Prerequisites: Securing your on-line booking website is critical to the safety of your transactions and your customer data. Whether you are planning to create your own booking form or you are going to use a web-based tour operator reservation system, you need to know what to look for to protect your business from potential security and credit card theft, and the hefty fines which may result.
Estimated Time for Completion: 10 min reading time
Details: Your booking page, whether you create it yourself or use a software product, has to be secure. If you are currently requesting credit card information on a page that is NOT secure, you are probably in violation of your merchant agreement and could face severe penalties if you do not secure it. Okay, now that I’ve raised the red flag, let’s take a look at some simple precautions you can take to ensure your booking website is secure:
- Secure certificate: Your booking website should be protected with a secure certificate. If you are using a web host, you can ask them to set one up for you for your booking page. In general, secure certificates cost between $99-$499 per year. Set-up will also run about $100. If you are using a software as a service booking system, make sure they are using a secure certificate during the booking process. In most cases these hosted solutions will use a higher level of security and there will not be any additional cost associated with this. If you have to install the system on your own website, then you may be required to set up your own certificate. If you have your own website but are using a web-based tour reservation system to handle your online bookings, then you probably won’t need to purchase your own secure certificate.
- Use a payment gateway: If you plan on accepting payments on-line from your customers, then use an approved payment gateway to process your credit cards in real-time. Using a payment gateway instead of taking credit card information manually or over the phone reduces your risk of credit card theft and ensures that your customer data is secured. A payment gateway is particularly well suited to operators who sell vouchers for their tours or activities. Specialist operators who sell high priced packages that require a deposit may not need a payment gateway because they tend to receive payments in steps. Popular payment gateways include PayPal Website Payments Pro, Authorize.net, Chase Paymentech, iTransact, Ogone, Payjunction, Eway, DPS Payment Express, and PPI Paymover. Integrating a payment gateway can be tricky business and will require a developer if you plan on doing it yourself. If you are using a web booking system, they will probably support some or all of these popular gateways. This alone could save you $1500 – $2500 in development fees.
But what about hosted payment pages such as 2checkout, Paypal standard payments, or bank specific payment pages? These options are reasonable alternatives to a fully integrated solution but can actually be much more cumbersome from an administrative standpoint and tend to have a much higher booking abandonment rate than an integrated booking solution. If the booking solution you plan to use only supports hosted payment pages, you may want to consider looking for a package that supports a more robust payment integration.
- PCI Compliance: Even if you don’t plan on using a payment gateway, you should ensure that your booking page is PCI Compliant, which means that your site is scanned for vulnerabilities and checked to ensure that known security issues are addressed in a timely manner. If you plan on integrating a payment gateway, you will be required to be PCI compliant before your gateway is activated. If you use your own website and booking page, then you will be responsible for PCI compliance. If you use a hosted tour operator software, then chances are that the software will go through its own PCI compliance. If you use a web-based tour/activity booking system that is PCI compliant, it can save you about $500 per year in compliance scanning costs. If the tour operator software you are using is not PCI compliant, you may want to consider switching to a booking system that is PCI compliant.
Questions to ask your developer or web booking software vendor:
- Is the booking process secured with a high-encryption secure certificate (256-bit or higher)?
- Are you directly integrated with payment gateways or do you only support hosted payment pages?
- Is the system PCI compliant?
If your current booking form or web booking software vendor answers “No” to any of these questions, you should consider rectifying the situation by securing your booking form or switching to a more secure platform.
For more information, refer to the following related articles:
- What is PCI Compliance & How Does it Affect My Tourism Business
- Credit Card Best Practices that Reduce Charge Backs for Your Tourism Business
- Business Verification & Validation Services for Your Tourism Website
Outcome: Security and credit card safety are no laughing matter and your failure to protect your customers’ valuable personal and payment information can result in severe penalties. Ensuring that your booking form is both secure and credit card safe is not difficult, nor does it have to be expensive. By partnering with the right software partner or developer (one who clearly understands the importance of PCI compliance and security) you can be sure your booking process is safe and secure.