Massive Travel Industry Data Leak

Prestige Software’s main product Cloud Hospitality, the channel management software to the travel industries biggest consumer buying web sites, including Expedia, Hotels.com, and booking.com left data exposed for over 10 million log files, dating all the way back to 2013. At the November 6, 2020 breaking news, it was not yet known whether the data left open on a server was stolen or not. However, we know that criminals run scripts looking for data all the time so it won’t be a surprise if there was a breach.

A channel manager is used to manage bookings across multiple webs sites, including hotels and restaurants. For example with vacancy management, if there is one room left and someone buys it on booking.com, it will show unavailable on hotels.com. With millions of records exposed around the globe, there is sure to be fall out.

Because both personal and credit card data was exposed, I recommend consumers change their travel web site passwords, email passwords, and keep an on on credit card usage or set up alerts.

The data contained full card data and the security code. It’s a PCI Compliance and card network violation to store sensitive cardholder data, therefore, they could lose the ability to store, transmit, and handle all credit card data. While the booking platforms did not expose the data, there is certainly a weakness. For more information from the team that broke the news, see https://www.websiteplanet.com/blog/prestige-soft-breach-report/.

This incident demonstrates your security is only as good as your weakest link. What actions have you taken to remediate deletion of old records both paper and digital? What about your partners? I know of multiple solutions providers that enable merchants to create their own digital credit card authorization forms. This form is then reviewed or downloaded by an employee, with card data key entered then into some other system by the employee. There are so many things wrong with this, including the signature is not even a valid form of defense for card not present. 3-D Secure is the way to go.

  1. If your company uses a 3rd party for billing and or collections, ask questions.
  2. If you’re not using updated tools to keep card numbers out of employee hands, hardware and software, you’re at risk.
  3. Remember, if cardholder data can be decrypted and viewed, you’re at risk.
  4. If you can see the full card number and security code after authorization, that is not compliant.

Contact me for a FREE checkup for common problems IT and security professionals might miss.

If your company has card data that can be retrieved and viewed, you’re at risk too. I fix that.

Christine Speedy, Founder 3D Merchant Services, QIR certified, is a credit card processing expert with specialized expertise in card not present and B2B payment processing technology. Less than 1% of all merchant services sales representatives are QIR certified by the PCI Council. Christine is an authorized independent sales agent for a variety of merchant services and payment technology solutions.

Event sales credit card authorization form template 2019

Accepting credit card deposits for events requires compliance with both card not present and stored card rules. Not PCI Compliance rules for data security, but rather authorization rules set by Visa, MasterCard etc. Comply with the rules and get rewarded with more authorization approvals, qualify for lower rates and mitigate risk of chargebacks.

Professionalism starts on the phone and continues throughout the buying experience. By replacing traditional credit card authorization forms with technology that puts buyers in control of their cardholder data, merchants create a better buying experience. Traditional credit card authorization forms were created to establish a record to use in the event of a future dispute. They’re useless today.

Merchants must replace credit card authorization forms with technology compliant with new rules for storing and using stored cards.

  • The initial authorization authenticates the cardholder.
  • The initial authorization informs that the cardholder has agreed to merchant storing card.
  • The transaction type will indicate it’s an estimate.
  • Future authorizations will reference any required above items and be submitted as Incremental or Final.

Compliance with the above is not possible with desktop terminals and even most virtual terminals and payment gateways. Merchants need a virtual terminal and or payment gateway that supports Unscheduled Credential On File, Incremental and Final Authorization rules. This is new terminology and new fields in the transaction process.

“Don’t be surprised if vendors don’t know about or support these rules. Just like EMV chip rollout, it’s a huge change and few providers are keeping up. We’re an exception. I had solutions for my clients prior to the EMV shift in October 2015 and again for the 2017 stored card mandate.”

Christine Speedy

Our solutions reduce buyer friction to pay and enables event sales and back office staff to collect deposits and capture cardholder data via text or email. These include push out payment requests via text or email, capture cardholder data for later use, and upload an invoice to collect payment.

text payment
Click here to see one of multiple options available.

Benefits of compliant solution:

  • Reduced merchant fees even with the same merchant account.
  • Increased approvals with cardholder authentication.
  • Mitigate chargeback risk including fraud liability shifting to issuer.
  • More convenient for buyers- 24/7 payments on their schedule, not yours.
  • Buyers are in control of choosing to store payment methods

Call Christine Speedy, PCI Council QIR certified, for simple solutions to card not present payment transaction problems, 954-942-0483, 9-5 ET. The cloud technology you need today to accept all payment types, with optional merchant, check processing and other services. 

#hotel #creditcardauthorization

Hotel Third Party Credit Card Authorization Form Alert

Is your hotel third party authorization form compliant with both Payment Card Industry Data Security Standards (PCI) compliance and card network acceptance rules? Beware solutions that are neither, risking an expensive data breach, lost reputation, and reduced profits. Due to significant rules changes in 2017, hotel management and hospitality advisors must adopt new technology solutions to comply.

