Comments on: Lack of credit card security when booking hotels online http://www.travel-rants.com/2009/03/30/lack-credit-card-security-booking-online/ Sun, 29 Jan 2012 01:52:48 +0000 hourly 1 http://wordpress.org/?v=3.3.1 By: Itamar http://www.travel-rants.com/2009/03/30/lack-credit-card-security-booking-online/#comment-162722 Itamar Wed, 31 Mar 2010 10:41:06 +0000 http://www.travel-rants.com/?p=3524#comment-162722 Hi Darren, The security flaws should definitely be taken care off, but one point to keep in mind from a consumer perspective: "They are protected by the rules of card schemes" If someone writes down their Card number and CVC on a napkin and uses it online, the consumer will get his money back. Definitely for credit card transactions and even for VISA debit transactions (not sur for MC). These protection covers Fraud, Item not delivered (lost/stolen) and item not as described. But it's still a pain as the consumer has to go through that process, so it's clearly better to cut the fraud at the source. Regarding PCI compliance, CVC code cannot be stored (I believe there are some specific examptions) and although in the past we could make transactions without the CVC code, I believe there is now a mandate on CVC code (or it's on its way) with again some exceptions. There are definitely ways to get around that like doing a pre-auth and charging the card a week later if the consumer didn't pay when checking-out... Hi Darren,
The security flaws should definitely be taken care off, but one point to keep in mind from a consumer perspective: “They are protected by the rules of card schemes”

If someone writes down their Card number and CVC on a napkin and uses it online, the consumer will get his money back. Definitely for credit card transactions and even for VISA debit transactions (not sur for MC). These protection covers Fraud, Item not delivered (lost/stolen) and item not as described. But it’s still a pain as the consumer has to go through that process, so it’s clearly better to cut the fraud at the source.

Regarding PCI compliance, CVC code cannot be stored (I believe there are some specific examptions) and although in the past we could make transactions without the CVC code, I believe there is now a mandate on CVC code (or it’s on its way) with again some exceptions.

There are definitely ways to get around that like doing a pre-auth and charging the card a week later if the consumer didn’t pay when checking-out…

Report this comment

]]> By: Conchetta http://www.travel-rants.com/2009/03/30/lack-credit-card-security-booking-online/#comment-160849 Conchetta Fri, 05 Mar 2010 17:14:32 +0000 http://www.travel-rants.com/?p=3524#comment-160849 Suggestion Re:Credit Cards. Mine are through a credit union since they are smaller & humans answer the phone. I tell them where I'm going & any charges above a certain amount to block. They will contact me at the store I'm in, ask questions only I know the answers to for verification. If they can't reach me then just block. I can live without the purchase. Suggestion Re:Credit Cards. Mine are through a credit union since they are smaller & humans answer the phone. I tell them where I’m going & any charges above a certain amount to block. They will contact me at the store I’m in, ask questions only I know the answers to for verification. If they can’t reach me then just block. I can live without the purchase.

Report this comment

]]> By: Andy http://www.travel-rants.com/2009/03/30/lack-credit-card-security-booking-online/#comment-147064 Andy Sun, 31 May 2009 20:22:19 +0000 http://www.travel-rants.com/?p=3524#comment-147064 This is an interesting thread and one which I am pleased to say we manage effectively. At no stage, either through personal contact over the telephone or via an online booking, does any hotel or private villa owner get supplied with customers credit card details when booking through us. We don't even retain the CVC number at all. If we need to carry out a further transaction with our customers we contact them again for their number. Our gateway provider doesn't supply the CVC number to us, so if the booking is made live online even we do not have access to this number. I am happy with our security levels and know that this is crucial to us flourishing online. If we have a single slip up it could ruin our entire business and wreck hard won credibility. All our transactions are secure over the net with 128 bit SSL encrypted transactions. We provide booking solutions to private villa owners and small luxury boutique hotels and our guests know we take care of their security above all else. I would not do business with anyone that doesn't ensure customer confidence, privacy and reliability. This is an interesting thread and one which I am pleased to say we manage effectively. At no stage, either through personal contact over the telephone or via an online booking, does any hotel or private villa owner get supplied with customers credit card details when booking through us. We don’t even retain the CVC number at all. If we need to carry out a further transaction with our customers we contact them again for their number. Our gateway provider doesn’t supply the CVC number to us, so if the booking is made live online even we do not have access to this number. I am happy with our security levels and know that this is crucial to us flourishing online. If we have a single slip up it could ruin our entire business and wreck hard won credibility. All our transactions are secure over the net with 128 bit SSL encrypted transactions. We provide booking solutions to private villa owners and small luxury boutique hotels and our guests know we take care of their security above all else. I would not do business with anyone that doesn’t ensure customer confidence, privacy and reliability.

Report this comment

]]> By: Alex Bainbridge http://www.travel-rants.com/2009/03/30/lack-credit-card-security-booking-online/#comment-146773 Alex Bainbridge Wed, 27 May 2009 17:16:30 +0000 http://www.travel-rants.com/?p=3524#comment-146773 Hi Lina Quoting from the standards: "11.2 Run internal and external network vulnerability scans at least quarterly and after any significant change in the network (such as new system component installations, changes in network topology, firewall rule modifications, product upgrades). Note: Quarterly external vulnerability scans must be performed by an Approved Scanning Vendor (ASV) qualified by Payment Card Industry Security Standards Council (PCI SSC). Scans conducted after network changes may be performed by the company’s internal staff." As you say you are PCI compliant I assume you do have the scans in place (required even if self auditing) - which is good news for your customers. Would have been easier if you had just said that as I asked this question in the comment above! Hi Lina

Quoting from the standards:

“11.2 Run internal and external network vulnerability scans at least quarterly and after any significant change in the network (such as new system component installations, changes in network topology, firewall rule modifications, product upgrades). Note: Quarterly external vulnerability scans must be performed by an Approved Scanning Vendor (ASV) qualified by Payment Card Industry Security Standards Council (PCI SSC). Scans conducted after network changes may be performed by the company’s internal staff.”

As you say you are PCI compliant I assume you do have the scans in place (required even if self auditing) – which is good news for your customers. Would have been easier if you had just said that as I asked this question in the comment above!

Report this comment

]]> By: Lina Zaproudi http://www.travel-rants.com/2009/03/30/lack-credit-card-security-booking-online/#comment-146770 Lina Zaproudi Wed, 27 May 2009 16:40:58 +0000 http://www.travel-rants.com/?p=3524#comment-146770 Hi Alex. As discussed in more detail by email between us, we are PCI compliant. The "solution" is merely a way to add a security layer on top of SSL, by using an encryption script & public key on the web server and a decryption program and private password on a company PC. So the sensitive emails remain always encrypted (AES128 encryption). For full PCI compliance, agents should consult the requirements described in the documents found here: https://www.pcisecuritystandards.org/ Hi Alex.
As discussed in more detail by email between us, we are PCI compliant.

The “solution” is merely a way to add a security layer on top of SSL, by using an encryption script & public key on the web server and a decryption program and private password on a company PC. So the sensitive emails remain always encrypted (AES128 encryption).

For full PCI compliance, agents should consult the requirements described in the documents found here: https://www.pcisecuritystandards.org/

Report this comment

]]>