Proxy4PCI Service for Online Travel Agencies

January 1, 2019

Online Travel Agencies (OTAs) such as Booking.com, Expedia, etc. provide a web-based application programming interface (API) through which Channel Managers, hotels and other hospitality services such as rental car companies retrieve booking information.

The retrieved booking information contains credit card account numbers.

Goal

Comply with the Payment Card Industry Data Security Standard (PCI-DSS) requirements by removing the credit card account number from the Channel Manager’s data flow.

Solution

Channel Managers receive booking orders from multiple online travel agencies (OTAs) such as Booking.com, Expedia, Travel Advisor, etc. The returned order information contains credit card account numbers. The Channel Manager services need to remove the credit card account numbers from their data flow to meet PCI requirements.

ASI's Proxy4pci service addresses the Channel Manager's PCI security requirements. The Channel Manager's communications with the Online Travel Agency flow through the Proxy4pci service, which replaces the credit card account number with an AuricVault® token, thus removing the credit card account number from the Channel Manager’s environment. Our service then securely stores the data.

Before switching to the Proxy4pci service, the Hotel Channel Manager sent requests for new bookings directly to the Online Travel Agency. The responses had plaintext credit card account numbers.

The Proxy4pci service tokenizes the Online Travel Agency’s responses.

Data Flow


The Proxy4pci tokenized data flow.

  1. The Channel Manager (or Hotel) sends an Online Travel Agency request to the Auric Proxy4pci service looking for customer reservations.
  2. The proxy service forwards that request to the Online Travel Agency.
  3. The Online Travel Agency responds with booking information.
  4. The proxy service scans the response and sends all the plaintext credit card account numbers to the AuricVault® service.
  5. The AuricVault® service securely stores the credit card account number and returns an AuricVault® token to the Proxy4pci service.
  6. The Proxy4pci service replaces the credit card account number with the token, then returns the tokenized response to the Channel Manager.
  7. The tokenized data is retrieved by an individual hotel, B&B, lodging facility, or car rental agency.
  8. The hotel sends the token to the AuricVault® service and,
  9. receives back the original (detokenized) credit card account number.
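
Steps 4 to 6 (scan, store, replace) and the detokenization in steps 8 and 9, as an added sketch that is not Auric's code or the AuricVault® API. It assumes card numbers are found with a digit-run pattern plus a Luhn check; the in-memory vault, the `tok_` token format and the sample response are constructed for illustration.

```python
import re
import secrets

# Candidate PANs: 13-19 digits, optionally separated by single spaces or hyphens.
PAN_CANDIDATE = re.compile(r"(?<!\d)\d(?:[ -]?\d){12,18}(?!\d)")


def luhn_valid(digits: str) -> bool:
    """Luhn checksum; rejects booking IDs and similar digit runs that are not PANs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch) * (2 if i % 2 else 1)
        total += d - 9 if d > 9 else d
    return total % 10 == 0


class InMemoryVault:
    """Hypothetical stand-in for the vault service (steps 5, 8 and 9)."""

    def __init__(self):
        self._by_token = {}
        self._by_pan = {}

    def tokenize(self, pan: str) -> str:
        # Same PAN -> same token, so a card repeated in a response stays consistent.
        if pan not in self._by_pan:
            token = "tok_" + secrets.token_hex(8)  # constructed token format
            self._by_pan[pan] = token
            self._by_token[token] = pan
        return self._by_pan[pan]

    def detokenize(self, token: str) -> str:
        return self._by_token[token]


def tokenize_response(body: str, vault: InMemoryVault) -> str:
    """Steps 4-6: find Luhn-valid PANs in an OTA response and swap each for a token."""
    def swap(match: re.Match) -> str:
        digits = re.sub(r"[ -]", "", match.group(0))
        return vault.tokenize(digits) if luhn_valid(digits) else match.group(0)
    return PAN_CANDIDATE.sub(swap, body)


# Constructed sample OTA response; 4111111111111111 is a well-known test card number.
SAMPLE = ('<booking id="1234567890123"><guest>A. Guest</guest>'
          '<cc_number>4111 1111 1111 1111</cc_number></booking>')
```

A pattern scan like this can miss card numbers in formats it does not anticipate, so anything it fails to match would pass through to the Channel Manager in plaintext.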

Security

  • Removing the credit card account numbers from the OTA response reduces the Channel Manager's PCI footprint.
  • Hotels, management services, and other hospitality vendors can use other Auric services to:
    • retrieve or process the credit card number securely within their facility.
    • pass the credit card number to client lodging facilities via an embedded iFrame.
    • convert the AuricVault® token to a specific payment processor's token using the Token Swap option.
    • process payments with the Payments Passthrough option.

NOTE: The Proxy4pci service is in closed Beta. Please contact sales@AuricSystems.com to request access.
