Credit card validation

Suggestions and ideas to make Beds24.com better
Epicea_old
Posts: 74
Joined: Wed Mar 21, 2012 3:14 pm

As I understand credit card collection on beds24 when a guest enters their details they are validated and then stored. We can then use that to take a deposit using our terminal if we want (we don't as a rule). Is that about right?

We've just had a form from our terminal providers about PCI. As far as I can see, I would have to tell them we're not PCI compliant.

We don't really take c/card details for any other purpose than to validate the booking. I could sign up to one of the payment gateways, but then we'd have to take a deposit each time, which would be a big alteration in our process. It would be a huge deal if we did this, as it might not make sense to continue with our terminal provider. We might then be better off using something like authorize.net and a mobile reader etc. instead of running two contracts.

My question is, if beds24 validated but didn't store c/card details, would it be PCI compliant? Is that an option?
markkinchin
Site Admin
Posts: 936
Joined: Fri Mar 02, 2012 1:43 pm

Beds24 follows the intentions and best practice laid out by the PCI DSS documentation.
We believe we are compliant with the documentation, but because of the high costs involved in obtaining and maintaining official certification we have no intention of doing this.

If you absolutely must be PCI certified then do not collect credit cards using beds24 but rather connect to one of the payment gateways and let them collect the payment. All gateways we connect to are PCI certified.
Epicea_old
Posts: 74
Joined: Wed Mar 21, 2012 3:14 pm

Epicea wrote: My question is, if beds24 validated but didn't store c/card details, would it be PCI compliant? Is that an option?
I'd still like to know if that's possible.

The payment gateways currently supported aren't looking too useful for us:

authorize.net - doesn't accept our local currency
paymill - extremely unresponsive; after 12 days we've not got an account. They emailed us asking for company registration details that aren't required in Switzerland and we've yet to hear back. But as they're clearly not very responsive and don't seem to have any idea about business in Switzerland, we'd really not want to use them anyway.
realex - haven't bothered to respond.
stripe - not available in Switzerland (currently)

PayPal, which I'd rather not use anyway, doesn't work using beds24 booking forms when embedded in an iframe. I assume they've some frame-busting code. Obviously that can be opened in a new window, but PayPal isn't our preferred option anyway.
markkinchin
Site Admin
Posts: 936
Joined: Fri Mar 02, 2012 1:43 pm

Epicea wrote: My question is, if beds24 validated but didn't store c/card details, would it be PCI compliant? Is that an option?

I'd still like to know if that's possible.
I am not sure I understand: do you want the guest to enter a card number, we check if it looks valid and then throw it away?
markkinchin
Site Admin
Posts: 936
Joined: Fri Mar 02, 2012 1:43 pm

Epicea wrote: Paypal, which I'd rather not use anyway, doesn't work using beds24 booking forms when embedded in an iframe. I assume they've some frame busting code. Obviously that can be opened in a new window but paypal isn't our preferred option anyway.
That's right, PayPal won't work in an iframe. We have a setting to open a new page to collect payments when required.
Epicea_old
Posts: 74
Joined: Wed Mar 21, 2012 3:14 pm

markkinchin wrote:
Epicea wrote: My question is, if beds24 validated but didn't store c/card details, would it be PCI compliant? Is that an option?

I'd still like to know if that's possible.
I am not sure I understand, do you want the guest to enter a card number, we check if it looks valid and then throw it away?
Yes. Several travel shows and websites have provided customers with advice to use invalid credit card details to secure bookings on spurious grounds of security or to hold rooms without commitment. I'd prefer to either store the details or take a deposit but this might serve as a workaround until we can make other arrangements.
markkinchin
Site Admin
Posts: 936
Joined: Fri Mar 02, 2012 1:43 pm

I have added an option to Settings > Account > Preferences > Credit Card Security = "Do Not Store Cards"

This will look to the guest like they have to enter a card and it will check for a sensible card number but nothing will be stored.
The card passing this test verifies as a potentially valid card number (Luhn Check) but it does not mean there are funds on the card or it hasn't been cancelled etc.
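The "sensible card number" test described above is a Luhn (mod-10) check. As an added example, not Beds24's code, the following shows both what such a check does (it catches typos and random digit strings) and the limitation the post states: any digit prefix can be completed so that it passes, so a pass proves nothing about funds or whether the card exists. The sample numbers are constructed test values, not real cards.

```python
"""Added example, not Beds24's code: the Luhn (mod-10) check that a
"Do Not Store Cards" style validation can perform, together with the
limitation the post describes. The sample numbers are constructed test
values, not real cards.
"""


def normalize(pan: str) -> str:
    """Drop the spaces and hyphens guests type between digit groups."""
    return pan.replace(" ", "").replace("-", "")


def luhn_valid(pan: str) -> bool:
    """True if the digit string satisfies the Luhn check.

    Walking from the right, every second digit is doubled and, if the
    result exceeds 9, reduced by 9; the number passes when the sum of
    all digits is a multiple of 10.
    """
    s = normalize(pan)
    if not s.isdigit():
        return False
    total = 0
    for i, ch in enumerate(reversed(s)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def luhn_check_digit(partial: str) -> str:
    """Return the digit that makes partial + digit pass luhn_valid()."""
    s = normalize(partial)
    if not s.isdigit():
        raise ValueError("partial number must be digits")
    # Append a placeholder 0, sum as in luhn_valid, then pick the digit
    # that brings the total up to the next multiple of 10.
    total = 0
    for i, ch in enumerate(reversed(s + "0")):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return str((10 - total % 10) % 10)


def plausible_card_number(pan: str) -> bool:
    """The 'sensible card number' test: digits only, PAN length, Luhn passes.

    Passing says nothing about whether the account exists, has funds or
    has been cancelled; only an authorisation through a gateway does.
    """
    s = normalize(pan)
    return s.isdigit() and 12 <= len(s) <= 19 and luhn_valid(s)


def validate_and_discard(pan: str) -> bool:
    """What a do-not-store flow keeps from the guest's entry: a boolean.

    The PAN is used only for the plausibility test and is not retained
    or returned, so nothing needing PCI DSS storage controls is kept.
    """
    return plausible_card_number(pan)


def forge_plausible_number(prefix: str) -> str:
    """The limitation: any digit prefix can be completed so that it
    passes the check, which is how 'use an invalid card' advice works."""
    return prefix + luhn_check_digit(prefix)


if __name__ == "__main__":
    # Constructed sample inputs (well-known test values, not real cards).
    print(validate_and_discard("4111 1111 1111 1111"))   # True
    print(validate_and_discard("4111 1111 1111 1112"))   # False: typo caught
    fake = forge_plausible_number("1234567890123")        # "12345678901237"
    print(fake, validate_and_discard(fake))               # True, yet no such card
```

The check is worth keeping as a typo filter, but a guest who wants to hold a room without commitment only needs a Luhn-valid string, so the deposit or stored-card route remains the only way to get a real commitment.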
Epicea_old
Posts: 74
Joined: Wed Mar 21, 2012 3:14 pm

markkinchin wrote:Beds24 follows the intentions and best practice laid out by the PCI DSS documentation.
I'm not sure about that. PCI has some strong requirements for cryptographic protocols which aren't being met currently. The PCI Security Standards Council decision to drop SSL is fairly new but it's at least four months since we knew that SSL in any version was irretrievably broken.
Epicea_old
Posts: 74
Joined: Wed Mar 21, 2012 3:14 pm

Epicea wrote:
markkinchin wrote:Beds24 follows the intentions and best practice laid out by the PCI DSS documentation.
I'm not sure about that. PCI has some strong requirements for cryptographic protocols which aren't being met currently. The PCI Security Standards Council decision to drop SSL is fairly new but it's at least four months since we knew that SSL in any version was irretrievably broken.
A recent article from The Register:

http://www.theregister.co.uk/2015/06/26 ... _now_dead/

The way beds24 is using HTTPS is not following "the intentions and best practice laid out by the PCI DSS documentation".
Attachments
Screen Shot 2015-06-26 at 14.58.30.jpg
markkinchin
Site Admin
Posts: 936
Joined: Fri Mar 02, 2012 1:43 pm

The only reason we still support SSL3 is because IE6 will not work without it.
We will shortly be pulling the plug on IE6 users for the benefit of everyone else.

I have re-read the PCI DSS docs and we are seriously considering getting certified, I think we can make the required changes.
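The IE6 concession above is exactly the kind of setting a PCI assessment picks up: PCI DSS 3.1 (April 2015) stopped treating SSL of any version and "early TLS" (TLS 1.0) as strong cryptography. As an added example, not Beds24's configuration or code, the following finds such an `ssl_protocols` directive and rewrites it without the weak versions. It assumes nginx directive syntax, and the configuration text it runs over is constructed for the example.

```python
"""Added example, not Beds24's configuration: find and tighten the
ssl_protocols directive that keeps SSLv3 enabled for IE6. PCI DSS 3.1
(April 2015) stopped treating SSL of any version and "early TLS"
(TLS 1.0) as strong cryptography, so an assessor will flag both.
The nginx-style configuration text is constructed for the example.
"""

import re
from typing import List

# nginx protocol tokens PCI DSS 3.1 no longer accepts as strong crypto.
WEAK_PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1"}
# Fallback when nothing acceptable was listed; TLS 1.2 was the version
# PCI DSS 3.1 recommended, TLS 1.1 merely tolerated.
FALLBACK_PROTOCOLS = ["TLSv1.2"]

# Constructed sample: the IE6-motivated setting from the post.
SAMPLE_CONF = """\
server {
    listen 443 ssl;
    # SSLv3 kept because IE6 cannot negotiate anything newer
    ssl_protocols SSLv3 TLSv1 TLSv1.1 TLSv1.2;
    ssl_ciphers HIGH:!aNULL:!MD5;
}
"""

_DIRECTIVE = re.compile(
    r"^(?P<indent>[ \t]*)ssl_protocols[ \t]+(?P<protos>[^;]+);", re.M
)


def listed_protocols(conf: str) -> List[str]:
    """Protocol tokens named by ssl_protocols directives, in order."""
    protos: List[str] = []
    for m in _DIRECTIVE.finditer(conf):
        protos.extend(m.group("protos").split())
    return protos


def weak_protocols(conf: str) -> List[str]:
    """The listed protocols an assessor would reject."""
    return [p for p in listed_protocols(conf) if p in WEAK_PROTOCOLS]


def harden(conf: str) -> str:
    """Rewrite each ssl_protocols directive without the weak versions.

    Acceptable versions already listed are kept; if none remain, the
    directive falls back to TLSv1.2 only. Comments and other directives
    are left untouched.
    """
    def fix(m):
        keep = [p for p in m.group("protos").split() if p not in WEAK_PROTOCOLS]
        return "%sssl_protocols %s;" % (
            m.group("indent"), " ".join(keep or FALLBACK_PROTOCOLS)
        )
    return _DIRECTIVE.sub(fix, conf)


if __name__ == "__main__":
    print("weak:", weak_protocols(SAMPLE_CONF))   # ['SSLv3', 'TLSv1']
    print(harden(SAMPLE_CONF))
```

Dropping SSLv3 also removes TLS 1.0 from the same directive, which is the step IE6 users cannot follow; that is the trade-off the post refers to when it talks about pulling the plug on them.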