New features and benefits for Webervations products

May 4, 2009 13:39 by Ben
Austin, TX – Less than four months after the successful transition of the Webervations system, RezOvation is pleased to announce a sweeping set of product enhancements for Webervations 1.0. First on the list, the encryption methods used on all credit cards entered into Webervations have been extended and upgraded to provide a much greater level of security, on par with that used by BedandBreakfast.com and RezOvation GT and Desktop products. A number of additional security procedures were put in place, including the removal of access to credit card information through direct or unencrypted links. Innkeepers can rest assured that their data is now safer than ever – another step taken to protect the industry from potential theft and fraud.

To add to the security features, effective immediately, Webervations will no longer be accepting or storing CVV or CVV2 numbers as per the PCI compliance guidelines. PCI regulations expressly prohibit the storing of CVV numbers for viewing. Any system that provides this feature to innkeepers is in violation of PCI regulations, and innkeepers who use systems that provide this feature should know that they can be held liable for using non-compliant systems. RezOvation is committed to ensuring that innkeepers have a system that offers the best security and clearly follows PCI guidelines. By the end of May, a new Webervations feature will enable users to customize their credit card retention policies. Innkeepers will be able to choose how long they retain credit card data – they can delete it immediately after a booking is processed or retain it until a guest checks out. This auto-delete functionality is similar to functionality that has been very well received by RezOvation GT users. Innkeepers can hold onto sensitive data as long as they wish; all sensitive data can be deleted automatically based on their specific settings.

Webervations users who are also BedandBreakfast.com members will be delighted by another new feature: Webervations can now be used to manage rates and inventory, and receive reservations directly from BedandBreakfast.com, Expedia, hotels.com, Kayak, Sidestep, Nextag, and coming this fall, Travelocity! BedandBreakfast.com recently signed an agreement with Travelocity to feature BedandBreakfast.com bookable properties on Travelocity websites, moving one step closer to the goal of getting B&Bs sold on every major online travel directory through a system that is easy for innkeepers to manage. Rates and inventory automatically synchronize across all systems, and reservations show up immediately in the Webervations system. It takes only a few minutes to set up the new feature, and customers who already use the BedandBreakfast.com Online Reservations program can easily switch over and use Webervations for management instead of the BedandBreakfast.com Online Reservations Manager.

Additional improvements to both Webervations 1.0 and 2.0, as well as to RezOvation GT are planned for the summer months and will be announced as soon as they are ready.

Categories: Webervations

Comments

May 5. 2009 05:05

So it's 7am here in England - around midnight over with you. It's day 1 of these changes.  I've just updated my system and there's a booking from Canada.  There's no CVV number supplied (or "security code" as we call it) by Webervations so I can't process the booking.

So what am I supposed to do?  Ring the guest up and get him out of bed in the middle of the night to ask him for information he has already supplied on his online booking form but which I'm not allowed to know?!!

How can we process credit card payments without the card information we need?

Is this another well intentioned but flawed change (such as the server move to Texas), designed to make our hectic lives even more problematic or have I missed something?

Tim Edwards

May 5. 2009 09:38

We have received a booking via Webervations and cannot now process or accept this booking without our contacting the customer by telephone.

I think something is wrong here. I am making purchases online regularly and I accept that I need to give the CVV number out on my card to enable suppliers to take payment from me.

How are we to process our bookings without the CVV number?

To have to call each guest individually is not the answer. Please can we have this issue looked into again.

Michael Lawson

May 5. 2009 17:50

@ Tim @ Michael -- unfortunately this is a situation where we don't have any choice but to not accept / store the CVV number, as it's against PCI compliance rules. If your processor requires this data, you will, unfortunately, have to contact the guest for it. Any site that takes your security code online is either a) passing it right to a credit card payment system and then processing the payment immediately, and not storing the number, or b) storing it illegally.

It is certainly not our intent to make your lives harder and I do apologize for any trouble.  We are concerned about security and what we are doing is ensuring that credit card data is kept safe and data that could compromise you or a guest is stored safely. Most innkeepers we talk to are relieved that we have made this change (we hear from innkeepers all the time that they are worried about security and credit card data in particular), and I'm sure any guests booking on Webervations will appreciate this as well. Credit card fraud is a serious and growing problem, and this change was necessary and important to protect you and your guests from fraud. - Ben

Ben

May 6. 2009 05:07

Unbelievable! There must be another way! You guys have just managed to take away the number 1 benefit of Webervations at a stroke and dressed it up as a "sweeping set of product enhancements". You've dumped the problem on your clients, leaving us at the start of our big season to get guests on the other side of the world out of bed to ask them for information they've already supplied!

I've been with Webervations for years and my bank are very happy with my data storage system.  CVV's are used once for their intended purpose and then destroyed.  Where's the problem?  

Most holiday home/ lodge/ vacation rentals - and a good number of B&B's and inns - work on a reservation request system where we receive booking requests 24/7 and then process them when we're next at our desk.  We are now completely unable to do this as we can no longer process the payment without speaking to the guest directly to get their card CVV.  So they might as well have telephoned to book and by-passed Webervations altogether!  

