Guides
OpenAPI SpecHolidu WhitelabelsPartner PortalHolidu

Credit card payment through PCI proxy

Suggest Edits

If you are onsite bookable on holidu, it is possible for us to send you credit card information from the customer directly in the booking notification. Holidu itself is not PCI compliant, but we are working closely with a payment provider and are able to send you the credit card information through a PCI proxy.

📘

Reqirements

In order to receive the credit card informations from customers you need to proof that your endpoint is PCI compliant. Only if you send us an AOC (Attestation of compliance) and either a letter of Acknowledgment or an extract of the terms and conditions which proves the PCI DSS compliance of your endpoint, we can add you as receiver.

Booking notification with Credit Card information

The booking notification with the credit card information is similar to the current booking notification, it just holds the additional creditCardData object.

❗️

Please note

You are not allowed to charge more money to the customer than written in the booking notification, since the customer books under those conditions. In case the price written in the booking notification does not match the price in your system, please reject the booking immediately.

{
 "bookingId": "eacf97a4-cba2-4db1-8c02-d69306fc369f",
 "externalId": "PROVIDER-623730",
 "arrival": "2018-12-07",
 "departure": "2018-12-10",
...
...
"paymentMethod": "CREDIT_CARD",
...
...
"creditCardData": {
    "ccNumber": "4242424242424242",
    "cvv": "422",
    "ccType": "VISA",
    "cardHolderName": "Test Card",
    "cardExpiryDate": "08-2022"
  },
"brand":"HOLIDU"
}

Implementation of the PCI proxy

Holidu is PCI compliant via a partnership with Datatrans. From a very high level, we need to send all the booking notifications containing credit card data through a PCI proxy which adds the credit card data to the notification, before sending them over to you.

❗️

If you use IP whitelisting you need to add

193.16.220.0-255
91.223.186.0-255

to the list, since these are IP addresses are used by our PCI proxy.

You are still fully responsible for handling the payment with the customer and also the response to the booking needs to be the same. You need to be able to immediately give a response if the booking is either CONFIRMED or FAILED, no other status (e.g. Pending) is possible.

Data flow

521

Updated about 3 years ago