PCI Compliance and Online Reservations

23 replies [Last post]
Offline
Joined:
10/07/2008

All the online reservation systems are requiring PCI compliance as are our own credit card processors, and so they are all following suit.

Does anyone have a better solution handling cc's, is anyone using the paypal method (where the user does not need to have a paypal account to use it)?

Was there anything mentioned at the PAII conference about this issue?

We are not allowed to store cc details on our desks, on our pcs nor certainly not in our email accounts. Is the emailing part of the card# the only solution? Most of us do not take payment in full. AT ALL. So if we are required to take the cc# now and that is that, how can we manage our bookings?

https://www.paypal.com/webapps/mpp/merchant <have a look at this

__________________

Gluten free is never free. - Joey Bloggs

 

Offline
Joined:
06/24/2008

This is very timely for me. I have been with Webers for years but due to many of the changes of late, I am testing other avenues - Res Key being one.

What I believe Webers does is store the first 12 digits on a different server, the last 4 and the other info is stored on the site. When you log in and request the remaining CC# it is sent via email and this is available in this method ANYtime until after the guest checks out. So NO need to store any data anywhere and it is PCI compliant because the complete number is not stored in one single location. (I think this is what most online companies do when you purchase repeatedly from them)

ResKey has just changed this part of their system. Now they only store the last 4 digits of the CC# and the system sends an email with the first 12 digits to you in an email upon booking. The difference is that ResKey only provides this data ONCE via email, it is not stored or available in any way on their system.

This was a problem with me today as I was not aware of this fact and thought it was like Webers & that I could get the data when I needed it anytime up until check-out - so I had not saved the emails.  John was able to help solve my problem very quickly and I am now on the right track.  (I did stress his need to update his help pages to include the new policy, one he will probably do very soon.)

How to keep PCI compliant using ResKey is to store the emails containing the 12 digits and then go to the system to pull the remaining info.  This keeps everyone compliant as no one stores the entire card number. 

One reason I am looking at other avenues is because I feel that the owners of Webers are working to get people to jump to one of their other systems, ones with online payments etc.  This is NOT what I want to do & there are several reasons for that.  In testing ResKey I was NOT pushed to use Paypal or Authorize, John suggested it in an email but that is that.  He did not say I needed to do this and in speaking with him, I do not think he would be that bold as to say that is what I should (or must) do.   

I have looked into Paypal and Authorize before (not recently, I admit) both were far more expensive to use and by using Authorize, you are then adding another layer to an already growing tier between your business and receiving your payment.  In a world of K.I.S.S. this does not seem to do so, and more money never making it to your pocket.  At the time I looked into paypal they had some very odd rules, like having to keep a balance and rules about how and when you could withdraw your money.  Even if they have changed the rules, I do not feel comfortable using them for my business. 

Tx RH's picture
Offline
Joined:
08/13/2009

Joey Bloggs wrote:

Does anyone have a better solution handling cc's, is anyone using the paypal method (where the user does not need to have a paypal account to use it)?

https://www.paypal.com/webapps/mpp/merchant

 <have a look at this

I have been doing this for my parent's B&B for a couple of years now.  It allowed them to have guests pay by credit card without them having to handle the credit card processing.  They don't get a lot of guests, as some of you do.  I create the invoices via paypal and send them to the guests (email).  The guest does not have to have a paypal account.  We just get the email when they have paid.

They are the only B&B in their area that accepts credit card payment, so I think it has helped them get more bookings.  They would rather not have the guests pay that way, as it does eat up 2.9% + $0.30.  The B&B requires the first night paid to reserve the reservation.  They can send a check or use paypal.  If they cancel out far enough for our policies, paypal allows a full refund within 90 days.  Otherwise, there is a transaction fee for that.

paypal also has a 20% reserve that they hold for 60 days.

I think it is fine for the limited times a month that I have to do it for them.  If you do a bunch of credit card business, then it probably isn't for you.

 

Joey Camb's picture
Offline
Joined:
04/02/2010

From other forums I belong to I think if you are a very small operation i.e. one or two rooms or you are doing it more as a lifestyle business (this is not a criticism just a different way of doing business) then this could be a very cost effective way for you of doing business and taking cards. For example I know a lady who does BB occasionally in her spare room for extra cash this would be very handy for her as she could then take payment in advance. It is all about making it the best fit for you. Also for your parents it means they can offer taking cards when no one else does for a relatively inexpensive amount compared to hiring a machine and probably gives them a small edge. For myself I get a lot of business guests and they are restricted to paying on the company card for expenses purposes so I would lose a lot of business if I didn't. Also because I am a larger property I am VAT rated (you have to turnover more than a certain amount to have to pay this fun tax) but it means my guests if they are business ones can claim 20% back off their bill from the government in smaller places they can't which gives me an edge of charging the same price but really being 20% cheaper without actually having to do anything!

__________________

Don't mess with me today or I will kill you!!!!

 

Arks's picture
Offline
Joined:
05/22/2010

Joey Bloggs wrote:

Was there anything mentioned at the PAII conference about this issue?

And no, this was not mentioned, at least at any of the lectures I attended.

__________________

All saints can do miracles, but few of them can keep hotel. ~ Mark Twain

 

Arks's picture
Offline
Joined:
05/22/2010

Like Bob, we're using Reservation_Key and John at RezKey said we'd need to pay an extra $25/month to get the Authorize.net "CIM"...Customer Registration Manager. Here's what the Authorize.net website says about the CIM:

The Authorize.Net Customer Information Manager (CIM) allows you to store customers' sensitive payment information on our secure servers, simplifying your compliance with the Payment Card Industry Data Security Standard (PCI DSS) as well as the payments process for returning customers and recurring transactions.

So, the data is secured by Authorize.Net, not RezKey. To collect payments later, after the reservation is made, you click to do it in RezKey and RezKey tells Authorize.Net (where the full CC number is stored) to charge the card and put the money in our account.

Click the link below for more CIM info from Authorize.net

John at RezKey says he's in negotiations to get other, cheaper solutions that meet the requirements without the higher cost of the Authorize.Net solution.

http://www.authorize.net/solutions/merchantsolutions/merchantservices/cim/
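The flow described in the post above (the reservation system keeps only a reference and asks the processor, which holds the full number, to charge the card) can be modelled as follows. This is an added illustration, not code from Authorize.Net or Reservation Key: `ProcessorVault`, `ReservationBook`, the token format and the purge at check-out are assumptions of the example, and 4111 1111 1111 1111 is a constructed test number.

```python
import re
import secrets
import string

def luhn_ok(digits: str) -> bool:
    """Luhn checksum that payment card numbers satisfy."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:                      # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

class ProcessorVault:
    """Hypothetical stand-in for the processor's card store (not a real API)."""
    def __init__(self):
        self._cards = {}    # token -> full card number, held only on this side
        self.charges = []   # (token, cents) for every successful charge

    def store(self, card_number: str) -> dict:
        digits = re.sub(r"[ -]", "", card_number)
        if not (digits.isdigit() and 13 <= len(digits) <= 19 and luhn_ok(digits)):
            raise ValueError("not a valid card number")
        # Letters only, so a token can never be mistaken for a card number.
        token = "tok_" + "".join(secrets.choice(string.ascii_lowercase) for _ in range(16))
        self._cards[token] = digits
        return {"token": token, "last4": digits[-4:]}

    def charge(self, token: str, cents: int) -> bool:
        if token not in self._cards:        # deleted or never stored
            return False
        self.charges.append((token, cents))
        return True

    def delete(self, token: str) -> None:
        self._cards.pop(token, None)

class ReservationBook:
    """The innkeeper's side: keeps the token and last 4 digits, nothing else."""
    def __init__(self, vault: ProcessorVault):
        self.vault = vault
        self.bookings = {}

    def book(self, guest: str, card_number: str, deposit_cents: int) -> dict:
        ref = self.vault.store(card_number)  # card number is handed off, not kept
        self.vault.charge(ref["token"], deposit_cents)
        self.bookings[guest] = {"guest": guest, **ref, "paid": deposit_cents}
        return self.bookings[guest]

    def charge_balance(self, guest: str, cents: int) -> bool:
        booking = self.bookings[guest]
        ok = self.vault.charge(booking["token"], cents)
        if ok:
            booking["paid"] += cents
        return ok

    def check_out(self, guest: str) -> None:
        self.vault.delete(self.bookings[guest]["token"])   # assumption: purge on departure

def find_card_numbers(text: str) -> list:
    """Return digit runs (spaces or dashes allowed) that pass Luhn."""
    hits = []
    for m in re.finditer(r"(?<!\d)\d(?:[ -]?\d){12,18}(?!\d)", text):
        digits = re.sub(r"[ -]", "", m.group())
        if luhn_ok(digits):
            hits.append(digits)
    return hits

if __name__ == "__main__":
    book = ReservationBook(ProcessorVault())
    book.book("Guest A", "4111 1111 1111 1111", 12500)    # constructed test number
    print(find_card_numbers(repr(book.bookings)))          # nothing to find locally
    print(book.charge_balance("Guest A", 12500))
```

The same `find_card_numbers` scan can be pointed at saved emails or exported reservation notes to see whether a complete card number is sitting in them.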

egoodell's picture
Offline
Joined:
06/01/2008

Arkansawyer wrote:

Like Bob, we're using Reservation_Key and John at RezKey said we'd need to pay an extra $25/month to get the Authorize.net "CIM"...Customer Registration Manager. Here's what the Authorize.net website says about the CIM:

The Authorize.Net Customer Information Manager (CIM) allows you to store customers' sensitive payment information on our secure servers, simplifying your compliance with the Payment Card Industry Data Security Standard (PCI DSS) as well as the payments process for returning customers and recurring transactions.

So, the data is secured by Authorize.Net, not RezKey. To collect payments later, after the reservation is made, you click to do it in RezKey and RezKey tells Authorize.Net (where the full CC number is stored) to charge the card and put the money in our account.

Click the link below for more CIM info from Authorize.net

John at RezKey says he's in negotiations to get other, cheaper solutions that meet the requirements without the higher cost of the Authorize.Net solution.

http://www.authorize.net/solutions/merchantsolutions/merchantservices/cim/

 

there you go - another monthly bill. I was wondering what the charge for Authorize.net would be. I'm going over the edge and am considering seriously asking for deposit by means of check. I may be able to pull this off because I'm in a destination location and they want the wine tours. They already send checks for the wine tours outside my B&B that I pick up at. Of course if I get a no show I may have a problem.

RIki

__________________

Riki Goodell
Arcady Vineyard Bed & Breakfast
Arcady Vineyard Wine Tours
www.arcadyvineyard.com
Come! Let us show you the beautiful Monticello Appellation!

 

Offline
Joined:
08/04/2008

egoodell wrote:

 

there you go - another monthly bill. I was wondering what the charge for Authorize.net would be. I'm going over the edge and am considering seriously asking for deposit by means of check. I may be able to pull this off because I'm in a destination location and they want the wine tours. They already send checks for the wine tours outside my B&B that I pick up at. Of course if I get a no show I may have a problem.

RIki

 

Am I the only one who is seeing the irony on going back to taking checks??  I realize that you may have never taken checks as deposit, but the Inn I worked for took them as the deposits for YEARS. And Years. Just seems like the more we think we are moving forward, the more we are actually moving backwards....

egoodell's picture
Offline
Joined:
06/01/2008

Penelope wrote:

egoodell wrote:

 

there you go - another monthly bill. I was wondering what the charge for Authorize.net would be. I'm going over the edge and am considering seriously asking for deposit by means of check. I may be able to pull this off because I'm in a destination location and they want the wine tours. They already send checks for the wine tours outside my B&B that I pick up at. Of course if I get a no show I may have a problem.

RIki

 

Am I the only one who is seeing the irony on going back to taking checks??  I realize that you may have never taken checks as deposit, but the Inn I worked for took them as the deposits for YEARS. And Years. Just seems like the more we think we are moving forward, the more we are actually moving backwards....

 

 

Requiring checks for deposit will lose me customers, that is the only problem. That's why I have not gone to doing it for deposits. But I just might try. But many don't write them anymore - I have not in quite a while. Many will not take the time or effort to write it and mail it.

RIki

Offline
Joined:
08/04/2008

egoodell wrote:

Penelope wrote:

egoodell wrote:

 

there you go - another monthly bill. I was wondering what the charge for Authorize.net would be. I'm going over the edge and am considering seriously asking for deposit by means of check. I may be able to pull this off because I'm in a destination location and they want the wine tours. They already send checks for the wine tours outside my B&B that I pick up at. Of course if I get a no show I may have a problem.

RIki

 

Am I the only one who is seeing the irony on going back to taking checks??  I realize that you may have never taken checks as deposit, but the Inn I worked for took them as the deposits for YEARS. And Years. Just seems like the more we think we are moving forward, the more we are actually moving backwards....

 

 

Requiring checks for deposit will lose me customers, that is the only problem. That's why I have not gone to doing it for deposits. But I just might try. But many don't write them anymore - I have not in quite a while. Many will not take the time or effort to write it and mail it.

RIki


 

So, technically, the reservation isn't even complete until you not only receive the check, but deposit it AND it clears....I am not asking this to be a smart-aleck, but what if it doesn't clear? And the reservation date is this close (picture me putting my finger and thumb very close together) ? How would you go about filling that room 7 days away if it takes, realistically, 10, for you to get the check and have the funds clear?

egoodell's picture
Offline
Joined:
06/01/2008

Penelope wrote:

egoodell wrote:

Penelope wrote:

egoodell wrote:

 

there you go - another monthly bill. I was wondering what the charge for Authorize.net would be. I'm going over the edge and am considering seriously asking for deposit by means of check. I may be able to pull this off because I'm in a destination location and they want the wine tours. They already send checks for the wine tours outside my B&B that I pick up at. Of course if I get a no show I may have a problem.

RIki

 

Am I the only one who is seeing the irony on going back to taking checks??  I realize that you may have never taken checks as deposit, but the Inn I worked for took them as the deposits for YEARS. And Years. Just seems like the more we think we are moving forward, the more we are actually moving backwards....

 

 

Requiring checks for deposit will lose me customers, that is the only problem. That's why I have not gone to doing it for deposits. But I just might try. But many don't write them anymore - I have not in quite a while. Many will not take the time or effort to write it and mail it.

RIki


 

So, technically, the reservation isn't even complete until you not only receive the check, but deposit it AND it clears....I am not asking this to be a smart-aleck, but what if it doesn't clear? And the reservation date is this close (picture me putting my finger and thumb very close together) ? How would you go about filling that room 7 days away if it takes, realistically, 10, for you to get the check and have the funds clear?

We use check deposits for the tours and have not had any problems. We require the check in advance so it is deposited and cleared out enough that it would not matter. If it bounced we would not confirm the tour.  

But, it is no different to me than the person who cancelled at the last minute and cancelled their credit card so we could not charge them.

Plus, most people who book to stay at an inn that costs $250-$275 a night don't want a bounced check on their bank records.

Some inns here have been running on check deposits for years with far fewer problems than when they switched to cc deposits. And some required the FULL payment by check in advance. 

We don't usually take last minute bookings anyway as the weekend bookings include the wine tours which require shopping for fresh cheese and fruit. I only take them right now during the slow season until March.

RIki

Madeleine's picture
Offline
Joined:
09/29/2011

I wonder if paying that means I don't have to pay the 'insurance' policy the cc processor bills me for every year?

__________________

Every day, for good or ill, we intersect with someone else's story and become a part of it.

 

Hillbilly's picture
Offline
Joined:
10/22/2011

We just got finished updating to the new rules. From doing this I have been told by several different companies that I should never be allowed to view a full credit card number. You guys might want to make sure of this. I no longer view any card numbers but the last 4 digits. It makes sense. What is secure about a site that I can still view credit card numbers? If the company you are using says they are compliant with the new rules and they are not. If they get shut down, you may not have access anymore to your card numbers.

__________________

Hillbilly

 

Madeleine's picture
Offline
Joined:
09/29/2011

You can only view the last 4, but the full card number is present. If it was not present no one would ever be able to purchase anything online and no cc numbers would ever get stolen from online retailers.

If I can't see the card number when I need it, then I am going to call the guest and write the card number on a piece of highly secure paper that will lay around in my office until I get around to shredding it.

Makes no sense.

If I get an automated system that runs the card when the guest enters it, that automated system does not delete the first 12 digits. It blocks them from viewing, but they're present and waiting to be decoded. If not, no one would ever be able to collect a payment from a guest who didn't show up.

I agree that in large operations where lots of people are doing the guest bookings it is wise to have the numbers blocked. But there is nothing stopping anyone from writing the number down as they are entering it so the system still isn't theft-proof.

Hillbilly's picture
Offline
Joined:
10/22/2011

If you use Authorize.net you don't need to view the card.  You just click a little button that says. "Charge Card". Done! I don't need to view the card number.  You can then use your CIM to refund if needed. Simple!

Madeleine's picture
Offline
Joined:
09/29/2011

I will look into that, thanks.

Hillbilly's picture
Offline
Joined:
10/22/2011

It will save you so much time! It has been a great upgrade! I was really confused on how the whole thing worked. It took me a little time to get set up. If you need any more advice on this you are more than welcome to call me!

egoodell's picture
Offline
Joined:
06/01/2008

Bob wrote:
We just got finished updating to the new rules. From doing this I have been told by several different companies that I should never be allowed to view a full credit card number. You guys might want to make sure of this. I no longer view any card numbers but the last 4 digits. It makes sense. What is secure about a site that I can still view credit card numbers? If the company you are using says they are compliant with the new rules and they are not. If they get shut down, you may not have access anymore to your card numbers.

Availability online has been in business for about 20 years, so if they have to change something to be compliant I'm sure they will.

Riki

Hillbilly's picture
Offline
Joined:
10/22/2011

Just be careful.  A lot of software companies no longer want the hassle of trying to keep card info safe and are now making the customers have another company handle that for them.  Kinda like what Reservation Key did. They now use Authorize.net to store the cards for them.

egoodell's picture
Offline
Joined:
06/01/2008

Bob wrote:

Just be careful.  A lot of software companies no longer want the hassle of trying to keep card info safe and are now making the customers have another company handle that for them.  Kinda like what Reservation Key did. They now use Authorize.net to store the cards for them.

If this gets any more complicated I'm going to require they send the deposit in a check and pay the final with a credit card. I already have them send the tour deposits with a check. Going to a third party to hold the cc info - that has to be another percentage charge over the processing. And half the time these big companies get hacked anyway.

I'll have to wait and see.

RIki

Madeleine's picture
Offline
Joined:
09/29/2011

Does ResKey have a secure server where they store the cc info or are they telling you they are no longer going to allow guests to enter cc info?

We don't collect the security code any longer but we do collect the cc data. Not stored here, not on my computer, not in my office. On someone else's secure server. (Secure, I hope, if not I'm not the only person who is going to have a problem.)

I run the card right away but the data is still there until the guest checks out.

This is really no different than any online shopping website. Except that we actually delete the cc info when the guest leaves. My cc info is on tons of different sites without my permission. It should not be stored unless I request it be stored for future purchases.

Have not looked into PayPal, but some really big retailers are now using it.

egoodell's picture
Offline
Joined:
06/01/2008

At this time at Availabilityonline they do not send me the info but they send me a link and I click on it and there is all the info that I need. I print out the reservation with all the cc info and keep it in my book until they come and after they stay I shred the paper. This way I don't have it in any of my computers. I don't want to get involved with Paypal or I'll be paying them as well as the cc processors.

I consider this safer than my guests' information being emailed.

RIki

Hillbilly's picture
Offline
Joined:
10/22/2011

Joey, that is what I just got finished doing using Reservation Key. We are all set up and I have not had to type in a CC number for a month now. The system charges the cards with Authorize.net checks their card, charges it and then stores it for us to use later. I can then click one button and charge the balance. I recommend Authorize.net for sure. For people who are not sure what this is. It's really like having two credit card machines. One at your office and one online. We use NPC for our processing company and they are a retailer of Authorize.net. It was a lot cheaper going through our current process company than setting up a new account with Authorize.net. It's going to cost us about $25 bucks extra a month for this. The time saved I think is a no brainer.

Offline
Joined:
10/07/2008

 PT - I think you use this option on rezkey, can you give us a little bit of info on it please

"Seamlessly integrates online reservations & credit card and PayPal payments with your existing website"


ONLINE PAYMENTS If you sign up for PayPal you can accept payments in one of 16 different currencies. We also support PayPal Payments Pro and Authorize.net. We fully integrate with Authorize.net so you can charge cards automatically within the system, and upon a reservation request. We also integrate with Authorize.net's CIM system so you can securely store credit card numbers on Authorize.net's servers. See our FAQ about this section.
