PCI Compliance and Online Reservations

INNspiring.com | Innkeeper Forum & Innkeeping Resources


JBloggs

Moderator
Joined
Oct 7, 2008
Messages
17,743
Reaction score
0
All the online reservation systems are requiring PCI compliance as are our own credit card processors, and so they are all following suit.
Does anyone have a better solution handling cc's, is anyone using the paypal method (where the user does not need to have a paypal account to use it)?
Was there anything mentioned at the PAII conference about this issue?
We are not allowed to store cc details on our desks, on our pcs nor certainly not in our email accounts. Is the emailing part of the card# the only solution? Most of us do not take payment in full. AT ALL. So if we are required to take the cc# now and that is that, how can we manage our bookings?
https://www.paypal.com/webapps/mpp/merchant <have a look at this
 

JBloggs

Moderator
Joined
Oct 7, 2008
Messages
17,743
Reaction score
0
PT - I think you use this option on rezkey, can you give us a little bit of info on it please
"Seamlessly integrates online reservations & credit card and PayPal payments with your existing website"

ONLINE PAYMENTS If you sign up for PayPal you can accept payments in one of 16 different currencies. We also support PayPal Payments Pro and Authorize.net. We fully integrate with Authorize.net so you can charge cards automatically within the system, and upon a reservation request. We also integrate with Authorize.net's CIM system so you can securely store credit card numbers on Authorize.net's servers. See our FAQ about this section.
 

Hillbilly

Well-known member
Joined
Oct 22, 2011
Messages
939
Reaction score
17
Joey, that is what I just got finished doing using Reservation Key. We are all set up and I have not had to type in a CC number for a month now. The system charges the cards with Authorize.net checks their card, charges it and then stores it for us to use later. I can then click one button and charge the balance. I recommend Authorize.net for sure. For people who are not sure what this is. It's really like having two credit card machines. One at your office and one online. We use NPC for our processing company and they are a retailer of Authorize.net. It was a lot cheaper going through our current process company than setting up a new account with Authorize.net. It's going to cost us about $25 bucks extra a month for this. The time saved I think is a no brainer.
 

egoodell

Well-known member
Joined
Jun 1, 2008
Messages
3,023
Reaction score
0
At this time at Availabilityonline they do not send me the info but they send me a link and I click on it and there is all the info that I need. I print out the reservation with all the cc info and keep it in my book until they come and after they stay I shred the paper. This way I don't have it in any of my computers. I don't want to get involved with Paypal or I'll be paying them as well as the cc processors.
I consider this safer than my guests' information being emailed.
RIki
 

Madeleine

Well-known member
Joined
Sep 29, 2011
Messages
7,990
Reaction score
0
Does ResKey have a secure server where they store the cc info or are they telling you they are no longer going to allow guests to enter cc info?
We don't collect the security code any longer but we do collect the cc data. Not stored here, not on my computer, not in my office. On someone else's secure server. (Secure, I hope, if not I'm not the only person who is going to have a problem.)
I run the card right away but the data is still there until the guest checks out.
This is really no different than any online shopping website. Except that we actually delete the cc info when the guest leaves. My cc info is on tons of different sites without my permission. It should not be stored unless I request it be stored for future purchases.
Have not looked into PayPal, but some really big retailers are now using it.
 

Hillbilly

Well-known member
Joined
Oct 22, 2011
Messages
939
Reaction score
17
We just got finished updating to the new rules. From doing this I have been told by several different companies that I should never be allowed to view a full credit card number. You guys might want to make sure of this. I no longer view any card numbers but the last 4 digits. It makes sense. What is secure about a site that I can still view credit card numbers? If the company you are using says they are compliant with the new rules and they are not. If they get shut down, you may not have access anymore to your card numbers.
 

egoodell

Well-known member
Joined
Jun 1, 2008
Messages
3,023
Reaction score
0
Bob said:
We just got finished updating to the new rules. From doing this I have been told by several different companies that I should never be allowed to view a full credit card number. You guys might want to make sure of this. I no longer view any card numbers but the last 4 digits. It makes sense. What is secure about a site that I can still view credit card numbers? If the company you are using says they are compliant with the new rules and they are not. If they get shut down, you may not have access anymore to your card numbers.
Availability online has been in business for about 20 years, so if they have to change something to be compliant I'm sure they will.
Riki
 

Madeleine

Well-known member
Joined
Sep 29, 2011
Messages
7,990
Reaction score
0
You can only view the last 4, but the full card number is present. If it was not present no one would ever be able to purchase anything online and no cc numbers would ever get stolen from online retailers.
If I can't see the card number when I need it, then I am going to call the guest and write the card number on a piece of highly secure paper that will lay around in my office until I get around to shredding it.
Makes no sense.
If I get an automated system that runs the card when the guest enters it, that automated system does not delete the first 12 digits. It blocks them from viewing, but they're present and waiting to be decoded. If not, no one would ever be able to collect a payment from a guest who didn't show up.
I agree that in large operations where lots of people are doing the guest bookings it is wise to have the numbers blocked. But there is nothing stopping anyone from writing the number down as they are entering it so the system still isn't theft-proof.
 

Hillbilly

Well-known member
Joined
Oct 22, 2011
Messages
939
Reaction score
17
If you use Authorize.net you don't need to view the card. You just click a little button that says. "Charge Card". Done! I don't need to view the card number. You can then use your CIM to refund if needed. Simple!
 

Hillbilly

Well-known member
Joined
Oct 22, 2011
Messages
939
Reaction score
17
Just be careful. A lot of software companies no longer want the hassle of trying to keep card info safe and are now making the customers have another company handle that for them. Kinda like what Reservation Key did. They now use Authorize.net to store the cards for them.
 

Madeleine

Well-known member
Joined
Sep 29, 2011
Messages
7,990
Reaction score
0
I will look into that, thanks.
 

Hillbilly

Well-known member
Joined
Oct 22, 2011
Messages
939
Reaction score
17
It will save you so much time! It has been a great upgrade! I was really confused on how the whole thing worked. It took me a little time to get set up. If you need anymore advice on this you are more than welcome to call me!
 

egoodell

Well-known member
Joined
Jun 1, 2008
Messages
3,023
Reaction score
0
Bob said:
Just be careful. A lot of software companies no longer want the hassle of trying to keep card info safe and are now making the customers have another company handle that for them. Kinda like what Reservation Key did. They now use Authorize.net to store the cards for them.
If this gets any more complicated I'm going to require they send the deposit in a check and pay the final with a credit card. I already have them send the tour deposits with a check. Going to a third party to hold the cc info - that has to be another percentage charge over the processing. And half the time these big companies get hacked anyway.
I'll have to wait and see.
RIki
 

Arks

Well-known member
Joined
May 22, 2010
Messages
6,209
Reaction score
243
Like Bob, we're using Reservation_Key and John at RezKey said we'd need to pay an extra $25/month to get the Authorize.net "CIM"...Customer Registration Manager. Here's what the Authorize.net website says about the CIM:
The Authorize.Net Customer Information Manager (CIM) allows you to store customers' sensitive payment information on our secure servers, simplifying your compliance with the Payment Card Industry Data Security Standard (PCI DSS) as well as the payments process for returning customers and recurring transactions.
So, the data is secured by Authorize.Net, not RezKey. To collect payments later, after the reservation is made, you click to do it in RezKey and RezKey tells Authorize.Net (where the full CC number is stored) to charge the card and put the money in our account.
Click the link below for more CIM info from Authorize.net
John at RezKey says he's in negotiations to get other, cheaper solutions that meet the requirements without the higher cost of the Authorize.Net solution.
http://www.authorize.net/solutions/merchantsolutions/merchantservices/cim/
 

Arks

Well-known member
Joined
May 22, 2010
Messages
6,209
Reaction score
243
Joey Bloggs said:
Was there anything mentioned at the PAII conference about this issue?
And no, this was not mentioned, at least at any of the lectures I attended.
 

Tx RH

Member
Joined
Aug 13, 2009
Messages
6
Reaction score
0
Joey Bloggs said:
Does anyone have a better solution handling cc's, is anyone using the paypal method (where the user does not need to have a paypal account to use it)?
https://www.paypal.com/webapps/mpp/merchant
<have a look at this
I have been doing this for my parent's B&B for a couple of years now. It allowed them to have guests pay by credit card without them having to handle the credit card processing. They don't get a lot of guests, as some of you do. I create the invoices via paypal and send them to the guests (email). The guest does not have to have a paypal account. We just get the email when they have paid.
They are the only B&B in their area that accepts credit card payment, so I think it has helped them get more bookings. They would rather not have the guests pay that way, as it does eat up 2.9% + $0.30. The B&B requires the first night paid to reserve the reservation. They can send a check or use paypal. If they cancel out far enough for our policies, paypal allows a full refund within 90 days. Otherwise, there is a transaction fee for that.
paypal also has a 20% reserve that they hold for 60 days.
I think it is fine for the limited times a month that I have to do it for them. If you do a bunch of credit card business, then it probably isn't for you.
 

Copperhead

Well-known member
Joined
Jun 24, 2008
Messages
5,968
Reaction score
0
This is very timely for me. I have been with Webers for years but due to many of the changes of late, I am testing other avenues - Res Key being one.
What I believe Webers does is store the first 12 digits on a different server, the last 4 and the other info is stored on the site. When you log in and request the remaining CC# it is sent via email and this is available in this method ANYtime until after the guest checks out. So NO need to store any data anywhere and it is PCI compliant because the complete number is not stored in one single location. (I think this is what most online companies do when you purchase repeatedly from them)
ResKey has just changed this part of their system. Now they only store the last 4 digits of the CC# and the system sends an email with the first 12 digits to you in an email upon booking. The difference is that ResKey only provides this data ONCE via email, it is not stored or available in any way on their system.
This was a problem with me today as I was not aware of this fact and thought it was like Webers & that I could get the data when I needed it anytime up until check-out - so I had not saved the emails. John was able to help solve my problem very quickly and I am now on the right track. (I did stress his need to update his help pages to include the new policy, one he will probably do very soon.)
How to keep PCI compliant using ResKey is to store the emails containing the 12 digits and then go to the system to pull the remaining info. This keeps everyone compliant as no one stores the entire card number.
One reason I am looking at other avenues is because I feel that the owners of Webers are working to get people to jump to one of their other systems, ones with online payments etc. This is NOT what I want to do & there are several reasons for that. In testing ResKey I was NOT pushed to use Paypal or Authorize, John suggested it in an email but that is that. He did not say I needed to do this and in speaking with him, I do not think he would be that bold as to say that is what I should (or must) do.
I have looked into Paypal and Authorize before (not recently, I admit) both were far more expensive to use and by using Authorize, you are then adding another layer to an already growing tier between your business and receiving your payment. In a world of K.I.S.S. this does not seem to do so, and more money never making it to your pocket. At the time I looked into paypal they had some very odd rules, like having to keep a balance and rules about how and when you could withdraw your money. Even if they have changed the rules, I do not feel comfortable using them for my business.
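
The storage rule this thread keeps returning to (no card numbers on PCs or in email accounts) can be checked mechanically. The following is an added example, not part of any post and not code from any vendor named here: a Python scan of saved message text for Luhn-valid card numbers and for bare 12-digit runs like the emailed "first 12 digits" described above. The sample message, the card numbers (standard test numbers) and all function names are constructed for illustration.

```python
import re

# A run of 12-19 digits, optionally grouped with single spaces or hyphens.
# The look-arounds stop the pattern from matching a slice of a longer digit run.
RUN = re.compile(r"(?<!\d)(?<!\d[ -])\d(?:[ -]?\d){11,18}(?![ -]?\d)")


def luhn_ok(digits: str) -> bool:
    """Return True if the digit string passes the Luhn checksum used by card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit, counting from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def classify(match_text: str):
    """Return (kind, masked) for a digit run, or None if it does not look card-related."""
    digits = re.sub(r"[ -]", "", match_text)
    if len(digits) == 12:
        # Heuristic (assumption of this example): a bare 12-digit run may be the
        # first 12 digits of a card. It cannot be checksummed, so it is only
        # flagged for manual review and is masked completely.
        return "fragment", "*" * 12
    if luhn_ok(digits):
        # Full card number: keep only the last four digits visible.
        return "pan", "*" * (len(digits) - 4) + digits[-4:]
    return None


def scan(text: str):
    """List (line_number, kind, masked_value) for every finding in the text."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for m in RUN.finditer(line):
            result = classify(m.group())
            if result:
                findings.append((lineno, result[0], result[1]))
    return findings


def redact(text: str) -> str:
    """Return the text with every finding replaced by its masked form."""
    def repl(m):
        result = classify(m.group())
        return result[1] if result else m.group()
    return RUN.sub(repl, text)


# Constructed sample: a saved booking email. 4111 1111 1111 1111 and
# 5500 0000 0000 0004 are widely published test card numbers, not real cards.
SAMPLE = """\
Subject: New booking, Rose Room, 2 nights
Guest entered card 4111 1111 1111 1111 exp 12/25
Card part for booking 88213: 550000000000
Phone 501-555-0100, confirmation 1234 5678 9012 3456
Balance due at check-in. Card on file ends 0004.
"""

if __name__ == "__main__":
    for lineno, kind, masked in scan(SAMPLE):
        print(f"line {lineno}: {kind} {masked}")
    print(redact(SAMPLE))
```

The phone number and the 16-digit confirmation number are left alone because they are too short or fail the checksum; a card number immediately followed by another digit group on the same line would be read as one longer run and missed.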
 

Joey Camb

Well-known member
Joined
Apr 2, 2010
Messages
4,793
Reaction score
0
Joey Bloggs said:
Does anyone have a better solution handling cc's, is anyone using the paypal method (where the user does not need to have a paypal account to use it)?
https://www.paypal.com/webapps/mpp/merchant
<have a look at this
From other forums I belong to I think if you are a very small operation ie one or two rooms or you are doing it more as a lifestyle business (this is not a criticism just a different way of doing business) then this could be a very cost effective way for you of doing business and taking cards. For example I know a lady who does BB occasionally in her spare room for extra cash this would be very handy for her as she could then take payment in advance. It is all about making it the best fit for you. Also for your parents it means they can offer taking cards when no one else does for a relatively inexpensive amount compared to hiring a machine and probably gives them a small edge. For myself I get a lot of business guests and they are restricted to paying on the company card for expenses purposes so I would lose a lot of business if I didn't. Also because I am a larger property I am VAT rated (you have to turnover more than a certain amount to have to pay this fun tax) but it means my guests if they are business ones can claim 20% back off their bill from the government in smaller places they can't which gives me an edge of charging the same price but really being 20% cheaper without actually having to do anything!
 

egoodell

Well-known member
Joined
Jun 1, 2008
Messages
3,023
Reaction score
0
Arkansawyer said:
Like Bob, we're using Reservation_Key and John at RezKey said we'd need to pay an extra $25/month to get the Authorize.net "CIM"...Customer Registration Manager. Here's what the Authorize.net website says about the CIM:
The Authorize.Net Customer Information Manager (CIM) allows you to store customers' sensitive payment information on our secure servers, simplifying your compliance with the Payment Card Industry Data Security Standard (PCI DSS) as well as the payments process for returning customers and recurring transactions.
So, the data is secured by Authorize.Net, not RezKey. To collect payments later, after the reservation is made, you click to do it in RezKey and RezKey tells Authorize.Net (where the full CC number is stored) to charge the card and put the money in our account.
Click the link below for more CIM info from Authorize.net
John at RezKey says he's in negotiations to get other, cheaper solutions that meet the requirements without the higher cost of the Authorize.Net solution.
http://www.authorize.net/solutions/merchantsolutions/merchantservices/cim/
There you go - another monthly bill. I was wondering what the charge for Authorize.net would be. I'm going over the edge and am considering seriously asking for deposit by means of check. I may be able to pull this off because I'm in a destination location and they want the wine tours. They already send checks for the wine tours outside my B&B that I pick up at. Of course if I get a no show I may have a problem.
RIki
 

Madeleine

Well-known member
Joined
Sep 29, 2011
Messages
7,990
Reaction score
0
I wonder if paying that means I don't have to pay the 'insurance' policy the cc processor bills me for every year?
 