To introduce and focus the topic: PCI-DSS is an international security regulation, developed by the main payment brands such as Visa, Mastercard and American Express, whose objective is to improve the security of the entire card environment, in order to avoid and minimise situations such as those recently experienced by Marriott or British Airways (both related to the tourism sector).

The complexity of the tourism sector and regulatory compliance

Unlike other types of activity where compliance can be approached in a more individualized way, such as the e-commerce sector, the tourism sector has a large number of players who all have their share of responsibility. Let's look at the case of a hotel and analyze its main flows.

A hotel must comply with PCI-DSS. It is a reality, and the reason is extremely simple: they have contracts with banking entities that act as the acquiring bank, where they request commercial codes to collect their services, mainly the stays we spend in each hotel.

When the hotel has to comply with PCI-DSS regulations, the first thing to do is to analyse the flows through which its customers' card data circulates. And this is where the situation begins to get more complicated than in a classic e-commerce business.

Main card data streams of a hotel:

  • Own sale through its website
  • Reservations from OTAs where the credit card arrives, either to process the payment or to hold the card as a guarantee
  • Payment in person at the hotel, when the guest checks in or checks out, depending on the hotel's procedures
  • Assisted sales through the Call Center
  • Recovery of cards to process No-Show…

If we map out each of these processes, the players mentioned earlier appear, each of which affects the compliance chain. For example:

  • PMS
  • Channel Managers
  • Booking Engines

The hotel, in order to ensure compliance, must ensure that the players it works with also comply, since the cards with which it finally collects payment for its stays can pass through each of these companies or, as the PCI-DSS regulation calls them, service providers.

So if the standard definitely has to be met, what would be the best strategy for these service providers to do so? With a vocation for service, the ideal would be to work on compliance in a way that makes life easier for the hotel.

Under this premise, there are two actors who can really help the hotel industry to simplify compliance: Channel Managers and PMS. Of the two, Channel Managers are especially well placed, since their type of business has allowed them to move to the Cloud earlier than the PMS and to offer their services effectively as a service.

The Channel Manager, by concentrating many booking channels, has a very high percentage of the cards that a hotel has to manage circulating through it. Thus, the Channel Manager has the ability to intercept these cards, store them on the hotel's behalf, and prevent them from entering the hotel's own systems, simplifying part of PCI-DSS compliance for the establishment.

Finally, through integrations with PMS and payment gateways, it is possible to close the collection processes while avoiding both the card arriving at the hotel and the card being visible to the staff, as it often is.

It is precisely this strategy that Hitt Group has chosen to tackle PCI-DSS compliance: Book&Payment collects the reservation cards and tokenises them before they go to the hotel, delivering tokens but in no case bank card data…

Book&Payment takes care of your customers' cards according to PCI-DSS and, through Book&Payment itself, payments can be processed directly with various payment gateways, without the hotel systems or their staff handling the data. In this way, it helps to simplify one of the channels through which cards enter hotels and, therefore, compliance with the standard.
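
The tokenisation flow described above, sketched as an added example (not code from the original article or from Book&Payment): a hypothetical `TokenVault` swaps the card number for a random token before the reservation is forwarded, and `find_pans` is an egress check that the hotel-bound record carries no Luhn-valid card number. All names and the sample booking are assumptions constructed for illustration.

```python
import re
import secrets
PAN_RE = re.compile(r"\b\d{13,19}\b")  # candidate card numbers: 13-19 digit runs

def luhn_ok(digits):  # Luhn checksum separates card numbers from other digit runs
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch) * 2 if i % 2 else int(ch)
        total += d - 9 if d > 9 else d
    return total % 10 == 0

class TokenVault:
    """Hypothetical provider-side vault (in-memory; a real one encrypts at rest)."""
    def __init__(self):
        self._pan_by_token = {}

    def tokenise(self, pan):
        if not (pan.isdigit() and 13 <= len(pan) <= 19 and luhn_ok(pan)):
            raise ValueError("not a valid card number")
        token = "tok_" + secrets.token_hex(16)  # random, not derived from the PAN
        self._pan_by_token[token] = pan
        return token

    def detokenise(self, token):  # gateway-facing side only, never the hotel
        return self._pan_by_token[token]

def to_hotel_record(reservation, vault):
    """Build the copy of a reservation that is forwarded to the hotel/PMS."""
    card = reservation["card"]
    record = {k: v for k, v in reservation.items() if k != "card"}
    record["card"] = {"token": vault.tokenise(card["pan"]),
                      "last4": card["pan"][-4:], "expiry": card["expiry"]}
    return record  # the CVV is dropped, not forwarded

def find_pans(obj):
    """Egress check: Luhn-valid digit runs anywhere in a nested record."""
    if isinstance(obj, dict):
        return [p for v in obj.values() for p in find_pans(v)]
    if isinstance(obj, (list, tuple)):
        return [p for v in obj for p in find_pans(v)]
    return [m for m in PAN_RE.findall(str(obj)) if luhn_ok(m)]

# Constructed sample booking; 4111111111111111 is a widely used test number.
booking = {"booking_id": "R-1001", "guest": "A. Guest",
           "card": {"pan": "4111111111111111", "expiry": "12/27", "cvv": "123"}}
vault = TokenVault()
hotel_record = to_hotel_record(booking, vault)
print(hotel_record["card"]["last4"], find_pans(hotel_record))
```

Running `find_pans` on every message bound for the PMS gives a simple regression check that a later integration change has not started passing card numbers through again.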


For our part, we believe that this is the way forward: instead of confronting the regulations individually, which may seem easier a priori, confront them from the perspective of interrelated services and, in a global way, look for solutions that support the entire transit of the card. This vision, in addition to helping various actors achieve and maintain compliance, also represents a significant improvement in security.

It is quite easy to understand that a single database holding encrypted bank cards for the entire flow is not the same as the Channel Manager having its own database, the PMS its own and the payment gateway another: those are three different locations where a hacker can go looking for the same information, and three times the possibility of making a mistake that ends up exposing sensitive information.

Albert Morell

Co-founder A2SECURE & QSA PCI-DSS Auditor

With more than 12 years of experience in Cybersecurity and a solid technical background in engineering, e-commerce and cryptography, Morell left the telecommunications industry to co-found his Cybersecurity company, focused on digital security and PCI-DSS standards. Since then, A2SECURE has provided some of Europe’s leading companies (especially in the payment gateway industry and the tourism sector) with a leading service in corporate information and security, as well as PCI-DSS consulting and auditing.