Remove Channel Managers from PCI Scope | PCI Booking

Four steps to remove Channel Managers from PCI Scope

Four steps to remove Channel Managers from PCI Scope

Geoff Milton

Channel Managers play an important intermediary role in the supply chain.  They continuously receive payment card data from multiple Online Travel Agencies through an automated process using push and pull methodologies.

Conventional methods of eliminating payment card data from scope in order to achieve PCI Compliance are either to build an entire PCI secure environment for the business or to use tokens provided by payment gateways. Neither are satisfactory for entirely different reasons.


Tokenization using payment gateways result in an flexible solution where hotels are required to establish an expensive relationship with an payment gateway. Solutions designed internally or with the aid of third parties are is simply too expensive and time consuming to build.  Shortcuts often adopted such as the use of Amazon AWS service alone are are simply not compliant.

There is a third alternative which is faster and inexpensive to implement and comes without the inconvenience and inflexibility of using a payment gateway. The service is dependent upon the use of a cloud based PCI solution provider responsible for the capture, storage and display of card data. Basic steps are:

  1. Tokenization of bookings containing payment card data ‘on the fly’.   This allows guaranteed bookings that are either  ‘Pushed’ or ‘Pulled’ from OTAs to be tokenized in real time before they are delivered to the Channel Manager. The Channel Manager receives a token and masked card instead of open card data.   
  1.  Payment card data is stored on servers within PCI accredited data centres for an unlimited period with unlimited access to the card data by hotels  
  1.  Whenever a hotel wishes to view a credit card in order to take a pre-authorization, payment or wishes to invoke the cancellation policy a request is made to the Channel Manager through the Channel Managers own portal. The Channel Manager responds by exchanging the token with the PCI service provider and the card details are then displayed to the hotel in an iframe display hosted by the PCI solution provider but viewed within the Channel Manager's portal.
  1. Access control to the card data by hotels is governed by a property management service supplied by the PCI service provider which is integrated within the Channel Manager’s application.  

This four step approach is simple and quick to implement typically taking no more than one week to set up.  Many leading OTAs, CRS and Booking Engines adopt a similar approach for their systems also.  

A White Paper that describes in more deal the challenges faced by a Channel Manager plus a detailed description of the service outlined may be found here

Subscribe to the

PCI Booking Blog