Pablo Delgado, 8 minute read

The necessary revolution in hotel payment-collection operations



Payment-collection and refund management is a big headache for most hotels. It requires more and more time, generates direct costs and is a source of incidents and claims from clients, with the resulting chargebacks being highly frustrating.

The problem lies in the lack of tools and automation in hotel operations when it comes to receiving direct-payment bookings guaranteed by credit card. The result is unsafe manual procedures which, in most cases, do not meet the PCI security standard currently in force.

Secure payment, also known as 3D Secure, to prevent chargebacks

Having the client’s credit card, even with the CVV2 number, as a guarantee is no longer enough to guarantee payment. The high level of fraud in Internet payments, added to the dishonesty of many clients, has resulted in a high number of chargebacks, which generate a considerable feeling of helplessness in the industry. By direct payment, we are referring to:

  • In flexible rates, how do you charge the penalty for late cancellations or no-shows in a secure manner?

It affects you as soon as you accept a direct-payment booking with flexible cancellation policy. It therefore affects most hotels.

Secure payment, also known as ‘3D Secure’, is the only way to charge a credit card without the possibility of a chargeback by the client. A ‘secure payment’ implies confirmation of identity through a validation PIN which the client always enters on the bank’s website (never on the hotel’s website). For legal purposes, this is as good as if the client had been at the hotel, shown his identification and signed the receipt.

On the other hand, we have ‘unsafe payments’, in which the client has not validated his identity and which can easily be charged back with, for example, a police report. Furthermore, the client has a deadline of around 120 days to do so, so until this whole period has passed, you cannot be sure that you will keep the money.

An added problem is that not all credit cards support ‘secure payment’; some only accept ‘unsafe payments’. At the tail end of the implementation of secure payments are almost the whole of Latin America and the United States. In Europe and Japan, however, secure payments are in widespread use. Therefore, when configuring a payment gateway on your website, do it properly: demand ‘secure payment’ if the card supports it, but also allow ‘unsafe payment’ so as not to lose bookings made with cards that don’t support it. Accepting only ‘secure payments’ means you will lose the bookings of users whose cards don’t support it.

Other alternative payment methods, such as PayPal or Amazon Pay, also don’t guarantee ‘secure payment’ unless the 3D Secure option is activated when paying. If you do not activate it, those payments will also be ‘unsafe’ and the client could still reverse them.

Apple Pay, on the other hand, is an alternative ‘secure payment’ method on the same level as 3D Secure, so any payment made through it cannot be reversed by the client. To date, Google Pay is not considered a secure payment, although this is expected to change soon.

Another good and secure alternative is enabling ‘bank transfer’ as a payment method. Despite it not being a common method for Internet users, it does have its niche in certain markets and for bookings of a large amount. At Mirai, since 2015, we allow bank transfers as a payment method.

PCI Security Standards to prevent the risk of fraud in your hotel

However, the problems do not stop there. Increasingly demanding security standards, such as PCI, also force the industry to completely re-evaluate and modify its payment-collection operation.

The main credit card issuers, with Visa and MasterCard at the forefront, are putting increased pressure on banks so that they require all their clients to comply with the PCI standard. In the hotel and distribution industry, they started with those that managed a higher volume of credit cards, such as large networks, online agencies and e-commerce tools such as channel managers and booking engines.

Interestingly enough, hotels are not, except in some cases, being required to comply strictly with this regulation; the requirement is limited to all of the hotel’s providers being certified. The reality is that few hotels comply with the PCI standard, something which has to change sooner rather than later. It is time for the hotel industry to get to work, assign the necessary budgets and be ready to make the different changes to its operations, which is always a big problem. Hotels, like all businesses, have their inertia and routines distributed throughout their staff who, in many cases, have been working in the same way for many years. Changing the tools is easy. Changing the processes is possible. Changing the inertia and habits of the staff is always the most complicated part.

Three alternatives so you can comply with the PCI standard:

  • The first is the easiest to understand but the one that hotels struggle with the most: having all your sales go through credit channels (channels that charge the client themselves and then pay you). In this case, you do not need to comply with the PCI standard, since you never handle any of your clients’ credit cards.
  • Surreal cases aside, the second alternative is to obtain the PCI certificate, with all the implications it involves, of which there are many, deep and in many cases unfeasible. Some examples are the continuous training and refresher training of staff, permanent surveillance, keeping a written register of all activities related to credit card access (date, time, user, reason for use, etc.), the requirement to alert the issuing entities in the event of any incident or security breach, annual recertification and the pertinent annual audit, on top of an endless list of requirements which, due to the nature and operations of hotels, are hard to comply with.
  • The third is not having to obtain a certificate at all, by ensuring that no part of the hotel’s operation handles card numbers. This does not mean that the hotel cannot store its clients’ credit cards; it can and it must, but always via a PCI-certified provider that takes away the complexity which this storage requires. Nor does it mean that you cannot use these cards for charges or refunds; you can, but always through certified and adapted tools which facilitate this task, and never by operating manually with the card number.

How do I achieve an operation which never accesses the client’s credit card? By introducing a tool which automatically creates tokens for all of your clients’ cards. This tool stores all the card data for you, hiding the PAN (primary account number), and gives you in exchange a reference number (the token) which you can use for enquiries, charges and refunds.
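To make the two ideas concrete, here is an added example, written for this page and not Mirai’s code nor the API of any real gateway, PMS or tokenisation provider. It models a card vault standing in for the PCI-certified provider (the PAN never leaves the vault; the hotel side keeps only a token and a masked number), the gateway policy from the secure-payment section (demand 3D Secure when the card supports it, otherwise allow an unauthenticated charge so the booking is not lost), and the resulting chargeback exposure across the 120-day dispute window the article quotes. All names, the card numbers (standard Luhn-valid test numbers) and amounts are constructed.

```python
from __future__ import annotations

import secrets
from dataclasses import dataclass
from datetime import date, timedelta

# Dispute window quoted in the article for an unauthenticated charge (assumption: fixed 120 days).
CHARGEBACK_WINDOW_DAYS = 120


def luhn_valid(pan: str) -> bool:
    """Checksum validation of a card number before it is accepted for tokenisation."""
    if not pan.isdigit() or len(pan) < 12:
        return False
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """First six and last four digits, the most a merchant may display under PCI DSS."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def choose_authentication(card_supports_3ds: bool, accept_unauthenticated: bool) -> str:
    """Gateway policy from the article: 3D Secure when supported, otherwise fall back to an
    unauthenticated charge rather than lose the booking, unless the hotel refuses that risk."""
    if card_supports_3ds:
        return "3ds_challenge"
    return "unauthenticated" if accept_unauthenticated else "decline"


@dataclass(frozen=True)
class CardToken:
    token: str
    masked_pan: str
    expiry: str          # MM/YY
    authenticated: bool  # True when the cardholder completed 3D Secure at booking time


@dataclass
class Charge:
    token: str
    amount_cents: int
    charged_on: date
    authenticated: bool
    refunded_cents: int = 0

    @property
    def net_cents(self) -> int:
        return self.amount_cents - self.refunded_cents


class CardVault:
    """Stands in for the PCI-certified provider: the PAN lives only in _pans, and the
    hotel-side records (tokens) never contain it."""

    def __init__(self) -> None:
        self._pans: dict[str, str] = {}          # token -> PAN, provider side only
        self.tokens: dict[str, CardToken] = {}   # token -> what the hotel may keep

    def tokenise(self, pan: str, expiry: str, authenticated: bool) -> CardToken:
        if not luhn_valid(pan):
            raise ValueError("invalid card number")
        token = "tok_" + secrets.token_hex(12)   # random; not derived from the PAN
        self._pans[token] = pan
        self.tokens[token] = CardToken(token, mask_pan(pan), expiry, authenticated)
        return self.tokens[token]

    def charge(self, token: str, amount_cents: int, on: date) -> Charge:
        if token not in self._pans:
            raise KeyError("unknown token")
        if amount_cents <= 0:
            raise ValueError("amount must be positive")
        # A real provider would submit the stored PAN to the acquirer here.
        return Charge(token, amount_cents, on, self.tokens[token].authenticated)

    def refund(self, charge: Charge, amount_cents: int) -> int:
        """Partial or full refund by token; returns the remaining net amount in cents."""
        if amount_cents <= 0 or amount_cents > charge.net_cents:
            raise ValueError("refund exceeds the remaining charge")
        charge.refunded_cents += amount_cents
        return charge.net_cents


def exposed_amount(charges: list[Charge], today: date) -> int:
    """Cents the client could still charge back: unauthenticated charges younger than the
    dispute window. Authenticated (3D Secure) charges are never counted."""
    window = timedelta(days=CHARGEBACK_WINDOW_DAYS)
    return sum(c.net_cents for c in charges
               if not c.authenticated and today - c.charged_on < window)


def demo() -> dict:
    """Two no-show penalties: a 3DS-capable card and one that only allows unauthenticated payment."""
    vault = CardVault()
    # Constructed test card numbers (Luhn-valid, not real cards).
    decision_a = choose_authentication(card_supports_3ds=True, accept_unauthenticated=True)
    decision_b = choose_authentication(card_supports_3ds=False, accept_unauthenticated=True)
    card_a = vault.tokenise("4111111111111111", "12/29", decision_a == "3ds_challenge")
    card_b = vault.tokenise("5500000000000004", "06/28", decision_b == "3ds_challenge")
    booked = date(2024, 3, 1)
    charges = [vault.charge(card_a.token, 12000, booked), vault.charge(card_b.token, 12000, booked)]
    vault.refund(charges[1], 2000)   # goodwill partial refund on the unauthenticated charge
    return {
        "masked": [card_a.masked_pan, card_b.masked_pan],
        "exposed_day_30": exposed_amount(charges, booked + timedelta(days=30)),
        "exposed_day_121": exposed_amount(charges, booked + timedelta(days=121)),
        "token_leaks_pan": "4111111111111111" in repr(card_a),
    }


if __name__ == "__main__":
    print(demo())
```

The point the code makes is the one the text makes: only the unauthenticated charge appears in the exposure figure, and it drops to zero once the dispute window has passed, while the hotel-side record never contains a full PAN, so the hotel's own systems stay out of PCI scope.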


The big question is: On which level do we integrate this tokenisation?

[Figure: levels at which tokenisation can be integrated]

From our point of view, the obvious level to do so is the PMS, which is where all bookings end up (as do the credit cards given as guarantee). Check with your PMS to see which alternatives it can offer.

If you cannot do it with the PMS, you will have to go up a level, to the channel manager, which usually passes bookings from all channels on to the PMS. Check with your channel manager to see which tokenisation alternatives it can offer.

If your channel manager cannot give you a solution, you will have to go up to the top and deal with it channel by channel, with the complexity and fatigue that this entails.

  1. To date, on Booking.com and Expedia in “Hotel Collects” mode, you can resolve payment collection without accessing the client’s card by using virtual cards, which operationally is great but also adds a high cost, up to 3% in some cases, something which puts most hotels off.
  2. On your direct website, you have to integrate a tokenisation tool into your booking engine so that every incoming booking automatically generates a token which you can operate with in the future. A good alternative is Addon Payments by Comercia Global Payments, a joint initiative with Caixabank, with which Mirai has just integrated.
  3. For bookings via phone or email, the operation must change entirely: at the payment stage, redirect the client to an automated voice system or a secure web application that gathers and tokenises the card details automatically.

How to combine payment-collection security and compliance with the PCI standard?

These are two different yet closely related matters, which can cause confusion. To date, most hotels charge by manual means, which are both unsafe and incompatible with PCI. Even though they are not directly related, the migration to secure payments and PCI compliance must be addressed as one project and executed with a strategic long-term vision.

In the chart below we summarise the different alternatives and how they combine with each other.

[Chart: payment alternatives and how they combine]

A new concept is born: parity in ‘payment-collection security and quality’

We are used to talking about parity of stock and prices between channels, or even of booking conditions (cancellation policy and payment method), but we have never talked about the difference between channels in chargeback risk or PCI compatibility.

In other words, direct-payment OTAs (such as Expedia in “Hotel Collects” mode) generate more costs and risks than the mere commission.

  • They do not guarantee the absence of chargebacks (since the payment is unsafe).
  • They do not facilitate compliance with the PCI standard.
  • Their alternative to solve both problems, the use of virtual cards, substantially increases costs to the point where it is unacceptable for hoteliers.

If, however, on our direct channel we can automate payment collection (which would also save the staff a lot of time) and make it secure via secure payment gateways that tokenise all cards, all without increasing costs, shouldn’t the direct channel have a competitive advantage in price over OTAs? At the end of the day, your website bookings are more secure, more profitable and more compliant with the PCI standard than those that come in via OTAs. Shouldn’t you favour them with a better price for the client?

It is bad practice to implement a secure payment gateway on your website and leave the same rate open on the OTA (even if it is non-refundable, since the payment collection there will be unsafe and manual at the hotel) whilst maintaining price parity. If you do, make sure that the rate published on the website is more competitive than the one on the OTA, passing on part of the profit it brings you to the client who chooses your website over all other channels.


The payment-collection operation in hotels and the compliance with security measures are not attractive subjects, especially for the hotel sales teams. Nevertheless, they are very important, in particular for the financial and operations departments.

There is still a lot of work to do and many tools to change or add. It is time to start thinking about how to address all of this transformation and make the most of it so that it benefits the hotel’s interests before the banking requirements grow and the restrictions they apply become unacceptable.

The world is undergoing a revolution in payment methods, particularly those which revolve around mobile phones. The big fish are making a move and the banks are shaking. Right now, you have the chance for your direct sales to be a step ahead, for now.


One thought on “The necessary revolution in hotel payment-collection operations”

  1. Great article. I only have a small addition on the part where you mentioned retrieving virtual credit cards: in terms of virtual credit cards provided by the channels, you have to be careful, because there are two approaches. If the channel provides a single-use VC, then PCI DSS compliance is not mandatory. Even so, the card schemes still advise complying with PCI DSS. If the channel provides a multi-use VC, PCI DSS compliance is mandatory. So it’s a bit squishy, and if you have a tokenization partner, let them tokenize the virtual cards as well – so you are on the safe side. Do you agree?