Concierge Service

March 3, 2019

Many hotels provide concierge services which are available to book restaurant reservations, purchase theatre tickets, hire rental cars, etc. The concierge typically needs access to the guest's credit card account to perform these tasks.

Goal

  • Securely store and retrieve guest’s credit card information.
  • Do not store or process PCI-sensitive data on hotel servers.

Solution

Companies providing hotel operations systems and services integrate with the AuricVault® service as follows:

  • The hotel’s operations service collects the credit card account number at check-in.
  • The concierge retrieves data from the operations service using an embedded iFrame hosted on the AuricVault® Level 1 PCI Validated Service.
  • The credit card account number is stored in the AuricVault® service, not on the hotel’s servers.

Data Flow

Concierge service tokenization dataflow

Concierge service data flow.

Concierge service has previously created AuricVault® tokens.

  1. The Concierge Web Service requests a session ID from the AuricVault® service.
  2. The AuricVault® service generates a one-time use session ID.
  3. The Concierge Web Service provides the session ID and the AuricVault® token to the user’s browser and passes the information to a secure iFrame hosted on Auric’s PCI compliant servers.
  4. The Secure iFrame sends the session ID and AuricVault® token to the AuricVault® service, and
  5. receives back the decrypted original credit card account number.
  6. The concierge uses the retrieved credit card data to purchase theatre tickets, book dinner reservations, etc.

Security

  • Tokenization allows this data to be securely stored off-site and retrieved on demand (data separation).
  • The front-end service that tokenizes the credit card has tokenize-only credentials. That service cannot retrieve cardholder data.
  • The concierge service credentials can retrieve and also add new credit card account numbers (people sometimes want to use a different credit card).
  • The back-end operations system logs which employees access which credit cards.
  • The AuricVault® service tracks which credentials access which tokens.

Technologies Used

  • Tokenization
  • Data Separation
  • Fine-grained access control
  • Browser-side iFrame and JavaScript

Have Questions?

Contact Us

1,000 character limit.

By submitting your name, email address, phone number, and message, you are permitting us to contact you by these means in response to your inquiry or feedback. You also acknowledge that you have read our Privacy Statement and that you consent to our processing data in accordance with it.