General overview
To ensure that no clear-text credit card data is stored in the PMS, inbound reservation messages must be pushed to the following endpoint:
https://pci.protel.net/cd-proxy-io/pci/1/io/reservations
This is the endpoint of our CD-Proxy-IO. The CD-Proxy-IO is a web application for third parties that want to send us credit card information in the reservation message. The main task of the CD proxy is to remove the credit card data (tokenize) and forward the document with a token.
Credit Card information in the OTA_HotelResNotifRQ
Workflow
- A third-party system sends a reservation message (OTA_HotelResNotifRQ) to the corresponding endpoint of CD-Proxy-IO (XML format).
- CD-Proxy-IO calls MIS to check the validity of the bearer token from the third-party system.
- MIS responds either with the corresponding hotel ID or with an error in case of invalidity.
- With the hotel ID and credit card details from the reservation message, CD-Proxy-IO calls CCM to get a token (tokenize).
- Credit Card Management (CCM) returns the token to CD-Proxy-IO. The proxy replaces the CC number in the original message with the token (with a PRTL prefix) and the masked card number.
- CD-Proxy-IO sends the modified reservation message OTA_HotelResNotifRQ to the endpoint of the ESB.
- CD-Proxy-IO forwards the ACK to the 3rd party system.
Message sample
Inbound messages must be populated in the path OTA_HotelResNotifRQ | HotelReservations | HotelReservation | RoomStays | RoomStay | ...
Before Tokenize:
After Tokenize:
In the PMS UI, the hotel can check the credit card information and can detokenize the credit cards in our Credit Card Management.
External token
If an integration partner wants to use external tokens (e.g. Windcave, Adyen, cCredit), this is also possible. The workflow is largely the same: the OTA_HotelResNotifRQ is pushed to our CD-Proxy-IO, but the CD-Proxy-IO does not tokenize anything and just forwards the message to the PMS.
For the hotel to recognize that the provided token is an external one, the following information needs to be added to the OTA_HotelResNotifRQ:
- The attribute @EncryptionKey should contain the external token. To enable the hotel to use the token, please put the abbreviation of the EFT Interface in front of the token (a list of possible abbreviations follows).
- The attribute @MaskedCardNumber should contain only the masked card number. If a clear card number is provided, the CD-Proxy-IO will tokenize the message again. To make it easy for the hotel, put an F in front of the masked credit card number, so the hotel can recognize that this is a foreign credit card.
Message sample
Possible abbreviations
Abbreviations | EFT Interface |
---|---|
SHFT: | North American payment service provider "Shift4" |
PMXP: | Windcave mostly used in Australia and formerly known as "Payment Express" |
ADYT: | Dutch payment service provider and acquirer Adyen |
CCRD: | Swiss / French payment service provider "Six Payment Services" or "Worldline Switzerland" produces the payment service "cCredit" |
CCC: | payment service called "3c" (or "CCC") |
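
A sender-side pre-flight check for the external-token rules above, as an added example (not protel code). Assumptions: the function names are hypothetical, the `Card` element in the constructed sample is a placeholder because the page elides the path below RoomStay, the attributes are looked up on any element, and a "clear card number" is approximated as a Luhn-valid run of 13 to 19 digits.

```python
import re
import xml.etree.ElementTree as ET

# Abbreviations listed in the page's "Possible abbreviations" table.
EFT_PREFIXES = ("SHFT", "PMXP", "ADYT", "CCRD", "CCC")
PAN_RUN = re.compile(r"\d(?:[ -]?\d){12,18}")  # 13-19 digits, optional separators

def luhn_ok(digits):
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch) * (2 if i % 2 else 1)  # double every second digit from the right
        total += d - 9 if d > 9 else d
    return total % 10 == 0

def has_clear_pan(value):
    """Heuristic (assumption): a Luhn-valid 13-19 digit run is a clear card number."""
    return any(luhn_ok(re.sub(r"\D", "", m.group())) for m in PAN_RUN.finditer(value))

def check_external_token_message(xml_text):
    """Return a list of problems; an empty list means the message passed."""
    problems, carriers = [], 0
    for el in ET.fromstring(xml_text).iter():
        tag = el.tag.split("}")[-1]  # drop the XML namespace
        key, masked = el.get("EncryptionKey"), el.get("MaskedCardNumber")
        if key is not None or masked is not None:
            carriers += 1
            if not (key or "").startswith(EFT_PREFIXES):
                problems.append(f"{tag}: @EncryptionKey lacks an EFT abbreviation prefix")
            if not (masked or "").startswith("F"):
                problems.append(f"{tag}: @MaskedCardNumber lacks the F prefix")
        # Scan every value except the token itself for a clear card number.
        values = [v for k, v in el.attrib.items() if k != "EncryptionKey"]
        values.append(el.text or "")
        if any(has_clear_pan(v) for v in values):
            problems.append(f"{tag}: clear card number present, proxy would tokenize")
    if carriers == 0:
        problems.append("no element carries @EncryptionKey or @MaskedCardNumber")
    return problems

# Constructed samples; "Card" is a placeholder element, tokens and numbers are made up.
TEMPLATE = ('<OTA_HotelResNotifRQ xmlns="http://www.opentravel.org/OTA/2003/05"><HotelReservations>'
            "<HotelReservation><RoomStays><RoomStay><Card EncryptionKey='{key}' MaskedCardNumber='{masked}'/>"
            "</RoomStay></RoomStays></HotelReservation></HotelReservations></OTA_HotelResNotifRQ>")
GOOD = TEMPLATE.format(key="ADYTexampletoken123", masked="F411111******1111")
BAD = TEMPLATE.format(key="exampletoken123", masked="4111111111111111")

if __name__ == "__main__":
    print(check_external_token_message(GOOD), check_external_token_message(BAD))
```

Run it on the outbound message before pushing to CD-Proxy-IO; any reported problem means the hotel either cannot use the token or the proxy will treat the message as carrying clear card data.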