Reminder: Upload your AoC for Booking.com

23. November 2017 in General

If you operate with Booking.com, you might receive credit card data via XML even if you are not PCI DSS compliant yet. This will change shortly, because Booking.com has set a deadline after which it removes all credit card details from the XML messages of the properties you connect to, unless you upload a valid PCI DSS Attestation of Compliance (AoC) or Self-Assessment Questionnaire D (SAQ-D), depending on the yearly volume of credit cards you process.

First things first, why do I have to upload an AoC?

PCI DSS and cardholder security are key for OTAs such as Booking.com and many other travel portals these days. Being PCI compliant means that a company has implemented a whole set of security measures to keep cardholder data secure. This also includes the requirement that a PCI-compliant company is not allowed to transmit cardholder data to a non-compliant company. Consequently, Booking.com is required to make sure that all connected partners that receive credit card data via XML comply with the same PCI regulations. Therefore, it is your obligation to prove your compliance with an Attestation of Compliance (AoC), the only official document recognized for PCI validation.

What happens, if I do not upload an AoC?

Booking.com has set deadlines and reminds every partner to upload the Attestation of Compliance (AoC). Failing to upload a valid AoC and ignoring Booking.com’s deadlines results in the removal of credit card data from the XML messages of the properties you connect to. That means that your customers will no longer be able to process credit card data directly (email below).

How can I get a valid AoC?

In order to receive a valid Attestation of Compliance (AoC) and show your PCI compliance to Booking.com, there are two approaches. Basically, it’s a Make or Buy decision, but the approaches behind it are extremely different. While the Make solution means that you still control and store all sensitive card data within your own environment, the Buy solution takes a different route and ensures that no sensitive card data ever touches your servers again.

Make: Build your own PCI-compliant environment:

The first one is to build your own PCI-compliant environment, document and report all PCI DSS relevant measures, and finally undergo a full PCI audit depending on the yearly volume of credit cards you process. Even if a Make decision comes at some expense and is not easy to implement, it can still make sense for some kinds of business. For instance, if you have other business units within a group structure that already maintain a PCI environment, or if you have organizational restrictions that do not allow software-as-a-service solutions.

Buy: Use a tokenization service to comply:

The other one is to use a tokenization-as-a-service solution that takes care of PCI compliance for you by shielding your servers from sensitive card data. You can then simply upload the Attestation of Compliance (AoC) of your provider to Booking.com. In other words, you bank on the PCI compliance of the tokenization provider to achieve PCI compliance yourself. This can be interesting for businesses that do not want to focus on PCI compliance but still want to keep customers’ credit card data secure. Booking.com and most other booking portals are familiar with such solutions and often promote them directly to support their partners in becoming PCI compliant.

Feel free to talk about your challenges and experiences when it comes to showing PCI compliance to Booking.com.

Insights: How startups deal with PCI

23. November 2017 in General

PCI DSS compliance and cardholder security is a topic travel-technology startups rarely speak about, not least because it’s challenging and involves time and money without immediate and tangible returns. No matter whether you are bootstrapping or backed by external funds, you should be very conscious about PCI compliance, because a breach will hit you not only financially but also at the reputation level. So it’s crucial for gaining customers’ trust and loyalty.

As a startup, there are basically two approaches to achieving PCI compliance. You can either build your own PCI-compliant environment from scratch or use a proxy tokenization solution as a service. More information about this make-or-buy decision can be found in our latest blog post.

Taking that into account, let’s find out how the startup Bookiply initially approached PCI DSS compliance, what was important for choosing a solution, and what made them trust PCI Proxy to keep their cardholder data safe. To that end, we had the pleasure to chat with Amélie, Product Manager at Bookiply.

Hi Amélie! Would you give us a quick introduction about Bookiply?

Amélie: Of course! Bookiply is a technology company, offering a channel manager tool for homeowners, property managers, and agencies in the vacation rental business. Bookiply’s product drastically simplifies online distribution and online bookings, reduces administrative tasks, and thereby saves precious hours of work per week. The service is currently available for clients with properties in European holiday destinations, with a focus on Spain, Italy and France. Bookiply has offices in Munich, Germany and Palma de Mallorca, Spain.

How did you initially get in contact with PCI DSS?

Amélie: Our business model involves working as a middleman between booking platforms and property managers or agencies which is how we got introduced to the topic of PCI DSS. As a channel manager we handle credit card data on behalf of property managers and agencies on a regular basis. Since we are connecting to more and more booking platforms, we have the need to receive and process credit card data in a secure environment. And obviously, we want to avoid facing penalties and fines for non-PCI compliance.

What approach did you use to become PCI compliant?

Amélie: We looked into the PCI compliance process and quickly realized that it would simply be overwhelming to deal with the sheer quantity of guidelines and requirements, as we are a young startup that needs to focus on its core business. That’s why we researched services and companies that could help us achieve the goal of PCI compliance without going through the compliance hassle ourselves.

Why did you decide against building your own PCI compliant environment?

Amélie: Certainly costs are a factor here, as your own PCI-compliant environment comes with a high price tag. In addition, our team is creating a product and service from scratch: i.e. we do have an almost unlimited backlog, but quite limited headcount. Therefore, it is extremely important for us to stay fast, agile, and focused on our core business and main priorities. So we decided to outsource the PCI compliance and hand over this delicate topic to the experts of PCI Proxy.

What were your main criteria for choosing a solid tokenization solution?

Amélie: Our most important criteria for our selection were: API quality, support, experience, and price.

Could PCI Proxy fulfill your needs or why did you decide for PCI Proxy?

Amélie: Overall, PCI Proxy is the perfect solution for protecting cardholder data. It simplifies the complexity of being PCI compliant and makes it easy for us to meet PCI security requirements. We had initially compared some other companies, and PCI Proxy seemed the best solution for us. They were promptly responding to all our queries within minutes. Apart from that, the overall integration was quite easy and the documentation was very precise and to the point.

Thanks to Amélie for taking the time for this short interview. If you would like to know more about PCI Proxy, just contact us. Cheers!

New fraud prevention feature

12. October 2017 in General

In order to check whether a credit card is valid, stolen or over its limit, it is still common practice to authorize a small amount (1 EUR), a so-called ghost authorization, prior to authorizing the actual booking or purchase. This important fraud prevention step allows verifying the account holder and provides information about the validity of the credit card. The only problem is that the authorization still shows up on the cardholder’s statement. As a result, it might cause confusion and suspicion among customers.

In order to avoid this confusion, the payment networks introduced an alternative way to check the validity of credit cards: authorizing a zero amount instead of an actual value. The main benefit is that such an authorization does not appear on the customer’s statement.

How does the “Credit Card Check” work?

If you want to check the validity of a credit card, simply send a zero-amount authorization request to our payment gateway (server-to-server) and we reply whether the credit card check was successful or not. In the background, we pass the request all the way through our acquiring partner, the card networks and the issuing banks within milliseconds. If successful, you can proceed on the premise that the credit card is valid. If not, just contact your customer and ask for clarification.
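To make the flow concrete, here is an added example of a merchant-side credit card check built as a zero-amount authorization. It is not PCI Proxy's code and does not use the real gateway API: the request field names, the response codes and the `FakeGateway` class standing in for the gateway-to-acquirer-to-issuer chain are all constructed for illustration. It shows the two things a practitioner most needs to get right on their side: the amount is pinned to 0 so the check can never degrade into a 1 EUR ghost charge, and the PAN is masked before anything is logged.

```python
# Added example (not PCI Proxy's code). Field names, response codes and the
# FakeGateway are constructed for illustration; the real gateway API differs.
import re
from dataclasses import dataclass


def luhn_valid(pan: str) -> bool:
    """Cheap local sanity check (Luhn mod-10) so that obvious typos never
    consume an authorization at the gateway."""
    digits = [int(c) for c in pan if c.isdigit()]
    if not 12 <= len(digits) <= 19:
        return False
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:                      # double every second digit from the right
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """PCI DSS 3.3-style masking: at most the first six and last four digits
    are ever shown, so a log line never contains a full PAN."""
    digits = re.sub(r"\D", "", pan)
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def build_check_request(pan: str, exp_month: int, exp_year: int,
                        currency: str = "EUR") -> dict:
    """Build the authorization message for the check. The amount is
    hard-coded to 0: a caller cannot accidentally turn the validity check
    into a charge that would show up on the cardholder's statement."""
    pan = re.sub(r"\D", "", pan)
    if not luhn_valid(pan):
        raise ValueError("PAN fails Luhn check; not sent to gateway")
    return {
        "type": "authorization",
        "amount": 0,                        # zero-amount authorization
        "currency": currency,
        "card": {"number": pan, "expiry_month": exp_month, "expiry_year": exp_year},
    }


@dataclass
class FakeGateway:
    """Constructed stand-in for gateway -> acquirer -> card network -> issuer.
    It only knows two outcomes an issuer would report: approved or expired."""
    now_year: int = 2017
    now_month: int = 10

    def authorize(self, req: dict) -> dict:
        if req.get("type") != "authorization" or req.get("amount") != 0:
            # anything but a zero amount is a real charge, not a card check
            return {"status": "rejected", "reason": "not_a_zero_amount_check"}
        card = req["card"]
        if (card["expiry_year"], card["expiry_month"]) < (self.now_year, self.now_month):
            return {"status": "declined", "reason": "expired_card"}
        return {"status": "approved", "reason": "ok"}


def check_card(gateway: FakeGateway, pan: str, exp_month: int,
               exp_year: int) -> tuple:
    """Run the check and return (card_ok, reason). Only the masked PAN is logged."""
    req = build_check_request(pan, exp_month, exp_year)
    resp = gateway.authorize(req)
    print(f"card check {mask_pan(pan)}: {resp['status']} ({resp['reason']})")
    return resp["status"] == "approved", resp["reason"]


if __name__ == "__main__":
    gw = FakeGateway()
    # constructed, Luhn-valid test numbers, not real accounts
    print(check_card(gw, "4111 1111 1111 1111", 12, 2030))   # (True, 'ok')
    print(check_card(gw, "4111 1111 1111 1111", 9, 2017))    # (False, 'expired_card')
```

With a real gateway the `FakeGateway.authorize` call becomes the server-to-server request described above; the rest of the module (Luhn pre-check, pinned zero amount, masked logging, a yes/no plus reason for following up with the customer) stays the same.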

In general, this type of service would require signing a contract with a payment service provider, which would be responsible for the technical processing of your request, as well as with an acquiring/merchant bank. By using the credit card check of PCI Proxy, you bank on our acquiring contract. And since we are already a payment service provider, an additional contract is not necessary.