Please have another look at this rather than just give in.

Tim Edwards

May 7. 2009 21:38

Tim -- unfortunately the security regulations are clear -- CVV codes can never be stored under any circumstance, even if it is only temporary. You can take the number over the phone, or if you have a booking system that is hooked right in to a payment processor, that data can be passed to the processor -- but it simply can't be stored. The full requirements are here - www.pcisecuritystandards.org/.../pci_dss.shtml - read pages 4 and 22 for details on CVV codes. I think if you asked your bank whether they are OK with a third party system like Webervations storing this data, they would not be thrilled -- and would tell you to use something else lest you risk being fined for non-compliance. This is a very real problem, and there are many small businesses that have seen heavy fines due to non-compliance or because they were compromised and didn't do anything to protect sensitive card data. Read this for an example of some small businesses that have paid upwards of $30k in fines due to security issues: online.wsj.com/.../SB119042666704635941.html

Also -- a lot of processors will exempt you from needing the CVV code.  In particular, Visa Europe has an exemption specifically for lodging properties. Take a look at this: www.elavon.com/.../FAQ_CVV2%5B1%5D.pdf.  Specifically --
Question: Can I be exempted for the use of CVV2
Answer: Yes, Visa Europe recognises that some merchants will be unable to comply with this mandate as their business model would require storage of CVV2 data, which is prohibited under the PCI DSS rules. These merchants are therefore excluded from this mandate. This will primarily affect, but is not limited to, the merchant sectors below where transaction processing relates to account on file transactions and transactions where the final amount is not yet known at time of authorization:
· Recurring and installment payments
· Hotels/Lodging
· Car Hire
· T&E deferred or amended charges
· Health care incidental expenses
· Account on file CNP transactions
· Split transactions e.g. holiday deposits
· Business travel agents
Generally in these instances, CVV2 cannot be present beyond the first transaction because merchants, as a result of the data security rules, will typically not have CVV2 details available to them for subsequent CNP transactions.

Ben

May 7. 2009 21:56

Sorry, the elavon.com link is broken. Go here: www.elavon.com/.../card-security.aspx and click the link for CVV2 FAQ.

Ben

May 9. 2009 17:31

By issuing a detailed email (Saturday 9th May), thank you for at least (and at last) recognising that your actions have caused major problems for your previously loyal clients.

What is really annoying - and what you could so easily have avoided - is that you gave us ABSOLUTELY NO NOTICE that you intended to do this. On your own admission, full compliance with the new procedures is not required until 2010, yet you decided to introduce the CVV changes immediately without any advance indication or warning. Indeed as I write this Webervations still requests CVV numbers and helpfully explains what numbers have to be input by guests. This information is then being sent to you but not to us! So, we're having to call our guests to explain that Webervations is still asking for CVV numbers but isn't passing them on. How incompetent we are all made to look! If we had say 3 months notice, we could have explored alternatives, such as requesting CVV exemption from our banks. It would have also given you a chance to change how Webervations looks, so it didn't request CVV numbers as it still does at the moment!

Please do not now make matters worse by your next tranche of changes. Whilst your main market is the USA, cards are worldwide and in Europe for example, have different names. For example, we don't have "Discover" cards. In Europe it's called "Maestro". "Master Card" is "MasterCard" here (one word, capital "C" in the middle) and the differences list goes on. Also note that "CVV" and "CVV2" mean nothing in Europe. Here, it's commonly known as the last 3 digits from your "security code".

Tim Edwards

May 10. 2009 14:44

Tim - I agree that we should have been more upfront with this change, and going forward we will make sure that we are giving as much notice as we can on significant changes.  

As of Monday night, we will be removing the security code field from the checkout pages, which should eliminate any confusion there.

Security codes have been against PCI regulations for a few years, and to be perfectly honest this change should have been made years ago.  We've never stored CVV codes with our RezOvation property management software, and Webervations should have been doing the same thing.  It is actually against regulations at this point to store security codes, and anyone doing so can be subject to fines -- that really has nothing to do with the 2010 deadline.  What happens in 2010 is that all "service providers" and "payment applications" (which includes Webervations, RezOvation PMS software, and everyone else in the B&B market) will have to *officially* certify as PCI compliant by going through a rigorous third party audit.  Right now, you can "self-certify" which honestly really means nothing -- plenty of companies have self-certified as PCI compliant (including a few in the B&B space) who are not actually PCI compliant.  Some of those are storing security codes.  So the fact is that we had to make these changes as soon as we could, because it is not acceptable to put our customers and our company at risk.  

We'll make sure that we support all necessary credit card payment types. Differences between "Master Card" and "MasterCard" are for example negligible, in fact it is officially "MasterCard" in the US as well ... some folks just add a space.  As for Maestro and other credit card types, we can easily add support for those, and will also have an "Other" payment type which can be customized to read whatever you wish.  

Ben
