PCI Proxy Service for Hospitality

January 1, 2019

Online Travel Agencies (OTAs) such as Booking.com, Expedia, etc. provide a web-based application programming interface (API) through which Property Managers, Channel Managers, hotels, and other hospitality services such as rental car companies retrieve booking information.

The retrieved booking information frequently contains credit card account numbers.

Goal

Comply with the Payment Card Industry Data Security Standard (PCI-DSS) requirements by removing the credit card account number from the Channel Manager’s data flow.

Solution

Auric's PCI-compliant Proxy4PCI option transparently tokenizes credit card data received from online travel agencies (OTAs).

  • Auric’s Proxy4PCI option transparently tokenizes OTA transactions. 
  • Credit card information is removed from the Property and Channel Manager’s data flow.
  • Removing credit cards from the data flow reduces the PCI compliance scope.
     

Data Flow

The Proxy4PCI option's tokenized data flow.

  1. The Channel Manager (or Hotel) sends an Online Travel Agency request to the Auric Proxy4PCI option looking for customer reservations.
  2. The proxy service forwards that request to the Online Travel Agency.
  3. The Online Travel Agency responds with booking information.
  4. The proxy service scans the response and sends all the plaintext credit card account numbers to the AuricVault® service.
  5. The AuricVault® service securely stores the credit card account number and returns an AuricVault® token to the Proxy4PCI option.
  6. The Proxy4PCI option replaces the credit card account number with the token, then returns the tokenized response to the Channel Manager.
  7. The tokenized data is retrieved by an individual hotel, B&B, lodging facility, or car rental agency.
  8. The hotel sends the token to the AuricVault® service and,
  9. receives back the original (detokenized) credit card account number.
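
Steps 4 to 6 of the flow above, sketched as an added example (not Auric's code or API): a proxy-side scan that finds Luhn-valid card numbers in an OTA response and swaps them for vault tokens. The `InMemoryVault` class, the `tok_` token format, and the sample response are assumptions made for illustration.

```python
import re
import secrets
import string

# Candidate PAN: 13-19 digits, optionally grouped by single spaces or dashes.
PAN_RE = re.compile(r"(?<!\d)\d(?:[ -]?\d){12,18}(?!\d)")

def luhn_ok(digits: str) -> bool:
    """Luhn checksum, used to skip booking ids and other long numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

class InMemoryVault:
    """Hypothetical stand-in for the vault service; not the AuricVault API."""
    def __init__(self):
        self._by_token, self._by_pan = {}, {}

    def tokenize(self, pan: str) -> str:
        if pan not in self._by_pan:
            # Letters only, so a token can never be mistaken for a PAN.
            token = "tok_" + "".join(secrets.choice(string.ascii_lowercase) for _ in range(24))
            self._by_pan[pan] = token
            self._by_token[token] = pan
        return self._by_pan[pan]

    def detokenize(self, token: str) -> str:
        return self._by_token[token]

def tokenize_response(body: str, vault: InMemoryVault) -> str:
    """Replace every Luhn-valid PAN in the response body with a vault token."""
    def swap(match):
        digits = re.sub(r"[ -]", "", match.group(0))
        # Leave non-card numbers (failed checksum) exactly as received.
        return vault.tokenize(digits) if luhn_ok(digits) else match.group(0)
    return PAN_RE.sub(swap, body)

# Constructed sample response using well-known test card numbers.
SAMPLE_OTA_RESPONSE = """<Reservation id="1234567890123456">
  <Guest>Test Guest</Guest>
  <Card number="4111111111111111" expiry="12/30"/>
  <Card number="5500 0000 0000 0004" expiry="01/31"/>
</Reservation>"""
```

The reservation id has 16 digits but fails the Luhn check, so it passes through unchanged while both card numbers are replaced.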

Security

  • Removing the credit card account numbers from the OTA response reduces the Channel Manager's PCI footprint.
  • Hotels, management services, and other hospitality vendors can use other Auric services to:
    • retrieve or process the credit card number securely within their facility.
    • pass the credit card number to client lodging facilities via an embedded iFrame.
    • convert the AuricVault® token to a specific payment processor's token using the Token Swap option.
    • process payments with the Payments Passthrough option.

NOTE: The Proxy4PCI option is in closed Beta. Please contact sales@AuricSystems.com to request access.

Technologies Used

  • Tokenization
  • Data Separation
  • Proxy4PCI option