Shifting from a paper credit card authorization form to a digitally signed cloud form often fails to meet intended goals to prevent fraud and increase security. For example, some digitally signed third party credit card authorization form solutions authenticate the cardholder with address and security code verification. Authorized merchant employees access and decrypt the signed document, then key-enter the cardholder data into another system for subsequent authorizations. The document containing PAN and security code remains on file for some period of time.

“This method is rife with compliance problems, leaving hotels unprotected from friendly fraud, ‘it wasn’t me, I didn’t authorize’ and data breach risk”, per Christine Speedy, PCI Council QIR certified.

For instance, per PCI Compliance 3.2, the security code, must not be stored after authorization, even if encrypted. Whether the security code can be stored prior to authorization, PCI leaves up to card brands and acquirers. Per Visa Core rules, section 5.4.3.1, merchants cannot even ask for the Card Verification Value 2 (CVV2) from the Cardholder on any written form.

A series of card not present acceptance rules changes are driving an urgent need for hotels to update. These significant changes include the process to store cards, use stored cards, and obtain authorizations. All this means, whatever worked in the past is no longer valid today. In the digitally signed form example, there’s no relation between the initial cardholder authentication transaction and any future authorizations. However, if done properly, the issuer would have returned a response acknowledging the merchant notification that they’d gotten permission to store the card; future authorizations would include that response.

Hackers continue to target the hospitality industry and they’ve been quite successful. With 338 breaches in the 2018 Verizon Data Breach report, the accommodation sector ranks in the top three of most incidents and breaches. InterContinental Hotels Group, Marriott International, Radisson Hotel Group, Hilton, and Hyatt have all had breaches as have suppliers to the industry like Sabre Hospitality. If you know you’re going to be attacked, why not eliminate employee access to cardholder data completely?

How can hotels better protect against card not present credit card fraud? 3-D secure is a global protocol designed to be an additional security layer for online credit and debit card transactions. By combining a web-based authorization form with 3-D Secure cardholder authentication, including Verified by Visa, fraud liability shifts to the issuer, much like EMV chip shifts liability to the issuer. By using a payment gateway to manage initial and subsequent authorizations, with the capability to invoke 3-D secure, merchants mitigate chargeback risk and avoid the time consuming process of fighting to get their money back after they occur. As a bonus, some issuers support reduced interchange rates, the bulk of credit card processing fees, when 3-D Secure is invoked. No cardholder data is ever visible to employees.

With every part of the payment ecosystem needing to make changes- card issuer, acquirer (merchant account processor), payment gateway- it’s inevitable that there will be gaps in compliance. Non-compliance with rules can result in fines, penalty fees, and removal from card acceptance. 

Key questions to ask when evaluating hotel third party credit card authorization solutions:

·      Is the security code ever stored?

·      Is 3-D secure supported?

·      Is it compliant with the Visa stored credential mandate, including unscheduled credential on file?

·      After the initial authorization, are subsequent authorizations submitted with retail, MOTO (telephone order), or e-commerce transaction type?

·      Correct Answers: no, yes, yes, MOTO

Keywords: #creditcardfraud #databreach #lodging #hotels #pcicompliance #creditcardauthorizationform

Call Christine Speedy, PCI Council QIR certified, for PCI compliant web-based third party authorization forms and other hotel payment technology to make your business more profitable and secure. 954-942-0483, 9-5 ET.

Credit card authorization form template alert

Searching for a credit card authorization form template? Maybe PCI compliant form or Microsoft Word compatible template? Stop! If your web browser is not up to date, just landing on the web site that has the form might introduce malicious code into a company’s systems and network, leading to a future data breach.

Businesses should be replacing traditional credit card authorization forms with other payment methods where the customer self-pays:

  • Hosted pay page
  • Push out a payment request via text or email

Per Visa, merchants are never allowed to ask for the security code on paper.  Merchants also cannot store the form with full card numbers. They increase risk of fraud and identity theft and nobody likes them!

What are the benefits of customer initiated payments?

  • Reduced merchant fees for some cards (3-D Secure cardholder authentication such as Verified by Visa must be enabled.)
  • Increased approvals with cardholder authentication.
  • Mitigate chargeback risk – with 3-D Secure cardholder authentication, fraud liability shifts to issuer.
  • More convenient for buyers- 24/7 payments on their schedule, not yours
  • Buyers are in control of choosing to store payment methods

How do you choose the best solution? Here’s some of our product differentiators:

  • PCI Compliant credit card authorization form generated automatically, should you have a need to get a signature to terms for storing and using stored cards.
  • 3-D Secure cardholder authentication supported.
  • Choose any acquirer.
  • Automated interchange management, including level 3 processing for business to business (B2B) and business to government (B2G), to reduce fees and maximize profits.
  • If preauthorizations are needed, ongoing authorization management is critical and we do that automatically.

