Does anyone know if there is a solution to PCI compliance for online hotel booking sites which work on the basis of charging a deposit to the client's credit card (online) and then need to provide the hotel with the cc details securely so the hotel can either charge a further amount prior to arrival or a cancellation fee if necessary. If there isn't a solution, it looks like many of the big OTAs cannot be compliant if they use this model.
Alex, I see you made a posting on Travel Rants in 2009 where you mentioned that you may have a solution to this and would post it on your blog but this can no longer be accessed. I would be really grateful for any advice on this complex issue and if anyone knows of a consultant in this field who may be able to assist. Thanks.
It's not the OTAs that are not compliant but the hotels themselves. It's the ultimate responsibility of the company who has the merchant relationship with the bank to ensure that the card is sent to them in a PCI compliant way..... yes - some of the hotel booking systems do move card details around - but it isn't the OTAs that are not compliant....
Money should flow, not card details.
There is no simple solution! Complex solutions involve things like split payments (effectively having two merchant accounts on the same payment system) but if you are working with a lot of suppliers that doesn't really work at scale... (but might be worth looking at). Paypal have a split payment system for example...
Thanks for your reply Alex. Is there a way however of providing partner hotels (several hundred) the CVC code for their bookings so they can take payment in their normal way whilst complying with the PCI requirements? There are some online booking sites who say they are PCI compliant and are providing the hotels with CVC details online and then delete them after a couple of days - is this OK? Without the CVC code most hotels will always have to call the client directly which is far from ideal - especially when clients will have already inputted their details once already into a secure payment system. An alternative appears to be tokenisation, but can small hotels easily take the payment using this method or do they have to have an online merchant account as well?
No - there is no way of transferring the CVC code in a PCI compliant way! (caveat: using a computer)
Yes - the hotel sector is a right mess when it comes to PCI compliance.
Tokenisation is a solution but it only lets YOU charge the card again later. You can't send the token credentials to the hotel because you would also need to send the API credentials - and those are yours and are associated with your merchant account.
One way of solving this problem would be a central service used by booking websites and hotels - customer puts card details in once - and they are saved against the hotel AND the booking site's merchant accounts - and 2 tokens issued..... then either party can charge the card at their convenience. However that would need to be adopted by the HOTEL themselves if they wanted to work like this. I think many of them don't realise they are non-PCI-compliant....
Great opportunity for an entrepreneur here...
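To make the two points in the post above concrete (a token is only usable with the merchant credentials it was issued against, and a central vault could issue one token per merchant for the same card), here is a toy model of such a vault. It is an added illustration, not code from anyone in this thread or from any real payment provider; the class and method names are invented, and the "charge" step is a stand-in for a real acquirer call.

```python
"""Toy central card vault: one card entry, one token per merchant, CVC never stored."""
import hmac
import secrets


class CardVault:
    """Hypothetical vault shared by a booking site and its partner hotels."""

    def __init__(self):
        self.merchants = {}   # merchant_id -> API secret (credential held by that merchant only)
        self.cards = {}       # card_ref -> PAN and expiry (would be encrypted at rest in reality)
        self.tokens = {}      # token -> (merchant_id, card_ref)

    def register_merchant(self, merchant_id):
        secret = secrets.token_hex(16)
        self.merchants[merchant_id] = secret
        return secret

    def store_card(self, pan, expiry, cvc, merchant_ids):
        """Customer enters the card once; a separate token is issued to each merchant.
        The CVC may be used for the initial authorisation only and is deliberately
        not kept anywhere in the vault (PCI DSS forbids storing it after authorisation)."""
        if not (cvc.isdigit() and 3 <= len(cvc) <= 4):
            raise ValueError("CVC must be 3 or 4 digits")
        card_ref = secrets.token_hex(8)
        self.cards[card_ref] = {"pan": pan, "expiry": expiry}
        issued = {}
        for merchant_id in merchant_ids:
            token = secrets.token_urlsafe(12)
            self.tokens[token] = (merchant_id, card_ref)
            issued[merchant_id] = token
        return issued  # e.g. {"hotel-42": "<token>", "ota": "<token>"}

    def charge(self, merchant_id, api_secret, token, amount):
        """Only the merchant the token was issued to, using its own credentials, can charge."""
        expected = self.merchants.get(merchant_id, "")
        if not hmac.compare_digest(expected, api_secret):
            raise PermissionError("bad merchant credentials")
        owner, card_ref = self.tokens.get(token, (None, None))
        if owner != merchant_id:
            raise PermissionError("token was not issued to this merchant")
        pan = self.cards[card_ref]["pan"]
        # A real implementation would call the acquirer here; we return a masked receipt.
        return {"merchant": merchant_id, "amount": amount, "card": "**** " + pan[-4:]}
```

Forwarding the booking site's token to a hotel does nothing for the hotel, since the vault also checks the merchant credentials, which is exactly why each merchant needs its own token.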
that would need to be adopted by the HOTEL themselves if they wanted to work like this.
I'm going to add some extra requirements for your idea Alex - it is that the Customer can only be charged by one entity and not both, and really it needs to be a single transaction rather than multiple ones.
I've implemented a solution as you describe, where both the booking website and the vendor had the credit card information and could charge separately. This was for the very reason that the booking website did not want to store credit card details or pass them around (Keep in mind that an important problem with storing credit card info is that internal staff can potentially access them). In this scenario the booking website was charging a small service fee (something like £5).
What happens is that the customer gets their credit card statement and sees they've had 2 charges on their statement - one from the booking website of £5 and the other much larger amount from the vendor.
They then phone up their credit card company and say "there's been a mistake - I've had 2 charges but I only expected 1". Despite the fact that the booking website has said repeatedly on the website and in confirmation emails that they would be charging the service fee separately. Naturally, the credit card company refunds the £5 booking fee and the booking website does not get any money for providing a service. I can promise you this was happening a *lot* and costing the booking website an awful lot of money!
Back to my original requirement - the customer only expects to be charged by a single entity, and ideally in a single transaction. I can see how a central payment solution could solve what I'm describing above, but do you think hotels (and other vendors) would actually adopt this, given that they'd have to charge through it?
Right - and I've been wondering for years how such a model can still be tolerated.
Speaking also from first hand experience as a traveller who books lots of hotels on many different sites, I have seen my full credit card details including CVC fully printed out from the OTA platform at hotel receptions.
It's shocking. Sure enough, after a while I got a fraud transaction on my card and I had to block it.
I'm still wondering how banks, credit card companies, or industry bodies like PCI or anyone else are not taking any measures.