In a recent SafetyDetectives interview, Eyal Nevo, CEO of PCI Booking, delves into the origins and evolution of the company. Born from a need to ensure PCI compliance for credit card details in the travel industry, PCI Booking emerged as a pioneering solution. Nevo explains the vital role PCI Booking plays in safeguarding payment processing and facilitating outsourced PCI compliance, particularly within the travel sector. He discusses the immense challenges businesses face in achieving and maintaining PCI compliance and how PCI Booking eases this burden. Additionally, Nevo offers expert advice on best practices for handling payment card data and staying ahead of emerging threats in the payment processing landscape.
How did the idea of PCI Booking come about, and what has the journey been like?
We had all been working at another company providing an online faxing solution, and we came across a new customer – a large hotel chain in the UK – that needed to send a fax from its online reservation system to the individual property where the guest was planning to stay. The fax would contain both the reservation details and the credit card details of the guest. This introduced us first to the world of PCI compliance. After that, we soon learnt that, especially in the travel industry, there are many organizations that need to collect, pass and store credit card details – from the card holders and between other providers. And naturally, each of these organizations needs to be PCI compliant. This led us to develop a credit card tokenization system that can provide a secure connection between the organization that we are protecting and their customers/partners.
Can you provide an overview of PCI Booking’s role in the payment processing industry and the specific services you offer?
PCI Booking operates primarily in the travel industry, and there, our services serve three main roles: First and foremost, credit card security and outsourced PCI compliance. We ensure that our customers and their systems are never exposed to the card details – and at the same time, are still able to perform all relevant actions on the card. If you do not interact with raw card details, then you are PCI compliant.
Secondly, secure connectivity both with customers and partners. PCI Booking offers a suite of tools to handle any scenario where our customer needs to interact with a card – whether it is collecting the card from the card owner, receiving an API request from a partner, performing authentication, validation or analysis on the card, and many more.
And finally, offering a payment orchestration functionality offering our customers the ability to connect to any one or multiple payment gateways around the world with one single API integration.
What are some of the biggest challenges that businesses face when striving to achieve secure and efficient payment processing?
The biggest challenge is PCI compliance. If a business decides to store and handle the cards themselves, then they need to be PCI compliant; and in order to do so, you need to undergo an annual audit. In this audit, you are asked to provide evidence that you follow the PCI standards in 12 different sections covering everything from application security to hardware security to physical security at your hosting facility – and everything in between. In addition to that, there are many scans, tasks and activities that you need to perform at specific intervals throughout the year – and then provide evidence of those in the audit.
In short, PCI compliance is a very lengthy process, very time consuming and resource intensive and, mostly, very expensive.
With PCI Booking, companies can outsource their PCI compliance – and in so doing, avoid the entire process, for a fraction of the cost.
What is the role of PCI DSS compliance, and how do you assist your clients in achieving and maintaining it effectively?
PCI-DSS stands for Payment Card Industry Data Security Standard. This is the set of rules, regulations and procedures that a business should follow if they handle, store or process credit card information within their system. As mentioned before, getting this certification and maintaining it is a very time-, resource- and cost-demanding process.
With PCI Booking, customers can outsource all credit card processing, handling and storage to us, and then our customers can sign off on an SAQ (Self-Assessment Questionnaire) to indicate that they have outsourced all card-related processing, storage and handling to PCI Booking, and that is sufficient to indicate that they are PCI compliant.
Since our customers are never exposed to the card details – as those are stored in PCI Booking, our customers are essentially out of scope of the PCI-DSS standard and therefore the process to maintain this is very simple.
What are some best practices that businesses should follow when handling payment card data, particularly in e-commerce and reservation-related industries?
First of all, consider whether it is business essential to handle and store card details yourself or outsource it to a tokenization third party such as PCI Booking.
If you decide to handle and store the cards yourself, consider the following best practices:
- Minimal data storage – consider how much of the sensitive data you must keep in your system and what you can discard as soon as the transaction is over.
- Access control – make sure that only very few specific people have access to sensitive information. Reduce the access to the bare minimum as required to maintain their daily
- Question all assumptions regarding requiring access to card details.
- Logging – make sure that all activities, especially those pertaining to raw card details are properly and fully logged so that you can trace the path a card went through your system.
- Network and infrastructure security – simply protecting the servers that process credit cards is not enough – you have to protect the entire network and all the different servers and components that are connected to this network, even if they do not process credit cards at all.
- Consider hiring a consultant that can help guide you through the process.
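As an added illustration of the tokenization model described earlier in the interview (the merchant holds only an opaque token and never the raw card number) and of the minimal data storage, access control and logging practices listed above, here is a small Python example. It is constructed for this page and is not PCI Booking's code; the vault class, the role names, the token format and the sample log lines are all assumptions made for the demonstration.

```python
import re
import secrets
from dataclasses import dataclass, field

# Constructed example: a toy tokenization vault that keeps raw PANs on the
# provider side, hands the merchant an opaque token, and writes audit logs
# that never contain a full card number. Not PCI Booking's implementation.

# A run of 13-19 digits not bordered by other digits: a candidate raw PAN.
PAN_CANDIDATE = re.compile(r"(?<!\d)\d{13,19}(?!\d)")


def luhn_ok(pan: str) -> bool:
    """Luhn check-digit validation, used to reject mistyped card numbers."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit from the right
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def mask(pan: str) -> str:
    """Truncated form (first six, last four) that may be shown and logged."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


@dataclass
class TokenVault:
    """Provider-side store: only this class ever holds a raw PAN."""
    _cards: dict = field(default_factory=dict)
    audit: list = field(default_factory=list)
    # Assumed role map: which service account may perform which action.
    allowed: dict = field(default_factory=lambda: {
        "tokenize": {"checkout-service"},
        "charge": {"billing-service"},
    })

    def _authorize(self, action: str, actor: str) -> None:
        if actor not in self.allowed[action]:
            self.audit.append(f"actor={actor} action={action} result=denied")
            raise PermissionError(f"{actor} may not {action}")

    def tokenize(self, raw_pan: str, expiry: str, actor: str) -> dict:
        self._authorize("tokenize", actor)
        pan = re.sub(r"\D", "", raw_pan)
        if not 13 <= len(pan) <= 19 or not luhn_ok(pan):
            raise ValueError("PAN failed length/Luhn validation")
        token = "tok_" + secrets.token_urlsafe(16)  # random, not derived from the PAN
        self._cards[token] = (pan, expiry)
        self.audit.append(f"actor={actor} action=tokenize token={token} pan={mask(pan)}")
        # The merchant keeps only these fields (minimal data storage).
        return {"token": token, "masked_pan": mask(pan), "expiry": expiry}

    def charge(self, token: str, amount_cents: int, actor: str) -> dict:
        self._authorize("charge", actor)
        pan, expiry = self._cards[token]  # the raw PAN never leaves this scope
        # A real vault would forward pan/expiry to a payment gateway here.
        self.audit.append(
            f"actor={actor} action=charge token={token} amount={amount_cents} pan={mask(pan)}")
        return {"token": token, "amount_cents": amount_cents, "status": "approved"}


def find_pan_leaks(log_lines: list) -> list:
    """Return log lines containing a Luhn-valid 13-19 digit run (a likely raw PAN)."""
    return [ln for ln in log_lines
            if any(luhn_ok(m.group()) for m in PAN_CANDIDATE.finditer(ln))]


def demo():
    vault = TokenVault()
    rec = vault.tokenize("4111 1111 1111 1111", "12/27", actor="checkout-service")
    receipt = vault.charge(rec["token"], 12500, actor="billing-service")
    try:  # a service outside the allow-list is refused and the refusal is logged
        vault.charge(rec["token"], 1, actor="marketing-dashboard")
    except PermissionError:
        pass
    # Constructed log lines: the vault's audit trail plus one misconfigured service
    # that wrote a full card number into its own log.
    leaked = find_pan_leaks(vault.audit + ["reservation=4242 card=4111111111111111 saved"])
    return rec, receipt, vault.audit, leaked


if __name__ == "__main__":
    rec, receipt, audit, leaked = demo()
    print(rec, receipt, sep="\n")
    print(*audit, sep="\n")
    print("leaks:", leaked)
```

The merchant-side record returned by `tokenize` is what a reservation system would persist: token, masked PAN and expiry, nothing that brings it into PCI-DSS scope. `find_pan_leaks` is the kind of check worth running over application logs periodically, since a single component that logs the full number silently widens the scope for the whole network.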
What proactive measures can businesses take to stay ahead of emerging threats in the payment processing space?
Organizations should stay connected to people, websites and blogs that talk about payment processing. They should follow the big card brands (Visa, MasterCard, AMEX) to learn about new processes and new requirements that they introduce and that would enhance security. Speak to a security consultant – perhaps even an auditor of PCI compliance. This consultant will be able to provide relevant guidance on upcoming changes to the compliance standard or the procedures that you should follow.
Or, simply choose to outsource credit card handling – and in fact, all sensitive data, to PCI Booking and let us address any changes or emerging threats.