Monday 20 October 2008

Do Hotels Understand Their Credit Card Responsibilities?

Over the past few weeks we've had a number of comments about online reservations companies providing credit card details, complete with the CVV number, to ensure that hotels can charge guests' accounts for bookings made on their behalf. We've even had a couple of irate hoteliers suggesting that this number must be provided to them by their online booking service provider. It would appear that any number of their third-party booking engines provide them with fax copies of this information to secure the booking.

Whilst this has been going on for some time, it is only a matter of time before someone gets their fingers very badly burnt. Hoteliers should check their merchant agreements; somewhere or other it will expressly forbid the storing of certain information.

A Card Verification Value code, CVV (CVV2 for Visa, CVC2 for MasterCard and CID for AMEX), is the (usually) three-digit number located either on the front or back of a credit or debit card. Merchants can request the CVV code from card holders as another way to screen fraudulent transactions; increasingly, and almost universally in the UK, it is now necessary for "customer not present" transactions. The idea is that someone using a stolen credit card is less likely to have this code, so they will be unable to complete the transaction. With most payment systems, you can adjust settings to automatically reject transactions where the CVV code does not match the card number.

The effectiveness of this code is limited by the ability to keep it out of the hands of hackers and thieves, which is why the PCI standards prohibit it from being stored. For merchants who charge customers on a recurring basis, the CVV code can be used with the initial transaction but cannot be stored for future transactions.
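As an added example, not code from the original post, the flow the two paragraphs above describe in Python: the CVV is passed to a simulated gateway for the one initial authorisation, a CVV mismatch is rejected, only a gateway token and the last four digits are retained for later charges, and a checker flags records such as booking notes or fax logs that still hold a CVV or a card number in the clear. The gateway, the test card number and the token format are constructed assumptions.

```python
import re
import secrets
from dataclasses import dataclass

# Constructed stand-in for a payment gateway: maps a test PAN to the CVV the
# issuer would verify. A real gateway returns a CVV match flag (M/N/U).
_FAKE_GATEWAY = {"4111111111111111": "123"}

@dataclass(frozen=True)
class StoredBooking:
    """What the hotel may keep after authorisation: no full PAN, no CVV."""
    booking_ref: str
    pan_last4: str
    gateway_token: str

def authorise(pan: str, cvv: str) -> dict:
    """Simulated 'customer not present' authorisation with CVV screening."""
    expected = _FAKE_GATEWAY.get(pan)
    if expected is None:
        return {"approved": False, "cvv_match": "U"}  # card unknown to gateway
    match = expected == cvv
    return {"approved": match, "cvv_match": "M" if match else "N"}

def take_booking(booking_ref, pan, cvv, reject_on_cvv_mismatch=True):
    """Use the CVV once for the initial authorisation, then discard it."""
    result = authorise(pan, cvv)
    if reject_on_cvv_mismatch and result["cvv_match"] != "M":
        raise ValueError("CVV mismatch: transaction rejected")
    # A gateway token (constructed here) stands in for the card on later
    # charges such as no-show fees, so neither PAN nor CVV needs keeping.
    return StoredBooking(booking_ref, pan[-4:], "tok_" + secrets.token_hex(8))

def luhn_ok(digits: str) -> bool:
    """Luhn check, used to tell a card number from other long digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

_PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")
_CVV_RE = re.compile(r"\b(?:cvv2?|cvc2?|cid)\b\s*[:=]?\s*\d{3,4}\b", re.I)

def contains_prohibited_data(text: str) -> bool:
    """Flag a stored record (booking note, fax log) with a CVV or clear PAN."""
    if _CVV_RE.search(text):
        return True
    return any(luhn_ok(re.sub(r"[ -]", "", m.group()))
               for m in _PAN_RE.finditer(text))
```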

The table summarises what is and isn't allowed, and under PCI compliance the penalties are likely to be punitive. Can you really afford not to be able to take credit and debit cards from your clientele? Search any number of PCI (Payment Card Industry) compliance sites and check what is and isn't allowed; it is your responsibility, and not knowing is going to be little comfort when the chargebacks start flowing in or the card company unplugs your PDQ machine without any warning.

Earlier this year ecommerce consultant Alex Bainbridge highlighted the issue in his blog, pointing out that two well-known hotel online travel agents (OTAs) were allegedly maintaining lax security on their customer credit card data. We've not mentioned the OTAs here, but the full article is available to read here.

"The problem outlined is a process problem not unique to how the two named agents operate. In essence the business process is as follows:

  • Customer makes online booking on an online hotel reservation website (or partner site)
  • The end customer gives their credit card information to the central website
  • The credit card details are transmitted (sometimes by fax) to the end hotel. The hotel can then use these credit card details in order to charge a customer in the event that they cancel or “no show” their reservation.
  • The detail that is transmitted to the hotel contains all information required to charge a card, including the ID number found on the back of cards.

So what is wrong with this? All companies that handle credit card information have to comply with the PCI (Payment Card Industry) credit card standards. Adherence to these standards isn't voluntary but mandatory. They are agreed by both Visa and Mastercard and are the industry standard.

  • Some of the expected standards can be found in the PCI Compliance document
  • The CVC2/CVV2/CID numbers are not permitted to be stored
  • Sensitive information must be encrypted during transmission over networks that are easy and common for a hacker to intercept, modify, and divert data while in transit (this includes fax machines)
  • Identify all users with a unique user name before allowing them to access system components or cardholder data (NOT generic usernames or one username per hotel)
  • Change passwords at least every 90 days
  • Physically secure all paper and electronic media (including computers, electronic media, networking and communications hardware, telecommunication lines, paper receipts, paper reports, and faxes) that contain cardholder data
  • Maintain strict control over the internal or external distribution of any kind of media that contains cardholder data including the following:
  • Classify the media so it can be identified as confidential
  • Send the media by secured courier or other delivery method that can be accurately tracked (this onus is on the sender, not the recipient - so the hotel booking agency can’t say that it is down to the hotel how they secure their incoming faxes)
  • Screen potential employees to minimize the risk of attacks from internal sources (unless the employee is a store cashier who only has access to one card number at a time)

If cardholder data is shared with service providers, then contractually the following is required:

  • Service providers must adhere to the PCI requirements (i.e. hotels must adhere)
  • Agreement that includes an acknowledgement that the service provider is responsible for the security of cardholder data the provider processes

The last standard is an interesting one... it seems to put the onus on the hotelier to adhere to PCI standards... so perhaps this is what the hotel OTAs are relying on.

Hoteliers and their service providers really need to take care to ensure that credit card security is taken seriously.

A more recent, UK-based article by the same ecommerce consultant, Alex Bainbridge, highlights two further areas of breach.

"PCI is a set of standards that define how you are permitted to hold and transmit credit card data. If anyone tells you their system is secure just because they have an SSL certificate they demonstrate that they don’t really understand how security works. PCI is much more than just an SSL certificate. Compliance is mandatory for any company handling credit card details (unless you decide not to handle credit card data - e.g. by using a 3rd party payment gateway).

Here are two more processes that travel companies do that will require the agent to be PCI audited:

  1. Agent takes credit card details from customer over the phone and, while customer is on the phone, places the card details into a supplier website
  2. Agent takes credit card details from customer and instead of charging the card they give the credit card details to a supplier (for charging directly at a later time)

The first process has become "common" (or acknowledged to take place, at the least) by agents who have been banned from selling Ryanair flights. Instead of using the agency credit card, the customer's details are placed on the Ryanair website, making it difficult for Ryanair to see that the booking is an indirect booking. However, this process would require the agent to be PCI compliant (which they are unlikely to be, for this situation)...

The second process is common in the hotel industry. The card details are often transmitted to the hotel for charging. This would require the agent and the hotel to be PCI compliant, e.g. you can't just "email" the card details to the hotel. Faxing is also problematic.

The onus is on the 3rd party. If you are a travel company that uses agents to send credit card data to you (on your behalf) then it is down to you to ensure your agents are PCI compliant.

The above is something which our tourism bodies really should be taking seriously. With e-commerce workshops being funded by Scottish Enterprise and Scottish Tourism Forum across the country, should we not be ensuring that PCI is placed firmly at the core of this training? It is not enough to get business e-commerce ready; they must do it with best practice and legally.

Is anyone grappling with the fact that much of the recommended e-commerce procedures being showcased are operating outwith PCI standards? It has become the norm and therefore no-one knows what to do about it; the result is nothing proactive happens."

As Alex states in finishing, "It will just have to take a 'big breach event' to bring this to everyone's attention."

The hotel industry in Scotland needs to recognise its responsibilities before one of their number is made an example of, and it will happen, sooner rather than later.