Most online travel businesses pride themselves on the automation of their booking systems.
But for those who still use manual processes there could be a storm brewing – welcome to Payment Card Industry Data Security Standard.
This standard for credit-card security is not only international but also mandatory. Any business that accepts credit cards for payment is supposed to be compliant with a number of issues.
However, a few industry blogs have raised the issue in the context of online hotel booking agencies that use the reservation model.
It is suggested that some OTAs fax customer details to the hotel so that the hotel can use the credit-card details in order to charge a customer in the event that they cancel or are a ‘no show’ for their reservation.
The detail that is transmitted to the hotel contains all information required to charge a card, including the ID number found on the back of cards.
While there is no suggestion that an OTA’s website poses a significant security risk, the concern is what happens to the fax when it gets through to the reservation desk at the hotel.
PCI standards insist that for an OTA to be PCI compliant, it must ensure that all its hotel partners are as well.
Trying to track down any precise information from OTAs is difficult. Expedia confirmed that all its brands, including Hotels.com were compliant with ‘PCI DSS 1.1 requirements’, 1.1 being the most up-to-date version.
One would assume that checking a hotels’ PCI compliance was as much a part of the partnering process for OTAs as checking more obvious health and safety issues. And how many hotels use faxes as a business tool in the early 21st century?
Identity theft and credit-card fraud are big global issues for the e-commerce sector generally and OTAs give a high priority to the security of their payment processes.
But if a customer is on the receiving end of a fraud, convention says it’ll be the OTA and not ‘Fred’s B&B’ that will take the blame. For that reason, this issue is something that needs watching.