The complexity of the tourism industry and compliance with regulations

Compared to other types of activities where compliance can be addressed in a more individualized manner, such as the e-commerce sector, in the tourism sector there are a large number of players who all have their share of responsibility. Let’s look at the case of a hotel and analyze the main flows.

A hotel must comply with PCI DSS. This is simply a fact, and the reason is very simple: hotels hold contracts with banks acting as their acquiring bank, from which they obtain merchant codes in order to charge for their services, mainly the stays we book with them.

When a hotel has to address the PCI DSS standard, the first thing to do is to analyze the flows through which its customers’ card data circulate. This is where the situation becomes more complicated than in a classic e-commerce business.

Main flows of hotel card data:

  • Direct sales through the hotel’s own website
  • Reservations coming from OTAs where the card arrives, either to process the payment or to hold the card as a guarantee
  • Face-to-face payment at the hotel, at check-in or check-out depending on the hotel’s procedures
  • Assisted sales through the call center
  • Card retrieval to process no-shows, and so on

In order to ensure its own compliance, the hotel must also ensure that the players it works with are compliant, since the cards with which it ultimately charges its guests’ stays may pass through each of these companies, or, as the PCI DSS standard calls them, service providers.

So, given that compliance is unavoidable, what is the best strategy for these service providers? From a service-minded perspective, the ideal is to approach compliance in a way that makes the hotel’s life easier.

Under this premise, there are two actors that can really help the hotel sector simplify its compliance: the Channel Managers and the PMS. Of the two, the Channel Managers are especially well placed, since the nature of their business allowed them to move to the Cloud earlier and to offer their products genuinely as a service, before the PMS vendors did.

The Channel Manager, as a concentrator of many booking channels, handles a very high percentage of the cards that a hotel must manage. It is therefore in a position to intercept these cards, store them on the hotel’s behalf, and prevent them from ever entering the hotel’s own systems, simplifying part of the establishment’s PCI DSS compliance.

Finally, through integrations with the PMS and with payment gateways, it is possible to complete the payment process without the card ever reaching the hotel, and in many cases without it ever being visible to the hotel staff.

It is precisely this strategy that Hitt Group (Dingus) has chosen for PCI DSS compliance: Book&Payment collects the booking cards and, before they are passed on to the hotel, they are tokenized, delivering tokens but, under no circumstances, bank card details…

Book&Payment takes care of the safekeeping of its clients’ cards in accordance with PCI DSS, and through Book&Payment itself payments can be processed directly with various payment gateways, without the hotel’s systems or staff ever handling the card data. In this way it simplifies one of the hotel’s card entry channels, and with it compliance with the standard.

For our part, we believe this is the way forward. Rather than tackling the standard in an individualized way, which may seem easier a priori, we prefer to tackle it from the perspective of interrelated services, looking globally for solutions that protect the card along its entire path. Besides helping the various stakeholders achieve and maintain compliance, this vision also represents a significant improvement in security.

It is easy to see that a single database of encrypted cards serving the entire flow is not the same as the Channel Manager, the PMS and the payment gateway each keeping their own database: that means three different locations where an attacker can go looking for the same information, and three times the chance that someone makes a mistake and ends up exposing this sensitive data.