Securing your on-line booking website is critical to the safety of your transactions and your customer data. 

Whether you are planning to create your own booking form or you are going to use a web-based tour operator reservation system, you need to know what to look for to protect your business from potential security and credit card theft, and the hefty fines which may result.

Details: Your booking page, whether you create it yourself, or you use a software product has to be secure.  If you are currently requesting credit card information on a page that is NOT secure, you are probably in violation of your merchant agreement and could face severe penalties if you do not secure it. 

Okay, now that I've raised the red flag, let's take a look at some simple precautions you can take to ensure your booking website is secure:

Secure certificate: Your booking website should be protected with a secure certificate.  If you are using a web host, you can ask them to set one up for you for your booking page.  In general, secure certificates cost between $99-$499 per year.  Set-up will also run about $100.  If you are using a software as a service booking system, make sure they are using a secure certificate during the booking process. 

In most cases these hosted solutions will use a higher level of security and there will not be any additional cost associated with this.  If you have to install the system on your own website, then you may be required to set-up your own certificate.  If you have your own website but are using a web-based tour reservation system to handle your online bookings, then you probably won't need to purchase your own secure certificate.

Use a payment gateway: If you plan on accepting payments on-line from your customers, then use an approved payment gateway to process your credit cards in real-time.  Using a payment gateway instead of taking credit card information manually or over the phone reduces your risk of credit card theft and ensures that your customer data is secured. 

A payment gateway is particularly well suited to operators who sell vouchers for their tours or activities.  Specialist operators who sell high priced packages that require a deposit may not need a payment gateway because they tend to receive payments in steps. Popular payment gateways include PayPal Website Payments Pro, Authorize.net, Chase Paymentech, iTransact, Ogone, Payjunction, Eway, DPS Payment Express, and PPI Paymover.  Integrating a payment gateway can be tricky business and will require a developer if you plan on doing yourself.  If you are using a web booking system, they will probably support some or all of these popular gateways.  This alone, could say you $1500 – $2500 in development fees.

But what about hosted payment pages such as 2checkout, Paypal standard payments, or bank specific payment pages?  These options are reasonable alternatives to fully integrated solution but can actually be much more cumbersome from an administrative standpoint and tend to have a much higher booking abandonment rate that integrated booking solution.  If the booking solution you plan to use only supports hosted payment pages, you may want to consider looking for a package that supports a more robust payment integration.

PCI Compliance: Even if you don't plan on using a payment gateway, you should ensure that your booking page is PCI Compliant, which means that your site is scanned for vulnerabilities and checked to ensure that known security issues are addressed in a timely manner. 

If you plan on integrating a payment gateway, you will be required to be PCI compliant before your gateway is activated.  If you use your own website and booking page, then you will be responsible for PCI compliance.  If you use a hosted tour operator software, then chances are that the software will go through its own PCI compliance.  If you use a web-based tour/activity booking system that is PCI compliant, it can save you about $500 per year in compliance scanning costs.  If the tour operator software you are using is not PCI compliant, you may want to consider switching to a booking system that is PCI compliant.

Questions to ask your developer or web booking software vendor:

• Is the booking process secured with a high encryption secure certificate (256 bit or higher)?
• Are you directly integrated with payment gateways or do you only support hosted payment pages?
• Is the system PCI compliant?
• If the your current booking form or web booking software vendor answers "No" to any of these questions, you should consider rectifying the situation by securing your booking form or switching to a more secure platform.

Outcome: Security and credit card safety are no laughing matter and your failure to protect your customers' valuable personal and payment information can result in severe penalties.  By ensuring that your booking form is both secure and credit card safe is not difficult nor does it have to be expensive. 

By partnering with the right software partner or developer (one who clearly understands the importance of PCI compliance and security) you can be sure your booking process is safe and secure.

Stephen A. Joyce has been working as a travel & tourism technology consultant since 1995. In 2005 Stephen and his company, Sentias Software Corp., began development on Rezgo.com, a next generation Web 2.0 tour and activity booking engine for SME travel suppliers and tour operators. In June of 2007, Rezgo.com was officially released and now boasts a user base of 900+ companies. Stephen is also very active in fostering tourism technology and is co-chair of the Board of Directors of the OpenTravel Alliance, a non-profit organization whose mandate is to develop and foster messaging standards for travel e-distribution.

http://tourismtechnology.rezgo.com