Case Study – Travel
The client sought a secure method to collect and store credit card information from their booking page until payment was necessary. The transaction process begins with the dispatch of the first two requests to the airline company to confirm ticket availability. Following this, a third secure transaction, containing the credit card number, is forwarded to the airline. The initial transactions generate a booking number, which is subsequently transmitted, along with the credit card, in the payment request to the airline for processing. Upon finalizing the booking request, the travel company needs the ability to charge the same card for two additional payments—one to the insurance company and the final one to the payment gateway for processing the surcharge.
HostedPCI was initially tasked with identifying the suitable collection method for this client. This was promptly determined as all transactions were facilitated through the travel company’s webpage. The iFrame was identified as the necessary collection solution, given its ability to integrate into the client’s checkout page. This integration allows the client to maintain control over the entire transaction process without the need to internally manage the credit card. The HostedPCI iFrame tokenizes the credit card directly from the browser before tokenizing the customer details. The client receives an independent and durable token, which can be used with any third-party or supported gateways as needed.
The first transaction processed through HostedPCI is the booking transaction. Unlike a standard sale transaction, the credit card is processed not by the travel company, but by the airline company, which confirms the booking. As a result, the API action needed for this transaction is our XML Message Dispatch. This type of transaction allows the client to tailor the API request to the airline’s specifications to transmit the customer and transaction details for processing. Since the travel company holds only the token, they send the API request to HostedPCI with the token, and HostedPCI replaces the token with the credit card before sending the message to the airline.
The insurance transaction follows the same route as the booking transaction; however, the third party in this case is different, potentially requiring a varied request structure. Similar to the airline transaction, the client will assemble the appropriate request, including the token, and will send the transaction to HostedPCI for the insurance company to charge the insurance fee.
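The booking and insurance flows above share one mechanism: the merchant only ever handles a token, and the proxy swaps the token for the card number just before the message leaves for the third party. The following is an added illustration of that mechanism, written for this case study; it is not HostedPCI's code and does not reflect its actual API, token format, or XML schema. The `TokenVault`, `build_dispatch_request`, `proxy_substitute` and `contains_pan` names, the `tok_` token prefix, the XML element names and the sample booking values are all constructed for the example. The `contains_pan` check is the kind of scope test a merchant can run over its own outbound messages to confirm that no primary account number is present before the proxy step.

```python
"""Token substitution proxy, constructed as an illustrative example (hypothetical)."""
import re
import secrets
import string
import xml.etree.ElementTree as ET

TOKEN_PREFIX = "tok_"  # hypothetical token format, chosen so it never looks like a card number


def luhn_ok(digits: str) -> bool:
    """Return True if the digit string passes the Luhn checksum (used by card numbers)."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def contains_pan(text: str) -> bool:
    """Scope check: does this text contain a plausible primary account number?

    Looks for 13-19 digit runs that pass Luhn. Used to assert that messages on
    the merchant side carry only tokens, and that the proxy output carries the PAN.
    """
    return any(luhn_ok(run) for run in re.findall(r"(?<!\d)\d{13,19}(?!\d)", text))


class TokenVault:
    """Minimal in-memory vault standing in for the proxy's card store (hypothetical)."""

    def __init__(self) -> None:
        self._store: dict[str, str] = {}

    def tokenize(self, pan: str) -> str:
        """Store a validated card number and return a durable, non-numeric token."""
        if not (pan.isdigit() and 13 <= len(pan) <= 19 and luhn_ok(pan)):
            raise ValueError("not a syntactically valid card number")
        token = TOKEN_PREFIX + "".join(secrets.choice(string.ascii_lowercase) for _ in range(16))
        self._store[token] = pan
        return token

    def detokenize(self, token: str) -> str:
        """Resolve a token to the stored card number; unknown tokens raise KeyError."""
        return self._store[token]


def build_dispatch_request(booking_number: str, amount: str, token: str) -> str:
    """Merchant side: assemble the third-party XML message using only the token.

    Element names are constructed for the example, not a real airline or insurer schema.
    """
    root = ET.Element("PaymentRequest")
    ET.SubElement(root, "BookingNumber").text = booking_number
    ET.SubElement(root, "Amount").text = amount
    ET.SubElement(root, "Card").text = token
    return ET.tostring(root, encoding="unicode")


def proxy_substitute(vault: TokenVault, xml_text: str) -> str:
    """Proxy side: replace every token-valued element with the real card number.

    Raises if no token is found, so a message that was never tokenized cannot pass
    through silently. (Parsing untrusted XML in production should use a hardened
    parser such as defusedxml; this example parses only the merchant's own message.)
    """
    root = ET.fromstring(xml_text)
    replaced = 0
    for el in root.iter():
        if el.text and el.text.startswith(TOKEN_PREFIX):
            el.text = vault.detokenize(el.text)  # KeyError on an unknown token
            replaced += 1
    if replaced == 0:
        raise ValueError("message contains no token to substitute")
    return ET.tostring(root, encoding="unicode")


def run_booking_and_insurance(pan: str) -> dict:
    """Worked flow: one token, two dispatches (booking, then insurance)."""
    vault = TokenVault()
    token = vault.tokenize(pan)  # sample values below are constructed
    booking_req = build_dispatch_request("BK-EXAMPLE-1", "250.00", token)
    insurance_req = build_dispatch_request("BK-EXAMPLE-1", "19.99", token)
    return {
        "token": token,
        "merchant_messages_clean": not contains_pan(booking_req) and not contains_pan(insurance_req),
        "booking_out": proxy_substitute(vault, booking_req),
        "insurance_out": proxy_substitute(vault, insurance_req),
    }


if __name__ == "__main__":
    result = run_booking_and_insurance("4111111111111111")  # constructed test card number
    print(result["token"], result["merchant_messages_clean"])
    print(result["booking_out"])
```

The design choice worth noting is the non-numeric token format: because the token can never pass a card-number pattern check, the same `contains_pan` test that validates the proxy output also proves that nothing on the merchant side ever looked like a PAN, which is the property the reduced SAQ scope depends on.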
The surcharge transaction is carried out through the travel company’s chosen payment gateway, Moneris in this instance. The structure of the payment request differs from the request for XML Dispatch. Unlike the third-party request, which the client assembles, the gateway request is structured using specific parameters provided by HostedPCI to streamline the Sale request.
By utilizing HostedPCI for their PCI DSS compliance, the travel company successfully reduced its PCI scope by entrusting the entire collection, storage, and exchange process to a secure third-party proxy. This shift decreased their PCI scope from an SAQ type D, encompassing approximately 400 questions, to a more manageable SAQ type A, consisting of only 11 questions.