Call Christine Speedy, PCI Council QIR certified, for simple solutions to complex payment transaction problems, 954-942-0483, 9-5 ET. CenPOS authorized reseller based out of South Florida and NY. CenPOS is an integrated commerce technology platform driving innovative, omnichannel solutions tailored to meet a merchant’s market needs. Providing a single point of integration, the CenPOS platform combines payment, commerce and value-added functionality enabling merchants to transform their commerce experience, eliminate the need to manage complex integrations, reduce the burden of accepting payments and create deeper customer relationships.

Online credit card authorization form

An online credit card authorization form enables a business to charge a credit card one-time or for recurring purchases. Looking for a PCI Compliant authorization form meeting 2018 and 2019 standards? Read on.

Online credit card authorization form options:

Hosted pay page. The merchant directs customers to web page to pay any invoice or store card for future payment online. For maximum reduced PCI burden, send customers directly to the 3rd party payment gateway web URL. The gateway may or may not be the same as your processor. NOTE: If hosting on your own web site with an embedded payment (iframe) object, acceptable implementation methods for PCI requirements have changed;  any old forms should be updated.

Electronic Bill Presentment & Payment. (EBPP or EIPP) This is basically a proactive version of the above. Log in to a gateway web portal, and send a payment request via text or email which the customer clicks and pays. Whether integrated or standalone, we have options to include the invoice as an attachment. No login required to make a payment, but a customer portal is also included.

All the major payment gateways include a Virtual terminal, hosted pay page, and shopping cart checkout capability, tokenization to store card data for future orders. Some, including CenPOS also offer EBPP. So how do you differentiate your choices?

Critical elements online credit card authorization form:

  1. Must not be able to decrypt and view the security code and or sensitive cardholder data.
  2. If only authorizing and not capturing (settling) final amount immediately, must comply with Visa 5.8.3.1 Authorization Amount Requirements. The Merchant must use the Estimated/Initial Authorization Request indicator for the first transaction,
    then the Incremental Authorization Request indicator for interim if applicable, and Final Authorization Request indicator when closing out the transaction; the same Transaction Identifier must be included for all Authorization Requests. A reversal of extra funds must be completed within 24 hours of final settlement. These are tough questions the average salesperson probably can’t answer. Work with a professional that knows the rules.
  3. Stored cards. Are you storing cards for any type of ongoing charges?

    PCI Compliant credit card authorization form

    Partial PCI Compliant stored credential authorization form.

    Comply with Visa Rules Table 5-20: Requirements for Prepayments and Transactions Using Stored Credentials. There are too many variables to list here so I recommend downloading the rules and getting familiar or call us to save time. When capturing card data for the first time:

    • Obtain express consent per specifications for your refund and cancellation policies, how you’ll use the stored card, when your agreement expires and how the Cardholder will be notified of any changes to the agreement.
    • Perform a cardholder verification either via transaction or zero dollar authorization with the proper indicator.
    • This is a change! Two transactions occur when capturing cardholder data for the first time. Technical part can be handled by a payment gateway that supports it, but other elements are left to you.
    • Provide a stored card receipt to customer.
  4. 3-D Secure cardholder authentication. For example, Verified by Visa. Merchants register for 3-D Secure with their acquirer; always consult with the payment gateway first for instructions and to confirm they’re registered to offer service. Friendly fraud liability, “it wasn’t me, I didn’t authorize it”, shifts to the issuer and some cards with qualify for even lower rates because there is lower risk to the issuer. Because there are many parts to any transaction, including acquirer and issuer communications, plus continually changing rules, it’s possible that it will not be invoked.

Online Credit Card Authorization Forms and Qualified Rates

Most cards, except regulated debit, can qualify for multiple rates depending on how the transaction is submitted. For example, MasterCard World card rates:

Rate Name Rate Qualified Rate Reason
Standard 2.95% + $.10 Not all criteria met for another rate.
Merit I 2.05% + $.10 Key-entered or ecommerce and valid authorization + other criteria met.
Full UCAF 1.87% = $.10 Ecommerce; Cardholder authentication and other criteria met.

To qualify for UCAF, the customer must initiate payment and all the other rules must be met, which is not always easy, especially for B2B. Note, ‘ecommerce’ includes online paypage and other electronic payment channels the customer initiates.

Call Christine Speedy, PCI Council QIR certified, for Online Credit Card Authorization Forms at 954-942-0483, 9-5 ET. CenPOS authorized reseller based out of South Florida and NY. CenPOS is an integrated commerce technology platform driving innovative, omnichannel solutions tailored to meet a merchant’s market needs. Providing a single point of integration, the CenPOS platform combines payment, commerce and value-added functionality enabling merchants to transform their commerce experience, eliminate the need to manage complex integrations, reduce the burden of accepting payments and create deeper customer relationships.

Christine offers more than one solution so that you have the best for your business type and needs.