Travel Payments Integration: Hands-On Experience with Solutions for OTAs and Other Resellers
More than two-thirds of travel and tourism sales are made via the Internet, and the share of online vs offline bookings will only grow in the coming years. So the ability to accept online payments is becoming vital for any travel business. In this article, AltexSoft shares its expertise in the implementation of different payment scenarios. We’ll also discuss key tools and concepts to be aware of when starting an integration project.
Payment essentials to keep in mind when accepting credit cards
Before diving into details, we want to briefly outline the questions you’ll inevitably have to ask yourself during the integration process. The answers will largely impact the security infrastructure to be built, the payment tech stack, and the overall effort to be put into the project. We’ll walk you through
How to stay PCI DSS compliant. The first thing to keep in mind when you go into eCommerce is PCI DSS compliance. Standing for the Payment Card Industry Data Security Standard, it’s a set of technical and operational rules devised by the five major card brands (MasterCard, Visa, American Express, Discover, and JCB International) to protect sensitive customer information.
Travel companies try to reduce PCI DSS scope by using third-party services and thus eliminating their interactions with sensitive information.
“OTAs integrate with payment gateways and tokenization tools to outsource as much data security headache as possible,” Ivan Mosiev, a Solution Architect engaged in many travel projects at AltexSoft, explains. “Ideally, cardholder information shouldn’t touch your backend systems at all. If it travels through your server, you’ll inevitably face a more complex certification process, with more investments in infrastructure required. To store sensitive data, you need additional security policies and measures like restricted physical access to servers.”
To be or not to be a merchant of record. Another factor that will largely impact your payment and data security stack is whether you act as a merchant of record or not.
A merchant of record (MoR) is a business entity that actually sells products to end customers. It handles financial transactions, maintains a merchant account to collect online payments, takes care of taxes, processes refunds and chargebacks, ensures fraud protection, and more. In other words, an MoR manages the entire sales process, with its name appearing on the credit card statements received by a customer.
You can handle payments yourself — however, many travel resellers prefer to trust these responsibilities to other players. “It’s common for the travel industry when an OTA isn’t a merchant of record and doesn’t process payments itself,” Ivan Mosiev confirms. “Instead, it forwards cardholder data to an airline or hotel, which serves as an MoR: It withdraws money from a customer’s card and then pays a commission to the OTA.”
Which payment gateway suits your travel business best. If you choose to be a merchant of record, you need to integrate with a payment gateway — a service that provides a secure infrastructure to process online transactions. Read our articles on payment gateway integration and online payment processing to understand how these services work.
How many payment flows you have to implement. The more travel suppliers you want to deal with as a merchant of record, the more payment scenarios you’ll need to build around the gateway integration.
Now, let’s explore each issue more thoroughly and try to elaborate on the right ways to address them.
Travel business and PCI DSS compliance levels
In 2017, the International Air Transport Association (IATA) declared that their internal electronic system — Billing and Settlement Plan (BSP) — is compliant with PCI DSS. The organization also made it mandatory for all IATA-accredited travel agents to adhere to the security standard. Yet, PCI DSS applies even to small, non-IATA travel companies — if they accept, transmit, or store payment card data.
Ignoring data security standards may result in fines from payment processors and credit card companies, which range from $5,000 to $100,000 a month, based on the business size as well as on how long and to what extent you remained non-compliant. Of course, adherence to PCI rules doesn’t guarantee 100 percent data security — however, should a data leakage occur, the penalties will be significantly lower or eliminated if your compliance is impeccable.
What exactly must you do to satisfy PCI requirements? It largely depends on the number of transactions your business processes during the year. By this parameter, all merchants are divided into four levels.
Four levels of PCI DSS compliance.
Level 1 covers businesses handling more than 6 million Visa, Mastercard, or Discover transactions, more than 2.5 million American Express transactions, or more than a million JCB transactions. It can be, for example, large online travel agencies (OTAs), international hotel chains, and major full-service and low-cost carriers (LCCs). A company will also be consigned to this strictest compliance level if it has recently experienced a data breach, regardless of transaction volumes.
To achieve Level 1 compliance, you must
- conduct quarterly vulnerability scans, involving approved scanning vendors (ASVs);
- have an onsite audit done by an external auditor who will prepare a Report of Compliance (RoC); and
- complete an Attestation of Compliance (AoC) form.
Businesses that fall under all other levels don’t need to invite third-party auditors for annual onsite checks. Instead, they file an appropriate Self-Assessment Questionnaire (SAQ) that helps companies validate their compliance with PCI DSS.
Level 2 is for one to six million Visa, Mastercard, or Discover transactions, 50,000 to 2.5 million AmEx transactions, or fewer than a million JCB transactions. These volumes are usually handled by medium OTAs, tour operators, etc. The compliance entails doing quarterly vulnerability scans and completing SAQ and AoC forms. Sometimes they also must have an RoC issued.
Level 3 ranges from 20,000 to one million Visa, Mastercard, or Discover transactions or fewer than 50,000 AmEx transactions annually. This can be the case for travel startups or local vacation rental management companies. They still undergo quarterly scanning by an ASV, complete an annual SAQ, and submit an attestation of compliance.
Level 4 relates to less than 20,000 Visa or Mastercard transactions, typical for boutique hotels and home-based travel agents. The validation typically involves quarterly network scans by an ASV and completing an annual SAQ and AoC.
As you can see, JCB has only two merchant levels, Discover and AmEx stop at Level 3, and only Visa and Mastercard maintain Level 4. There can be other differences in requirements across card brands and banks which add to the overall complexity of achieving compliance.
We’ll discuss solutions for securing data later. Note that third-party tools only cut your risks of data exposure. They don’t completely excuse you from PCI DSS but can become a part of your compliance strategy.
Merchant of record role in travel
To be or not to be an MoR? That’s the question you have to answer, considering all pros and cons of each option.
You’re not an MoR: Fewer responsibilities, less control
If you choose not to be an MoR, it dramatically simplifies the payment flow on your side. You don’t need to set up and maintain a merchant account, integrate with a payment gateway, and build complex business logic. Once a traveler enters credit card details on your website, they’re automatically resent to a merchant of record, be it a hotel, airline, or travel aggregator — typically via GDS — for processing. On the dark side, you have limited control over prices, and sometimes it takes weeks, if not months, to get your commissions paid.
Payment process for an OTA that is not a Merchant of Record.
Note that even with MoR duties outsourced, you remain subject to PCI DSS — since you still receive and transmit cardholder data. Besides, in some situations, you can’t avoid storing sensitive information — at least for a little while.
For example, during the traditional flight booking process, there is a time lag between the moment a traveler makes a reservation (and consequently enters payment and other details) on your website and the trip is bought. In between, an airline reservation system creates a passenger name record (PNR) that is mandatory to enable ticketing. In the meantime, the OTA may keep card information to pay a fare once the PNR is ready.
Watch our video to understand better how flight booking unfolds.
Traditional flight booking: steps and systems involved.
Another scenario we came across in our practice is when an OTA stored payment details to charge extra fees. This may happen when an airline, hotel, or air consolidator, which acts as an MoR, restricts commission rates. If your travel agency wants to earn more on a particular product, you can set an additional markup, name it a service fee and withdraw it outside the main payment flow, not via your merchant of record. But, as we said before, it entails storing card information.
Tokenization services: Why use them
Instead of storing cardholder data within internal systems, travel businesses can partner with a tokenization provider to reduce PCI compliance scope.
Payment flow for a non-merchant of record involving a tokenization provider.
Such services work as follows:
- replace credit card info with a unique identifier — a token — once a customer fills out a payment form on the website;
- return a token associated with the card to a travel platform;
- store credit card details in their encrypted databases; and
- upon request of the token holder, forward actual payment data to a GDS, airline, or other destination.
In some cases, a tokenization service can send actual payment data back to the travel platform — in exchange for a token. Yet, this step is risky from a security point of view, so it’s better to avoid it. The point of using tokenization is that you host tokens only while sensitive details — such as a card number, expiration date, or CVV code — never make their way to your server.
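To make the boundary concrete, here is an added illustration (not code from the article, and not the API of any provider named in it) of the flow the list above describes: the card form hands the data to a vault, the travel platform persists only the token and display data, and the vault forwards the real card data to the merchant of record on the token holder's request. The vault is an in-process stand-in for an external service; every class and function name is an assumption made for this example, and the card number is a constructed test value.

```python
"""Added illustration of the tokenization boundary described in the article.
Not code from the article or from any tokenization provider; all names here
(TokenVault, Destination, TravelPlatform) are assumptions for this example.
"""
import re
import secrets
from dataclasses import dataclass


@dataclass(frozen=True)
class Card:
    pan: str      # primary account number
    expiry: str   # MM/YY
    # The CVV is deliberately not modelled: it may be passed through for
    # authorization but must never be retained, even by the vault.


class TokenVault:
    """Stand-in for an external tokenization provider (assumed API)."""

    def __init__(self) -> None:
        self._store: dict[str, Card] = {}

    def tokenize(self, card: Card) -> dict:
        """Accept card data straight from the browser form; return an opaque
        token plus non-sensitive display data (last four digits)."""
        token = "tok_" + secrets.token_urlsafe(16)
        self._store[token] = card
        return {"token": token, "last4": card.pan[-4:]}

    def forward(self, token: str, destination: "Destination") -> bool:
        """Send the real card data to a GDS/airline/hotel on the token
        holder's behalf. The platform never receives the PAN back."""
        card = self._store.get(token)
        if card is None:
            return False
        destination.receive(card)
        return True


class Destination:
    """Stand-in for the GDS, airline, or hotel endpoint acting as MoR."""

    def __init__(self) -> None:
        self.received: list[Card] = []

    def receive(self, card: Card) -> None:
        self.received.append(card)


class TravelPlatform:
    """The OTA backend: it stores tokens and display data, nothing else."""

    def __init__(self, vault: TokenVault) -> None:
        self.vault = vault
        self.bookings: dict[str, dict] = {}

    def record_booking(self, booking_id: str, token_response: dict) -> None:
        # Only the token and last4 are persisted; PAN and expiry never arrive.
        self.bookings[booking_id] = {
            "token": token_response["token"],
            "last4": token_response["last4"],
        }

    def pay_supplier(self, booking_id: str, destination: Destination) -> bool:
        token = self.bookings[booking_id]["token"]
        return self.vault.forward(token, destination)


PAN_LIKE = re.compile(r"\d{13,19}")


def platform_holds_no_pan(platform: TravelPlatform) -> bool:
    """Scope check: nothing the platform persisted looks like a full PAN."""
    for record in platform.bookings.values():
        if any(PAN_LIKE.search(str(v)) for v in record.values()):
            return False
    return True


def demo() -> dict:
    vault = TokenVault()
    platform = TravelPlatform(vault)
    airline = Destination()
    # Constructed sample card (a standard test number, not a real account).
    card = Card(pan="4111111111111111", expiry="12/30")
    # 1. The card form submits to the vault, not to the platform.
    token_response = vault.tokenize(card)
    # 2. The platform stores the token with the booking.
    platform.record_booking("PNR123", token_response)
    # 3. Once the PNR is ready, the platform asks the vault to forward by token.
    forwarded = platform.pay_supplier("PNR123", airline)
    return {
        "forwarded": forwarded,
        "airline_got_pan": airline.received[0].pan == card.pan,
        "platform_holds_no_pan": platform_holds_no_pan(platform),
        "last4": platform.bookings["PNR123"]["last4"],
    }


if __name__ == "__main__":
    print(demo())
```

The check `platform_holds_no_pan` is the kind of assertion worth keeping in a test suite: if a later change ever persists a field that looks like a card number on the OTA side, the test fails before the scope reduction is silently lost. The step the article warns against, detokenizing back to the platform, has no method here on purpose.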
Below is a list of several systems we tested when working on travel projects — but of course, there are many other available options that may suit you better.
TokenEx can gather sensitive data from OTAs, booking engines, and third-party loyalty programs through the batch process or in real-time via API integration. In the latter case, an iFrame (inline frame) is embedded into the card form layout on your website to instantly capture payment information and convert it into tokens that you can store internally. When you need to transmit payment details, you just send a token and its destination to TokenEx, which forwards the related data to the endpoint.
PCI Proxy is another reliable tokenization solution that collects and stores sensitive info in its secure database to reduce the cost and hassle of PCI compliance. The platform is a part of Datatrans, a Swiss payment service provider for online shops, mobile apps, and social media. Among its clients are the leading German OTA HolidayCheck, the flag carrier of Switzerland SWISS, the Spanish hotel wholesaler Hotelbeds, and others.
Spreedly, a payment orchestration platform, lets businesses securely store credit card information in a PCI Level 1 compliant vault and also connects them to a network of 120 global gateways and payment service providers via a single API. In our practice, we integrated Spreedly with a hotel booking platform to guarantee PCI compliance when booking rooms via the Sabre GDS platform.
You’re an MoR: Be the master of your payments
Now, let’s consider the situation when a travel agency decided to be its own MoR. By doing so, the company grabs greater control over pricing since it can easily add markups itself without the mediation of an airline/hotel or building an alternative payment process. Besides, the MoR receives money from customers almost immediately after purchase instead of waiting for service commissions to be reimbursed by suppliers.
Payment process for an OTA that is not a Merchant of Record.
As regards the additional challenges and responsibilities, an MoR must
- run a merchant account to collect payments;
- take charge of taxes, refunds, payment disputes, etc.;
- integrate with a payment gateway that provides a secure infrastructure to accept transaction data and send it to a corresponding financial institution (this way, an MoR outsources most of the PCI DSS compliance burden); and
- build rather complex payment flows.
“The role of MoR works better for companies with large sales volumes,” Ivan Mosiev argues. “Yet, it comes at a price: A gateway charges service fees for each transaction. This adds to the price of your offer, making it less competitive — and leisure travel is extremely price sensitive.”
Also, when a refund occurs (say, if an airline cancels a flight), the gateway won’t give back the money you’ve already paid for its services. “That’s why OTAs are enormously interested in running their internal payment options — such as e-wallets,” Ivan Mosiev says. “They can offer customers two options: transfer a refund to the wallet right now or return it to the credit card in a month after a bank processes the payment. Customers who choose the first scenario can purchase the next travel using the e-wallet money while the OTA will save on service fees.”
If, despite all the extra expenses and challenges, you still want to become an MoR, it’s time to proceed to choose the right payment gateway.
Payment gateway in travel: Popular options and selection criteria
There are several major things companies should consider when selecting a payment gateway. Note, though, that the questions to be answered are not travel-specific and apply to any eCommerce business.
How much will it cost you to process a payment? This is probably the first question that comes to mind regarding gateways. Service providers can charge a fixed fee per transaction, a percentage of the product price, a percentage plus a fixed fee, or a percentage that must be no less than a particular value. Also, sometimes there are setup and monthly fees.
Which currencies and payment methods does a gateway support? If your merchant account is open, for example, in Saudi Arabia, your gateway must be able to work with Saudi riyals (SAR) and convert other currencies into SAR so that you can pay local contractors. Also, check if the provider accepts payment methods preferred in the regions where your clients live — like local e-wallets, national credit cards, bank transfers, and so on. Short-term credits, known as buy now pay later, are gaining traction in travel, so if your gateway supports such payments, it can be a big advantage for you and your customers.
What fraud prevention tools does a gateway leverage? Carefully examine how a payment gateway spots and blocks suspicious activities and illegal transactions. Which risk-scoring tools and lockout mechanisms are available? Does the platform use machine learning for fraud detection? “Keep in mind that if the money is illegally charged on your website, you’ll be involved in a fraud investigation and have to prove that you’ve done everything possible to secure your customers from scams,” Ivan Mosiev warns.
How to fight financial fraud with machine learning.
How good is technical documentation? Pay special attention to a gateway’s technical documentation. Ideally, it should be public — in other words, you needn’t sign a contract to look through it. “Public availability typically means that the payment system is stable and easy to integrate with,” Ivan Mosiev explains. “Private access, on the contrary, may signal the poor quality of API documentation, which will result in a painful and time-consuming implementation process.”
With all the above-mentioned in mind, let’s overview a couple of payment gateways we personally worked with (but it doesn’t mean that they will be the best fit for you). All of those providers maintain modern REST APIs, SDKs for different programming languages, and detailed, publicly available documentation. As a result, we faced no technical problems with integrations.
Also, needless to say, the gateways are certified as Level 1 PCI DSS service providers. So we’ll concentrate on other parameters — pricing, currencies and payment methods supported, focus markets, fraud detection technologies, and the pool of partners from the travel industry.
How payment gateways differ from each other.
Stripe: Airbnb payment partner with support for Buy Now Pay Later
Founded in 2010, Stripe has a presence in 46 countries, accepting payments in 135 currencies. The Irish-American finance SaaS platform mostly targets North American and European markets. But it also works with China UnionPay and Japan Credit Bureau (JCB) international cards as well as Asian digital wallets and payment methods — Alipay, WeChat Pay (China), FPX (Malaysia), PayNow (Singapore), GrabPay (Southeast Asia), and more. Stripe supports Buy Now Pay Later payments provided by Affirm, Afterpay, and Klarna.
Stripe’s fraud detection tool, Radar, spots and blocks scams using an ML algorithm trained on data from millions of transactions. Using it adds 5 cents per screened transaction to a basic Stripe fee — 2.9% + $0.30 per successful payment. On the bright side, the gateway doesn’t charge setup or monthly fees.
Stripe serves many travel platforms — for example, Navan (the corporate travel and expense management service formerly known as TripActions) and WeTravel (the booking and payment solution). In May 2023, the platform partnered with Airbnb to provide guests with more payment options and the ability not to re-enter card details for each booking.
At the same time, the fintech giant regards some travel businesses as posing increased financial risks — namely, airlines and cruises, timeshares, and travel reservation services and clubs. “For companies from those categories, it might take more time and effort to certify the Stripe integration and go live with it,” Ivan Mosiev explains.
Checkout.com: A European platform with a strong focus on Asia and the Middle East
Checkout.com, the most valuable European fintech startup, is headquartered in London and available in nearly 50 countries globally. Yet, its story of success started in 2009 in Singapore, where the company initially processed payments for businessmen from Hong Kong.
Even after relocation to Great Britain, the platform preserves a strong focus on Asian and Middle East markets, partnering with Alipay and six other Asian digital wallets as well as with three Middle East card networks and Egyptian e-payment solution Fawry.
AltexSoft gained a hands-on experience with Checkout.com when modernizing an OTA from Saudi Arabia (you can find details of this partnership in our case study). Another Saudi client of the platform is Seera Group. Their choice is no surprise since the gateway offers easy integration with regional payment methods — like debit cards Mada in Saudi Arabia and KNET in Kuwait.
The gateway is also popular among European travel businesses — such as Etraveli Group, a flight-centric OTA based in Sweden, a Dutch-French micromobility company Dott, a Spanish hotel booking engine Mirai, and others.
The platform comes pre-built with Fraud Detection Pro, which uses machine learning to identify suspicious behavior. But you can also add your own rules to fight scams. As for pricing, it’s available on request and will depend on various factors.
Authorize.net: Number one choice of US-based small and medium-sized businesses
Authorize.net has been providing credit card processing services to small and medium-sized businesses since 1996. Now one of the US’s most popular payment gateways is owned by Visa, the world’s second-largest card network (after China UnionPay).
Compared with Stripe and Checkout.com, the platform has a modest portfolio of currencies (12) and payment methods. Besides major card networks (Visa, Mastercard, Discover, AmEx, and JCB), it supports eChecks (digital versions of paper checks, also known as direct debits) and two global digital wallets — PayPal and Apple Pay.
The platform works with companies located in the USA, Canada, and Australia, allowing them to accept payments from around the world. Among its clients from the travel industry are several providers of tour operator booking software — Rezdy (Australia), Rezgo (Canada), and US-based Xola and Softrip.
Authorize.net offers businesses two pricing plans: a payment gateway with or without a merchant account. If you don’t have one, the company can set up and maintain it for you. Both plans come with an Advanced Fraud Detection Suite that leverages 13 filters to prevent illegal transactions.
Qualpay: A simple all-in-one solution for small US companies
Qualpay is a payment processing platform founded in 2014 in California. Similar to Authorize.net, it combines a gateway and merchant account in one integration and also can work as a tokenization service storing payment details in Customer Vault. It’s a simple, all-in-one solution for small e-commerce businesses located and operating in the US. In our practice, we integrated Qualpay with a self-service booking platform for closed user groups.
Qualpay works with major global cards, Google Pay, and ACH bank transfers, which are popular in the US. It accepts all currencies supported by Visa and Mastercard (150+ total), converting them into US dollars before placing money in a merchant account.
The platform has no separate fraud detection tool. It offers only basic settings which enable you to block duplicate transactions and specific IP addresses, reject transactions if their number falls below or exceeds the predefined minimum/maximum, and disable payment processing for a specific timeframe.
Payment scenarios to take into account
As we said, integrating payment gateways is not that complex — provided that they offer modern APIs accompanied by detailed documentation. The most challenging part is building business logic around those integrations. Payment flows can be diverse and intricate, so we must explore and implement all possible scenarios.
Travel payments with debit and credit cards
If you want to accept both credit and debit cards, it may entail two different flows — even when using a single payment platform. After booking, a credit card payment is put on hold until an airline or hotel checks the availability of a seat or room. On confirmation, the blocked money will be charged. Otherwise, the sum remains in your customer’s account.
But with debit cards, it’s an entirely different story. In this case, a transaction happens instantly upon reservation. If a supplier says “no” to the booking, you automatically get involved in refund issues. You lose on fees, commissions, and currency exchange rates — not to mention your customers have to wait for a refund to be processed to have their money back.
Losses associated with debit cards can be immense in markets where this type of payment dominates over others. It primarily concerns the Middle East since Islam, the region’s most followed religion, doesn’t approve of credit cards, and the majority of transactions are made with debit cards. For our partner from Saudi Arabia, we created a separate, rather complicated flow involving tokenization and an internal digital wallet to prevent painful chargebacks.
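The two flows just described, plus the internal wallet used to avoid a refund round-trip, as an added example that is not code from the article or from the Saudi project it mentions. A credit card is authorized at booking and captured only when the supplier confirms (otherwise the hold is voided); a debit card is charged at once, so a supplier rejection means either a gateway refund, on which the fee is not returned, or a credit to the customer's wallet for rebooking. The gateway is a stub with an assumed percentage-plus-fixed fee, the assumption that a bare authorization hold carries no fee, and assumed class and method names throughout.

```python
"""Added illustration of credit (authorize/capture) vs debit (immediate charge)
booking flows with an optional internal wallet. Not code from the article;
StubGateway, its fee model and all names here are assumptions for the example.
"""
from dataclasses import dataclass
from decimal import Decimal
from enum import Enum


class CardType(Enum):
    CREDIT = "credit"
    DEBIT = "debit"


@dataclass(frozen=True)
class Outcome:
    customer_charged: Decimal   # amount that actually left the customer's card
    gateway_fee_paid: Decimal   # fee the OTA paid and cannot recover
    refund_pending: bool        # customer is waiting for a bank refund
    wallet_credit: Decimal      # amount parked in the OTA wallet for rebooking


class StubGateway:
    """Assumed gateway: fee = pct * amount + fixed on every captured payment.
    Fees are not returned on refund (the behaviour the article describes);
    a bare authorization hold is assumed to carry no fee."""

    def __init__(self, pct: Decimal = Decimal("0.029"),
                 fixed: Decimal = Decimal("0.30")) -> None:
        self.pct, self.fixed = pct, fixed
        self.holds: dict[str, Decimal] = {}
        self.captured: dict[str, Decimal] = {}

    def fee(self, amount: Decimal) -> Decimal:
        return (amount * self.pct + self.fixed).quantize(Decimal("0.01"))

    def authorize(self, ref: str, amount: Decimal) -> None:
        self.holds[ref] = amount            # money blocked, not moved

    def capture(self, ref: str) -> Decimal:
        amount = self.holds.pop(ref)        # hold becomes a real charge
        self.captured[ref] = amount
        return self.fee(amount)

    def void(self, ref: str) -> None:
        self.holds.pop(ref)                 # release the hold, nothing charged

    def sale(self, ref: str, amount: Decimal) -> Decimal:
        self.captured[ref] = amount         # authorize + capture in one step
        return self.fee(amount)

    def refund(self, ref: str) -> Decimal:
        return self.captured.pop(ref)       # principal back, fee stays paid


def process_booking(gateway: StubGateway, ref: str, amount: Decimal,
                    card_type: CardType, supplier_confirms: bool,
                    refund_to_wallet: bool = False) -> Outcome:
    """Run one booking through the flow appropriate for the card type."""
    zero = Decimal("0.00")
    if card_type is CardType.CREDIT:
        gateway.authorize(ref, amount)
        if supplier_confirms:
            fee = gateway.capture(ref)
            return Outcome(amount, fee, False, zero)
        gateway.void(ref)                   # seat/room unavailable: no charge
        return Outcome(zero, zero, False, zero)

    # Debit: the card is charged before the supplier has answered.
    fee = gateway.sale(ref, amount)
    if supplier_confirms:
        return Outcome(amount, fee, False, zero)
    if refund_to_wallet:
        # Keep the captured money as wallet balance; no refund round-trip,
        # and the fee already paid covers the eventual rebooking.
        return Outcome(amount, fee, False, amount)
    gateway.refund(ref)                     # principal returned, fee lost
    return Outcome(zero, fee, True, zero)


if __name__ == "__main__":
    gw = StubGateway()
    for ct in CardType:
        for ok in (True, False):
            print(ct.value, "confirmed" if ok else "rejected",
                  process_booking(gw, f"{ct.value}-{ok}", Decimal("100.00"), ct, ok))
    print("debit rejected, wallet:",
          process_booking(gw, "w", Decimal("100.00"), CardType.DEBIT, False, True))
```

Running the block for a 100.00 booking shows the asymmetry the article points out: the rejected credit booking costs nothing, while the rejected debit booking leaves the OTA with the 3.20 fee paid and the customer waiting for a refund, unless the wallet branch is taken.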
Flight payment flows
Flights are associated with at least two different payment processes. In the case of full-service carriers, booking (when a seat is reserved) and ticketing (when the seat is paid for) are separate operations with a time lag between them. Besides, the transaction must be processed by IATA’s BSP or its US analog, Airline Reporting Corporation (ARC).
Read how BSP and ARC work in our dedicated article.
Low-cost airlines, on the other hand, adhere to immediate ticketing — meaning that they confirm a booking and charge a customer’s card almost instantly, bypassing BSP or ARC. If an OTA sells LCC flights, it results in building an additional payment flow.
“For example, Amadeus maintains separate sources of GDS and LCC content,” Ivan Mosiev shares. “Since LCCs practice instant confirmation, we must pay the fare before making a booking. If the reservation is not confirmed, it entails a refund procedure. In this scenario, an internal wallet comes in handy. Instead of beginning the long and complex refund process, we may keep the money charged for the ticket in the wallet and use it for rebooking.”
NDC payments and ancillaries
The wider adoption of new distribution capability — NDC — by airlines and flight distributors poses new challenges in terms of payment processing. One of the biggest promises of NDC for carriers is the ability to sell ancillaries via third-party platforms.
Yet, there is still no way to add a ticket and all extra services and products to a single receipt. Instead of one big transaction, you make several smaller ones. Instead of one unified document, you deal with at least two proofs of payment — an airline ticket and an Electronic Miscellaneous Document (EMD) for ancillaries.
There is hope that the One Order initiative will tackle this problem, enabling all flight components to be present on a single document per passenger. Maybe, sooner or later, industry players will reach a complete agreement on this question.
Until then, OTAs and their tech partners have to sort out difficulties generated by multiple transactions and various ways airlines charge for ancillaries (at the time of booking, after the flight is booked, or even after the ticket is issued).
Hotel payment flows
Hotels generate even more payment flows than flights since each property and bed bank may follow its own rules and cancelation policies. Some bookings are non-refundable, with money instantly charged. Others are partially refundable: A property collects the payment but returns a certain sum if the reservation is canceled. The amount of refund, in turn, depends on the number of days remaining before the expected arrival.
Often, hotels ask for access to a customer’s credit card details to make sure that they won’t lose their money. In this scenario, the OTA acts as a guarantor of the deal with a guest. Accommodations can charge a cancelation fee or a full room price in case of a no-show. The card owner, in turn, may settle the bill with cash or a hotel POS system upon arrival. The OTA will receive its commissions only after the guest’s checkout.
To sum up, “sometimes, OTAs transfer money to the hotel immediately. Sometimes, they just tokenize and store payment details to charge the card later…” Ivan Mosiev explains. “We have to take into account and program all these variations on an OTA’s side.”
Read our article about hotel online payments to understand how hotels can streamline payment processing on their side.
The less you know, the better you sleep
The larger an OTA, the more payment scenarios it must support to cover a wide range of suppliers. At the same time, smaller agencies that outsource MoR responsibilities to third parties needn’t worry about miscellaneous, complex flows. All they have to do is to collect card data, transfer it to the merchant of record, and wait for commissions to be paid (which can take weeks or even months). Yet, even in this case, you need to take care of PCI DSS compliance and use tokenization services. The rule of thumb here is “The less you know about a credit card, the better.”