Many industries handle and process card data, making them a natural target for hackers and cyber criminals. There is a simple solution to mitigate this risk – it is called Tokenization. With Tokenization, Complior takes responsibility for your sensitive data, without complicating the end-user experience. You never sit on any data that poses a security threat. Here is our latest case where we solved a major challenge for a Channel Manager.
Challenges in the Hospitality industry
The hospitality industry is the industry that is ranked the highest when it comes to risk of experiencing breaches, this according to the latest DBIR (Data Breach Investigations Report) conducted by the Verizon Risk Team. The criticism towards the hospitality industry stems from the fact that card data and personal information is usually stored in several places, and in general there has been a slow response rate to breaches.
There are three main categories of players in the hotel industry online in terms of the booking process:
Online Travel Agencies are the online booking sites, some of the major ones being booking.com, hotels.com and Expedia.
A Channel Manager allows properties to manage onlinemdistribution outlets, and makes sure that rates and inventory are kept up to date.
Hotels receive the booking information and payment.
The booking process
In a regular booking process, the booking message is sent from the OTA to the Channel Manager and then to the Hotels.
The nature of the booking process and flow of information means that Channel Managers handle and store a lot of sensitive data, including booking information, personal information and cardholder data. As a result, Channel Managers have to have a secure IT environment and be compliant with PCI DSS – to ensure that data is kept safe.
A Channel Manager
A Channel Manager in Italy who manages more than 3 500 properties contacted us in the spring with the challenge of becoming PCI DSS compliant. They prefered not having to invest in their own hardware and to only pay for what they needed. Our answer was Tokenization where their cost is based on the number of PANs stored.
Using Tokenization to outsource data
Handling and storing sensitive information means that companies have to be compliant to security standards such as PCI DSS and GDPR. Traditional tokenization services are used a lot in e-commerce, where cardholder information is removed and replaced with an indecipherable token.
For this particular Channel Manager, Complior delivered a customised service. We developed ready-to-use, simple API’s, meaning that the customer does not have to build systems or install servers. In this case, the solution was bigger than traditional tokenization since instead of sending only the card data to us, the OTA sends the whole booking message, and we replace the card information with a token ID that is then to the Channel Manager or the hotel. The card data is stored in our PCI DSS certified environment, putting the Channel Manager out of scope when it comes to compliance with PCI DSS.
Compliors Tokenization service for the Channel Manager has been a success. We process between 4000-5000 cards each day, and expect to process around 1.2 million cards this year. The solution has meant that the Channel Manager now meets security standards and has been able to continue to conduct business, and we have managed to significantly reduce the risk of breaches and theft of cardholder information.
Why use Tokenization?
Tokenization is being highlighted more and more in the industry. Tokenization means that sensitive cardholder information, such as credit card number, expiration date, and card name, are removed from your systems and replaced with a token. It is a simple and cost efficient way for companies who handle card data to reach compliance to security standards like PCI DSS – mainly because it puts you out of scope. There is no data to steal if you are targeted with an attack, because all of the data is stored in our PCI DSS certified environment.
How does it work?
A person makes a booking on an online travel agency site (OTA). The OTA sends the booking information, including card in clear text to our booking engine; the tokenization service. The booking engine replaced the card information with a token, which is sent to the Channel Manager. The Channel Manager sends the booking information to the hotel.
The hotel can also retrieve the card in case it is needed for payment.