Monday, 27 October 2008
Having been introduced to The Edge by The MacDonald Bros of X Factor fame, The Music Kitchen had no hesitation asking us to develop an online store integrated with our Claymore Content Management system when it came time to redevelop their website.
These facilities, along with a redesign of the website layout, addressed the areas in which the old website was lacking and ensure the website can be maintained in house well into the future.
Our Online Store software allows The Music Kitchen to sell their artists' albums worldwide and have card payments authorised in real time. Claymore integration means all important content can be updated on demand with our easy to use Content Management system. Also integrated with the website is a YouTube Channel allowing music videos, sample tracks and TV adverts to be uploaded.
Visit The Music Kitchen Website at www.themusickitchen.co.uk
Friday, 24 October 2008
Well known Kirkcaldy country house hotel, Dunnikier House Hotel, has this week gone live with Bookassist and has signed up to use both its Sitebuilder and TrafficBuilder products.
The Fife hotel, which is well known locally for the business and weddings markets, was recently taken over by Stewart Dykes, who also owns the Crusoe Hotel in Lower Largo on the East Neuk of Fife, and is benefiting from a series of upgrades to both the property and the marketing activity.
We sat down with Stewart and identified what was required of the new site and the need to start ensuring that the hotel website was used more effectively to market business and leisure stays.
The new site has been completely redesigned using Bookassist's Sitebuilder Pro and gives the hotel marketing and reservations team complete control over content, images and even a series of web 2.0 tools including a new blog.
The Bookassist booking engine is integral to the site and offers the reservations team control over availability and rate management that they've never previously had with other booking systems. And from the guest point of view, they can now be assured that if they visit the Dunnikier House Hotel website they will receive Best Available Rate - guaranteed!
The hotel is taking advantage of tools such as Google Picasa Gallery, which only enhances the website experience. It is also using the Bookassist Trafficbuilder programme to enhance its visibility on the search engines. This includes working with the account management team at Bookassist to make sure that search terms are appropriate, Google Adwords campaigns are managed appropriately and optimisation stays high priority.
Ian McCaig from the Bookassist office in Scotland was delighted to be working even more closely with the hotel, "The new website is a great example of what can be incorporated into a Web 2.0 hotel site and how Bookassist technology can become the driver for hotels' online marketing activities.
Increasingly we are seeing independent hotels the length and breadth of Scotland recognising the benefits of not only having a booking engine on their site but having a booking engine that has strong marketing support working alongside it. Bookassist provides this partnership support and in the current economic climate it is being seen as a major benefit by our accommodation partners."
Monday, 20 October 2008
Over the past few weeks we've had a number of comments about online reservations companies providing credit card details complete with the CVV number to ensure that hotels can charge guests' accounts for bookings made on their behalf. We've even had a couple of irate hoteliers suggesting that this number must be provided to them by their online booking service provider. It would appear that any number of their third party booking engines provide them with fax copies of this information to secure the booking.
Whilst this has been going on for some time, it is only a matter of time before someone gets their fingers very badly burnt. Hoteliers should check their merchant agreements; somewhere they will expressly forbid the storing of certain information.
A Card Verification Value code, CVV (CVV2 for Visa, CVC2 for MasterCard and CID for AMEX), is the (usually) three digit number located either on the front or back of a credit or debit card. Merchants can request the CVV code from card holders as another way to screen fraudulent transactions; increasingly, and almost universally in the UK, it is now necessary for "customer not present" transactions. The idea is that someone using a stolen credit card is less likely to have this code, so they will be unable to complete the transaction. With most payment systems, you can adjust settings to automatically reject transactions where the CVV code does not match the card number.
The effectiveness of this code is limited to the ability to keep it out of the hands of hackers and thieves, which is why it is prohibited by PCI Standards from being stored. For merchants who charge customers on a recurring basis, the CVV code can be used with the initial transaction but cannot be stored for future transactions.
The table summarises what is and isn't allowed, and under PCI compliance the penalties are likely to be punitive. Can you really afford not to be able to take credit and debit cards from your clientele? Search any number of PCI (Payment Card Industry) compliance sites and check what is and isn't allowed; it is your responsibility, and not knowing is going to be little comfort when the chargebacks start flowing in or the credit company unplugs your PDQ machine without any warning.
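The storage rule above can be enforced in software before a booking record is saved or passed on. The following is an added example, not code from this blog or from any booking engine: it drops the CVV from a record and masks card numbers to their first six and last four digits. The field names, the sample record and the masking format are assumptions made for the illustration.

```python
import re

# Key names below are assumptions for this example, not a real booking-engine schema.
CVV_KEYS = {"cvv", "cvv2", "cvc", "cvc2", "cid"}
# 13-19 digits, optionally separated by single spaces or hyphens.
PAN_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")
# A 3-4 digit value that follows a CVV-style label in free text.
CVV_TEXT_RE = re.compile(r"(?i)\b(cvv2?|cvc2?|cid)(\s*[:=]?\s*)\d{3,4}\b")


def luhn_ok(digits):
    """Luhn checksum: separates card numbers from other long digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch) * 2 if i % 2 else int(ch)
        total += d - 9 if d > 9 else d
    return total % 10 == 0


def mask_pan(match):
    digits = re.sub(r"\D", "", match.group(0))
    if not luhn_ok(digits):
        return match.group(0)  # e.g. a booking reference: leave untouched
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def scrub_text(text):
    text = CVV_TEXT_RE.sub(lambda m: m.group(1) + m.group(2) + "[REMOVED]", text)
    return PAN_RE.sub(mask_pan, text)


def scrub_booking(record):
    """Copy of a booking record that is safe to keep after authorisation."""
    clean = {}
    for key, value in record.items():
        if key.lower() in CVV_KEYS:
            continue  # the code is dropped entirely, never stored or forwarded
        clean[key] = scrub_text(value) if isinstance(value, str) else value
    return clean


# Constructed sample: 4111111111111111 is a widely published test card number.
SAMPLE = {
    "booking_ref": "1234567890123",
    "card_number": "4111111111111111",
    "cvv": "123",
    "expiry": "12/10",
    "notes": "Card 4111 1111 1111 1111 CVV: 123, late arrival",
}

if __name__ == "__main__":
    print(scrub_booking(SAMPLE))
```

The Luhn check keeps the 13-digit booking reference intact while both copies of the card number are masked. A card number written directly next to other digits in free text may be read as one longer number and missed, so free-text fields still deserve a manual review.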
Earlier this year ecommerce consultant Alex Bainbridge highlighted the issue in his blog, pointing out that two well known hotel online travel agents (OTAs) were allegedly maintaining lax security on their customer credit card data. We've not mentioned the OTAs here but the full article is available to read here.
"The problem outlined is a process problem not unique to how the two named agents operate. In essence the business process is as follows:
- Customer makes online booking on an online hotel reservation website (or partner site)
- The end customer gives their credit card information to the central website
- The credit card details are transmitted (sometimes by fax) to the end hotel. The hotel can then use these credit card details in order to charge a customer in the event that they cancel or “no show” their reservation.
- The detail that is transmitted to the hotel contains all information required to charge a card, including the ID number found on the back of cards.
So what is wrong with this? All companies that handle credit card information have to comply with the PCI (Payment Card Industry) credit card standards. Adherence to these standards isn’t voluntary - but mandatory. They are agreed by both Visa and Mastercard and are the industry standard.
- Some of the expected standards can be found in the PCI Compliance document
- The CVC2/CVV2/CID numbers are not permitted to be stored
- Sensitive information must be encrypted during transmission over networks that are easy and common for a hacker to intercept, modify, and divert data while in transit (this includes fax machines)
- Identify all users with a unique user name before allowing them to access system components or cardholder data (NOT generic usernames or one username per hotel)
- Change passwords at least every 90 days
- Physically secure all paper and electronic media (including computers, electronic media, networking and communications hardware, telecommunication lines, paper receipts, paper reports, and faxes) that contain cardholder data
- Maintain strict control over the internal or external distribution of any kind of media that contains cardholder data including the following:
  - Classify the media so it can be identified as confidential
  - Send the media by secured courier or other delivery method that can be accurately tracked (this onus is on the sender, not the recipient - so the hotel booking agency can’t say that it is down to the hotel how they secure their incoming faxes)
- Screen potential employees to minimize the risk of attacks from internal sources (unless the employee is a store cashier who only has access to one card number at a time)
If cardholder data is shared with service providers, then contractually the following is required:
- Service providers must adhere to the PCI requirements (i.e. hotels must adhere)
- Agreement that includes an acknowledgement that the service provider is responsible for the security of cardholder data the provider processes
The last standard is an interesting one…. it seems to put the onus on the hotelier to adhere to PCI standards…. so perhaps this is what the hotel OTAs are relying on.
Hoteliers and their service providers really need to take care to ensure that credit card security is taken seriously.
A more recent, UK-based article by the same ecommerce consultant, Alex Bainbridge, highlights two further areas of breach.
"PCI is a set of standards that define how you are permitted to hold and transmit credit card data. If anyone tells you their system is secure just because they have an SSL certificate they demonstrate that they don’t really understand how security works. PCI is much more than just an SSL certificate. Compliance is mandatory for any company handling credit card details (unless you decide not to handle credit card data - e.g. by using a 3rd party payment gateway).
Here are two more processes that travel companies do that will require the agent to be PCI audited:
- Agent takes credit card details from customer over the phone and, while customer is on the phone, places the card details into a supplier website
- Agent takes credit card details from customer and instead of charging the card they give the credit card details to a supplier (for charging directly at a later time)
The first process has become “common” (or acknowledged to take place, at the least) by agents who have been banned from selling Ryanair flights. Instead of using the agency credit card the customer’s details are placed on the Ryanair website - making it difficult for Ryanair to see that the booking is an indirect booking. However, this process would require the agent to be PCI compliant (which they are unlikely to be, for this situation)…..
The second process is common in the hotel industry. The card details are often transmitted to the hotel for charging. This would require the agent and the hotel to be PCI compliant. e.g. you can’t just “email” the card details to the hotel. Faxing is also problematic.
The onus on the 3rd party. If you are a travel company that uses agents to send credit card data to you (on your behalf) then it is down to you to ensure your agents are PCI compliant.
The above is something which our tourism bodies really should be taking seriously with e-commerce workshops being funded by Scottish Enterprise and Scottish Tourism Forum across the country should we not be ensuring that PCI is placed firmly at the core of this training. It is not enough to get business e-commerce ready; they must do it with best practice and legally.
Is anyone grappling with the fact that much of the recommended e-commerce procedures being showcased are operating outwith PCI standards? It has become the norm and therefore no-one knows what to do about it - the result is nothing proactive happens."
As Alex states in finishing "It will just have to take a “big breach event” to bring this to everyone’s attention."
The hotel industry in Scotland need to recognise their responsibilities before one of their number is made an example of, and it will happen, sooner rather than later.
Open Rooms offers small hotel and bed and breakfast owners full control over their website with our extensive content management system, The Claymore Project, which offers an RSS enabled news system, gallery, room rates and this integrates fully with our online booking engine Bookassist.
Control over Search Engine Optimisation has been advanced and full control over your Meta Tags is offered via your control panel.
You can see an example Sitebuilder Hotel Website by The Edge at www.golfviewhotelnairn.co.uk.
Following an in depth consultation Pebbles accepted our proposal to install our online store software which offers full management of the system via an easy to use control panel as well as:
- Unlimited category levels
- Multiple display layouts
- Cross selling and other promotion tools
- Voucher and multi buy discounts
- Fully customisable shipping zones and pricing
- Search Engine Optimisation and Integration with Google Base
The existing Pebbles website was seamlessly integrated with our Claymore Content Management System which allows easy update of text, images and search engine keywords on the website. This allows the company to take control of their website and ensure it is up to date with weekly changes.
In support of the website updates The Edge produced a number of updated brochure inserts allowing Pebbles to provide detailed and up to date information about the main products and services they wish to promote to enquiring customers.
Other supporting work was carried out including the creation and management of Google Sitemaps which are submitted to Google for inclusion in their index.
You can visit the Pebbles Spa and Leisure website at www.pebblesspa.com.
Sunday, 19 October 2008
Alstons are the main Valtra Tractor dealer for Ayrshire and Lanarkshire and their agricultural engineering business also provides maintenance and repair, used equipment sales and stores.
We advised installing our online store software and enabling the special catalogue mode which turns off the shopping cart and online purchase features. This solution allows Alstons to use the software's extensive content management capabilities and search engine promotion features and in the future simply enable the built in shopping cart to take orders with live online payments.
The news system is powered by Google Blogger which as well as integrating seamlessly into the website provides significant search engine benefits. Other Web 2.0 website features include submission to Google Base and Google Local.
You can visit the Alstons BC website at www.alstonsbc.co.uk.