A2Secure’s authorised auditors have validated the renewal of Dingus’ certification as PCI Compliance Service Provider Level 1. Until October 2022, the date of the next review, we maintain the assurance of compliance with the payment card industry security standard in the hotels we work with, as accredited by the AoC issued by the assessors.
The most important value that Dingus provides in comparison with other proposals on the market is to ensure compliance with the standard throughout the entire life cycle of the reservations, an approach that guarantees our clients, without any doubt, that they are PCI-DSS compliant. This international security standard was developed by leading payment brands such as Visa, Mastercard and American Express, with the aim of improving security in the entire card-related environment. Both the commitment of Dingus and the purpose of the payment card industry standard remain intact, perhaps even reinforced, with the renewal of the PCI Compliance Service Provider Level 1 status.
The audit to maintain the certification was carried out by A2Secure experts, who argued that “the Channel Manager, being a concentrator of many booking channels, has a very high percentage of the cards that a hotel must manage circulating through it. Thus, the Channel Manager has the ability to intercept these cards, store them in the hotel’s delegation, and prevent them from entering the hotel’s own systems, simplifying part of the hotel’s PCI-DSS compliance. Finally,” explain the authorised QSA auditors, “through integrations with PMS and payment gateways, it is possible to close the payment processes, preventing the card from reaching the hotel, as well as preventing it from being visible to the hotel staff”.
Dingus’ compliance guarantee is called Book&Payment.
The strategy chosen by Dingus (Hitt Group) to meet the standard was the one described above: Book&Payment collects the booking cards and tokenises them before they are passed on to the hotel. What it delivers are tokens and, under no circumstances, bank card data. Dingus’ own payment management system is responsible for the PCI-DSS-compliant storage of customer cards. Through it, payments can be processed directly with various payment gateways without the hotel systems or hotel staff handling the data. This helps to simplify one of the card entry channels in hotels and thus ensures compliance with the standard.
At Dingus we believe that there are many good solutions to ensure that the company providing the solution is PCI compliant, but we forget that “in itself, PCI is a process that cannot be broken at any time, something that we certified companies take care of. Our technological solutions and the knowledge we have gained over the years through analysis meetings, also with payment platforms, banks and other intermediary players, allow us to ensure that in our case this procedure is not broken at any time, and that any stakeholder who connects to us will be PCI compliant,” explains the company’s CEO, Jaume Monserrat. And to ensure this, Dingus has developed its own environment where customers’ bookings remain under the SLAs they have signed with us.
Furthermore, as Albert Morell, co-founder of A2Secure and QSA PCI-DSS auditor, told us at the time, “it is quite easy to understand that a single database with encrypted bank cards in the entire flow is not the same as the fact that the Channel Manager has its database, the PMS has its own and the payment gateway also has its own: these are three different locations where a hacker can go to find the same information, also multiplying by three the possibility of making a mistake and ending up exposing this sensitive information”.
Attestation of Compliance for Onsite Assessments – Service Providers
PCI Attestation of Compliance for Onsite Assessments (AoC) is the accreditation by which a Qualified Security Assessor (QSA) declares an organisation’s PCI DSS compliance status. It is documented proof that we maintain security best practices to protect cardholder data.
Cristina Torres. Corporate communication and media relations