Many hotels provide concierge services which are available to book restaurant reservations, purchase theatre tickets, hire rental cars, etc. The concierge typically needs access to the guest's credit card account to perform these tasks.
Goal
- Securely store and retrieve guest’s credit card information.
- Do not store or process PCI-sensitive data on hotel servers.
Solution
Companies providing hotel operations systems and services integrate with the AuricVault® service as follows:
- The hotel’s operations service collects the credit card account number at check-in.
- The concierge retrieves data from the operations service using an embedded iFrame hosted on the AuricVault® Level 1 PCI Validated Service.
- The credit card account number is stored in the AuricVault® service, not on the hotel’s servers.
Data Flow
Concierge service data flow.
Concierge service has previously created AuricVault® tokens.
- The Concierge Web Service requests a session ID from the AuricVault® service.
- The AuricVault® service generates a one-time use session ID.
- The Concierge Web Service provides the session ID and the AuricVault® token to the user’s browser and passes the information to a secure iFrame hosted on Auric’s PCI compliant servers.
- The Secure iFrame sends the session ID and AuricVault® token to the AuricVault® service, and
- receives back the decrypted original credit card account number.
- The concierge uses the retrieved credit card data to purchase theatre tickets, book dinner reservations, etc.
Security
- Tokenization allows this data to be securely stored off-site and retrieved on demand (data separation).
- The front-end service that tokenizes the credit card has tokenize-only credentials. That service cannot retrieve cardholder data.
- The concierge service credentials can retrieve and also add new credit card account numbers (people sometimes want to use a different credit card).
- The back-end operations system logs which employees access which credit cards.
- The AuricVault® service tracks which credentials access which tokens.
Technologies Used
- Tokenization
- Data Separation
- Fine-grained access control
- Browser-side iFrame and JavaScript