requires us to be disruptive and innovative and act fast in order to seize the many incoming opportunities.
Without exposing discreet inside information, I can share that in the near future Setoo will launch its service with a strategic travel player catering to tens of millions of travelers a year, and expand both in verticals and in territories.
Thank you, Jonathan, for taking the time for this interview.
Based in Iceland, Dohop provides, operates and supports the virtual interlining platforms of a number of partner airlines including the booking and payment processes. Our PCI specialists William Bouffard and Manfred Ferstl assessed their solution for compliance with PCI DSS.
William Bouffard looks back on the joint project: “Dohop takes the issue of security very seriously. Their software solution fully meets the strict requirements of PCI DSS and the documentation they maintain is exemplary. Thanks to their great work and the efforts Dohop put in externalizing sensitive credit card data using PCI Proxy’s universal vault solution, we could finish the assessment and certification project swiftly and successfully. Thank you both to Dohop and their service provider PCI Proxy for the pleasant cooperation”.
Petur Kristinn Gudmarsson, COO at Dohop: “We chose two strong and experienced partners for our PCI DSS certification project: usd AG as our assessor company and PCI Proxy as our tokenization provider. Thanks to our committed team and the professional, goal-oriented approach of our partners, our certification project went more than smoothly. We are proud to provide our customers with a product that meets the strictest security requirements”.
Mikkel Weber, Technical Account Manager at PCI Proxy, adds: “By using PCI Proxy Universal Vault solution, Dohop has taken another step towards greater security for sensitive customer data. Through the implementation of the solution, only tokenized data is accessed by Dohop’s systems during the payment process. This significantly reduces the number of systems that fall into the scope of a PCI DSS assessment. We are proud to make a contribution to strengthen the protection of sensitive data together with Dohop and usd AG”.
Nuvoy makes business trips simple: Users enter their destination and time of arrival, and the app plans the entire journey, from ordering an airport transfer to buying the flight ticket. Nuvoy is the latest mobility services provider to place its trust in Datatrans PCI Proxy. This innovative solution simplifies the PCI DSS certification process and makes it easy to process and share credit card data. Sensitive payment information is tokenised before it reaches the app, so the app only handles the token while the card data itself is stored securely. The universal tokens can be forwarded to all third-party providers in the mobility sector as well as to payment gateways for settlement.
Vacation Stay is an online marketplace for holiday accommodation, and is regarded as a sign of quality in Asia with more than 10,000 verified houses and apartments. To protect its customers' card details, Vacation Stay uses Datatrans PCI Proxy. Sensitive information sent by platforms such as booking.com is automatically converted into a token. The benefit of this solution is that Vacation Stay never comes into contact with the payment details, which remain stored in the secure Datatrans data centres. Vacation Stay simply stores a token, which can be settled automatically via any of the connected payment gateways at any time, thanks to its universal format. As a result, the holiday platform is protected against potential data theft. The business also reduces its costs and time spent ensuring PCI compliance to a minimum by never coming into direct contact with PCI data.
Mews, the cloud-based property management system (PMS), provides an open platform to support hotels and hostels with process automation, allowing them to focus on their guests.
Mews can be seen as the central nervous system of a hotel or hostel. Reservation information from all of the different channels such as Online Travel Agents (OTA), the hotel’s own bookings systems and concierge services flows into the Mews Commander.
Mews uses the Datatrans PCI Proxy to protect its customers’ sensitive information. The data transferred from reservation platforms is automatically filtered, and sensitive payment data tokenized before it even arrives at the Mews system. Mews only stores the token. All of the payment information is stored within the secure Datatrans data centres. Even when customers enter sensitive card information using the hotel’s own booking system or concierge app, Mews never receives any sensitive payment data directly. Once created, the token can be stored indefinitely and allows automated billing across all connected payment gateways thanks to its universal format.
Thus, Mews protects itself not only against potential data theft, but also minimises the costs and complexity of its own PCI compliance by ensuring that it never actually comes into contact with PCI data.
Apaleo was founded on its belief in speed – speed of development, speed of going to market, and speed of its ability to change the way that the hospitality industry works with technology. The company identified a lag in how hotels adopt new technology, caused by legacy technology that is slow to update and slow to integrate with other systems.
Apaleo set out to build a new, cloud-based property management system (PMS) with an API-first approach that would allow the system to seamlessly connect to any application that a hotel could want, need, or build, all in a matter of minutes. Check out apaleo.com.
Speed + Data Security
As apaleo mapped out its infrastructure, the team knew that, on the one hand, it should move fast, but, on the other hand, that it couldn’t make mistakes when it came to data security. PCI compliance was vital to apaleo to ensure its clients’ data was secure and to avoid fines and potential penalties for not meeting the laws and regulations.
Don’t waste resources
Becoming PCI compliant is a process that can be extremely complex, taking some companies months, or even years to achieve. In the past, companies looked to do this all in-house, which is a considerable drain on time and resources. New staff must be recruited, or existing employees must shift their focus away from other projects. Then the team must invest time to understand all the details about PCI compliance and its impact on the company’s systems, products, employees and overall infrastructure. Once the requirements are understood, the team must implement all of the requirements. And finally, after all of this is completed, it is time to start over again, since companies must be re-certified on an annual basis.
As a lean startup, apaleo did not see this as an ideal solution and searched for another way to achieve PCI compliance – the team had a product to build and wanted to focus on delivering key features and functionality. Knowing that its very own open API approach was all about connecting with specialists in their field, apaleo chose to find experts in the payments and PCI compliance field. It found Datatrans, which offered a team of experts, as well as PCI Proxy, a purpose-built PCI-compliance-as-a-service environment.
«PCI Proxy is exactly the right product for saving our guests’ payment information. And in terms of service quality, the partnership with Datatrans is flawless.»
Benjamin Schmid, Co-Founder @ apaleo
PCI compliance within days
apaleo built its entire PMS platform in less than nine months, something that has taken other companies many years to deliver. And, using Datatrans PCI Proxy, apaleo became PCI compliant in a matter of days.
PCI Proxy provided apaleo with out-of-the-box Level 1 PCI compliance that gets apaleo’s service to market fast and securely. It allows apaleo to connect and exchange payment data with any PCI-compliant service provider and payment gateway while PCI Proxy takes care of PCI compliance. All sensitive data is filtered and tokenised before it reaches apaleo’s software, ensuring apaleo’s systems never touch sensitive card data – reducing the PCI scope to a minimum.
Since apaleo’s launch, it has onboarded its first happy clients and has welcomed dozens of developers to develop on its platform, using apaleo’s public APIs. The company remains focused on moving fast and innovating, with speedy release cycles for new functionality and a plethora of new clients and partnerships in the pipeline.
In April 2020, Datatrans was once again inspected by an independent PCI auditor as part of the PCI DSS validation process. As a result our PCI DSS “Level 1” certification was renewed for another year. Thanks to an experienced technical team and smooth processes, the audit was also conducted successfully while subject to special measures due to COVID-19.
Benefits for merchants: our payment solutions and all operational processes have achieved the highest level of certification, so you can be assured of secure and PCI-compliant card data processing. Sensitive payment and authentication process data are stored, processed and transferred to relevant financial partners using the highest level of security.
Our annual certification is not just words on paper: PCI security guidelines are implemented rigorously by all Datatrans employees. That is how we fulfil our obligation to customers and credit card companies and reduce payment processing fraud to a minimum.
To sum up: as a reliable partner for merchants not wanting to come into contact with card data, we comply with all PCI DSS security checks. The benefits of working with Datatrans include the best protection, cost savings and reduced risks when handling sensitive data. We take care of data processing and storage – you just have a few validation questions to answer and checks to comply with. Your PCI requirements remain manageable, with low implementation effort.
PCI compliance in just a few steps with PCI Proxy:
• Integrated secure fields for processing card data.
• Customer-oriented shopping experiences via simple checkout solutions.
• Automatic filtering and tokenization of card details.
The International Air Transport Association (IATA) is the trade association for the world’s airlines, representing some 290 airlines. The aim of IATA is to promote the safe, scheduled and economic transport of people and goods. The New Distribution Capability (NDC) was launched in October 2012 in order to improve the efficiency and control of airline services.
NDC is a new standard for transferring data. It streamlines and improves communications between airlines and travel agencies. Many travel agencies still cannot access much more than simply ticket prices and flight schedules. Thanks to its standard format, NDC allows travel agencies access to the full range of what the airlines are offering.
Datatrans helps airlines as well as intermediaries and travel agencies within the NDC framework to minimise the complexity involved with PCI DSS. Compliance with the guidelines of the credit card industry is mandatory within NDC and thus guarantees data security. PCI Proxy converts the card data into what are known as tokens before they are received by the systems of an airline or travel agency. The card numbers are then stored by Datatrans in a virtual safe and can be retrieved when needed to pass them on to acquirers or other certified partners.