Supplier refusing to decrypt data in our own database. Help!



TooMany2cvs

29,008 posts

126 months

Monday 7th November 2016
beanbag said:
I appreciate what many of you are saying but we've been looking into 3rd party solutions.
Just the card stuff. Seriously.

woodyTVR

622 posts

246 months

Monday 7th November 2016
beanbag said:
I appreciate what many of you are saying but we've been looking into 3rd party solutions. There aren't many options and we don't want what they have to offer for the following reasons:

- Price. The resort is a mature timeshare complex so it's not just holiday rentals. The moment you add timeshare to the equation, things get expensive. We are a very small family business. 9 employees (4 of them cleaners) and just under 40 apartments. The minimum cost is well over $10k for the first year, and then over $5k per year thereafter. In other words, it would push up the IT budget by triple which is unaffordable. (All the 3rd party solutions we contacted start with products that can support 100 units or more. Since we're just 40% of that, we end up paying more and none will negotiate on price).

- Complexity. The card data will be hashed and only the company administrator will have access to the private key. Under Spanish law, the administrator is allowed access to card data and is ultimately responsible for it. No employee will have access to real card data (unless they are entering it manually which they must do). Most hotels will not do this. Next time you check in to a hotel, (especially abroad), have a look at the number of times they photocopy your passport / license and leave your booking.com reservation letter available on the desk. It'll have your full payment details (card number and all), on display.

- API integration. Most suppliers will offer API integration with booking.com or expedia, etc, etc...but not all so you end up having to choose. We want to integrate all 3rd parties that we work with, plus this would mean no employee would ever have to touch a credit card number (unless it's a reception or phone booking).

- Finally, coming back to the price, if you tie yourself into a product it costs a fortune to leave. Set-up costs, training, integration and you never own the software as it's all cloud based.

Anyway.....we're well into development already so it's all good.... smile
He's not wrong. I put one in a 44 bed hotel last year at £30k with £8k pa maintenance. That's not including timeshare but does have Epos for bar and restaurant, PCI & API to all the major booking sites.

I also put a bespoke system into a log cabin business including a web front end, which includes owners as well as their own cabins, so similar to timeshare for £6k. This includes external PCI links.

beanbag

Original Poster:

7,346 posts

241 months

Monday 7th November 2016
I'm looking into PCI DSS compliance. I just had a chat with a colleague of mine who handles PCI (I work in online gambling so PCI compliance is incredibly strict in my business).

He recommended I look at Stripe or Braintree, both of which are interesting. It is PCI compliant and allows manual credit card data entry, which is what we need. The only pitfall is the cost. Our bank charges less than 0.5% per transaction, which is a great deal, especially so when you compare to most PCI providers, which charge 2.9% + 30 cents per transaction. That's almost 6 times the cost, and once again: this is a small family business with no expansion plans, so costs like this hurt quite badly. Braintree is however cheaper at 1.9% + €0.30 per transaction, but that's still 4 times higher!

At the end of the day, we have a lot to investigate but if anyone can offer any payment provider services that would allow us to handle card data, please let me know.
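The thread's advice boils down to handing the card number to a PCI-compliant provider and keeping only a token, rather than encrypting card data in the resort's own database with an administrator-held key as described earlier in the thread. The following Python sketch is an added example, not code from the original post or from Stripe or Braintree: the `StandInVault` class is an in-memory stand-in for a provider's tokenisation service (an assumption, not a real API), and it shows the only fields a booking system needs to keep after manual entry at reception, plus a log scrubber for the common leak path of card numbers ending up in application logs.

```python
"""Tokenisation model: what a small booking system stores after a card is
entered, when the full card number (PAN) goes to a payment provider.
Added example; the vault below is a stand-in, not a real provider API."""
import re
import secrets
from dataclasses import dataclass


def luhn_valid(pan: str) -> bool:
    """Luhn checksum: catches front-desk typos before anything is sent out."""
    digits = [int(c) for c in pan if c.isdigit()]
    if len(digits) < 12 or len(digits) > 19:
        return False
    total = 0
    # Walk from the check digit leftwards, doubling every second digit.
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


class StandInVault:
    """Stand-in for the provider's vault (assumption, not a real API).
    The merchant app hands the PAN over once and keeps only the token;
    the PAN itself never lands in the merchant's database."""

    def __init__(self):
        self._store = {}  # provider-side storage, constructed for the example

    def tokenize(self, pan: str) -> str:
        token = "tok_" + secrets.token_hex(12)
        self._store[token] = pan
        return token


@dataclass(frozen=True)
class StoredCard:
    """Everything the booking system is allowed to keep about a card."""
    token: str
    last4: str
    brand: str
    exp_month: int
    exp_year: int

    def display(self) -> str:
        return f"{self.brand} **** **** **** {self.last4} ({self.exp_month:02d}/{self.exp_year})"


def brand_of(pan: str) -> str:
    """Coarse brand guess from the leading digits (enough for display)."""
    if pan.startswith("4"):
        return "Visa"
    if pan[:2] in {"51", "52", "53", "54", "55"}:
        return "Mastercard"
    return "Card"


def capture_card(vault: StandInVault, pan: str, exp_month: int, exp_year: int) -> StoredCard:
    """Accept a manually typed number, validate it, tokenise it, keep the rest."""
    pan = re.sub(r"\D", "", pan)  # tolerate spaces and dashes from manual entry
    if not luhn_valid(pan):
        raise ValueError("card number fails Luhn check")
    token = vault.tokenize(pan)
    return StoredCard(token=token, last4=pan[-4:], brand=brand_of(pan),
                      exp_month=exp_month, exp_year=exp_year)


# 13 to 19 digits with optional spaces or dashes between them.
PAN_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")


def scrub_pan(text: str) -> str:
    """Redact anything that looks like a card number before it reaches a log line."""
    def _mask(m: re.Match) -> str:
        digits = re.sub(r"\D", "", m.group(0))
        return "*" * (len(digits) - 4) + digits[-4:]
    return PAN_RE.sub(_mask, text)


if __name__ == "__main__":
    # Constructed sample input: a well-known test card number, not a real card.
    vault = StandInVault()
    card = capture_card(vault, "4111 1111 1111 1111", 3, 2018)
    print(card.display())
    print(scrub_pan("booking 123 card 4111 1111 1111 1111 declined"))
```

With this layout the database row holds the token, the last four digits, brand and expiry, which is what staff need to recognise a card and what the provider needs to charge it again; the full number exists only on the provider's side, so a compromise of the resort's own system exposes no PAN.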




beanbag

Original Poster:

7,346 posts

241 months

Monday 7th November 2016
TooMany2cvs said:
beanbag said:
I appreciate what many of you are saying but we've been looking into 3rd party solutions.
Just the card stuff. Seriously.
Appreciate your concern and definitely taken the advice on board. We will make the necessary changes however keep in mind the average age of the people working in this business is 50+, (my wife and her colleague lower it substantially), so explaining PCI compliance to them is in a word - challenging.

But I will resolve it. After all, my wife is the administrator so she is the one that will be liable if things were to go tits-up and I would rather that didn't happen....

BMWBen

4,899 posts

201 months

Monday 7th November 2016
ging84 said:
I'm highly sceptical that a 90s hotel booking system was encrypting its data at rest; if it really is the issue then it's fairly easy to overcome. Unfortunately I suspect the issue is much more fundamental than that, and the data is simply obscure and it does not matter if it's encrypted or not because you have nothing to interpret it with.

Personally I would completely forget about most of the historic data; you might be required to keep it by law, but it does not have to all be on the same system.

The main thing you'll need to extract is your future bookings, and your customer contact information.
I suspect if you only took that and ran the 2 systems in parallel for a while, within a few weeks you'd rarely have need to access the old system, and can then just leave it hosting the old data.
When the old system is no longer in use you can then poke about with it as much as you want without causing any disruption, to try and see if you can get it all out, or try to agree a reduced licensing fee with the supplier now it's only used for auditing purposes, or failing that, get anything useful out, bundle the whole system up, put it onto a VM which is inactive most of the time and do some messing around with the clock to ensure it never finds out its license has expired when you do need to look at it.
This is sound advice, in the OP's position it's exactly what I would do.

randlemarcus

13,524 posts

231 months

Monday 7th November 2016
BMWBen said:
This is sound advice, in the OP's position it's exactly what I would do.
In the OPs position, I would read my earlier post, and look back with a sense of some satisfaction, knowing I had solved the issue smile

Arnold Cunningham

3,769 posts

253 months

Monday 7th November 2016
Worth restating this! V. V. important!

TooMany2cvs said:
Just the card stuff. Seriously.

davepoth

29,395 posts

199 months

Monday 7th November 2016
beanbag said:
I'm looking into PCI DSS compliance. I just had a chat with a colleague of mine who handles PCI (I work in online gambling so PCI compliance is incredibly strict in my business).

He recommended I look at Stripe or Braintree, both of which are interesting. It is PCI compliant and allows manual credit card data entry, which is what we need. The only pitfall is the cost. Our bank charges less than 0.5% per transaction, which is a great deal, especially so when you compare to most PCI providers, which charge 2.9% + 30 cents per transaction. That's almost 6 times the cost, and once again: this is a small family business with no expansion plans, so costs like this hurt quite badly. Braintree is however cheaper at 1.9% + €0.30 per transaction, but that's still 4 times higher!

At the end of the day, we have a lot to investigate but if anyone can offer any payment provider services that would allow us to handle card data, please let me know.
Think of it as an insurance policy against card fraud. Getting those card details out of your hands as much as possible is a really good idea.

superlightr

12,856 posts

263 months

Tuesday 8th November 2016
Not being too harsh I hope, but the fact that X software is 3x your existing software budget, or getting it done with a 3rd party provider which can deal with 100 units when you have 44 and thus is not cost effective, is surely the wrong way to look at it.

Perhaps your budgets were unrealistic to start with and you have had a jolt into the current market rents?

As others have said, getting a proven software setup can be 'worth' more than just how much it costs you, as you have peace of mind, reliability and backup.

We made a jump to a different system for houses and yes, it was more expensive, but blimey it's so much easier for compliance and use. It's vital to the business and I would not go back to made-to-measure software because it's cheaper, as inevitably it's not supported and doesn't do the job. Also if/when you come to sell the business, other buyers will look for recognised software they know.

AW111

9,674 posts

133 months

Tuesday 8th November 2016
One point in favour of (good) 3rd party software is that they will update it as legislation / legal requirements change.
They will certainly charge you for an upgrade, but it's probably cheaper than getting a bespoke solution rewritten/updated.

Durzel

12,272 posts

168 months

Tuesday 8th November 2016
beanbag said:
I'm looking into PCI DSS compliance. I just had a chat with a colleague of mine who handles PCI (I work in online gambling so PCI compliance is incredibly strict in my business).

He recommended I look at Stripe or Braintree, both of which are interesting. It is PCI compliant and allows manual credit card data entry, which is what we need. The only pitfall is the cost. Our bank charges less than 0.5% per transaction, which is a great deal, especially so when you compare to most PCI providers, which charge 2.9% + 30 cents per transaction. That's almost 6 times the cost, and once again: this is a small family business with no expansion plans, so costs like this hurt quite badly. Braintree is however cheaper at 1.9% + €0.30 per transaction, but that's still 4 times higher!
It'll be a lot cheaper than the Visa/Mastercard non-compliance fines should that card or customer data get exposed.

Vaud

50,510 posts

155 months

Tuesday 8th November 2016

And add it into the customer end price as a "secure booking fee", making a big thing of the fact that you are fully compliant and their funds are safe, etc.

beanbag

Original Poster:

7,346 posts

241 months

Tuesday 8th November 2016
superlightr said:
Not being too harsh I hope, but the fact that X software is 3x your existing software budget, or getting it done with a 3rd party provider which can deal with 100 units when you have 44 and thus is not cost effective, is surely the wrong way to look at it.

Perhaps your budgets were unrealistic to start with and you have had a jolt into the current market rents?

As others have said, getting a proven software setup can be 'worth' more than just how much it costs you, as you have peace of mind, reliability and backup.

We made a jump to a different system for houses and yes, it was more expensive, but blimey it's so much easier for compliance and use. It's vital to the business and I would not go back to made-to-measure software because it's cheaper, as inevitably it's not supported and doesn't do the job. Also if/when you come to sell the business, other buyers will look for recognised software they know.
The principle of what you are saying is correct, but there is a finite budget. The investment made this year has been in excess of four times the usual IT budget due to hardware and software upgrades, plus the need to create a PMS to suit our needs.

The current software works but very badly, crashing frequently and reducing productivity and more seriously, with a loss of bookings as customers aren't willing to wait while the system restarts. It's basic conversion science.

So, we need a solution that works well before Easter 2017. It has to fall into the budget that I currently have and within the existing IT budget. I negotiate contracts on a regular basis, and perhaps it's because I represent a well-known company that suppliers are willing to bend over to get our custom; I don't have that advantage as a small family company.

None of the suppliers that I have contacted are willing to negotiate their prices to suit our unit tally which is in my opinion, unacceptable. We simply don't make the profit necessary to support such costs so I am limited with regards to what I can choose. You end up losing your business if it can no longer make a reasonable profit no matter how good a software package may be. This is basic business science.

Short of the long: we need a solution that is both PCI compliant or within the legal bounds, and a PMS that supports this system and manages the business efficiently. At least from my side we now have all the customer data and I've even managed to normalise it to a pretty reasonable 3NF standard. (Top marks to me for looking back at my old uni material) wink

I have a developer that can deliver what we need within our timeframe and more importantly within our budget. It might initially be a little rough around the edges but it'll be a lot more reliable and safer than the current system being used. smile

KevinCamaroSS

11,636 posts

280 months

Tuesday 8th November 2016
beanbag said:
I have a developer that says he can deliver what we need within our timeframe and more importantly within our budget. It might initially be a little rough around the edges but it'll be a lot more reliable and safer than the current system being used. smile
There, fixed that for you.

Seriously though, this is a critical part of your business, in my view you should look at your pricing and try and squeeze enough for a tried and proven off the shelf system.

Do you actually host card transactions? If so, the cost of compliance is significant and not something I would leave to an unknown in the business.

Have you thought about alternative payment methods such as, dare I say it, PayPal?

buggalugs

9,243 posts

237 months

Wednesday 9th November 2016
You should generally try very hard not to need custom stuff; don't be too precious about your processes. Though if the off-the-shelf boys are taking the piss on pricing then that's a toughie.

beanbag

Original Poster:

7,346 posts

241 months

Thursday 10th November 2016
I appreciate many of you are suggesting an off-the-shelf solution, however the reality is we need a timeshare compatible solution (which instantly adds huge costs on top of a typical PMS), and they tend to cater only for resorts of 100+.

The business my wife operates is significantly smaller than this. Back in its heyday, they had over 100 units but over time have sold them off so it really is a small resort.

Short of the long: the business simply cannot afford a solution that charges €440 per month. The ultimate aim is to one day get rid of all the timeshare owners, but they are entitled to keep their properties as long as they want, so until that happens we are legally bound to manage that side of the business. I just hope that moment comes sooner rather than later!

KevinCamaroSS

11,636 posts

280 months

Thursday 10th November 2016
beanbag said:
I appreciate many of you are suggesting an off-the-shelf solution, however the reality is we need a timeshare compatible solution (which instantly adds huge costs on top of a typical PMS), and they tend to cater only for resorts of 100+.

The business my wife operates is significantly smaller than this. Back in its heyday, they had over 100 units but over time have sold them off so it really is a small resort.

Short of the long: the business simply cannot afford a solution that charges €440 per month. The ultimate aim is to one day get rid of all the timeshare owners, but they are entitled to keep their properties as long as they want, so until that happens we are legally bound to manage that side of the business. I just hope that moment comes sooner rather than later!
44 units, 440 Euros/month? That is only 10 Euros per unit per month! That is very small indeed to my mind. I really do suggest you take another look at it. It really is not worth risking a security issue when dealing with cards. Just my 10 cents worth (or 1% if you look at it another way wink )

beanbag

Original Poster:

7,346 posts

241 months

Friday 11th November 2016
KevinCamaroSS said:
beanbag said:
I appreciate many of you are suggesting an off-the-shelf solution, however the reality is we need a timeshare compatible solution (which instantly adds huge costs on top of a typical PMS), and they tend to cater only for resorts of 100+.

The business my wife operates is significantly smaller than this. Back in its heyday, they had over 100 units but over time have sold them off so it really is a small resort.

Short of the long: the business simply cannot afford a solution that charges €440 per month. The ultimate aim is to one day get rid of all the timeshare owners, but they are entitled to keep their properties as long as they want, so until that happens we are legally bound to manage that side of the business. I just hope that moment comes sooner rather than later!
44 units, 440 Euros/month? That is only 10 Euros per unit per month! That is very small indeed to my mind. I really do suggest you take another look at it. It really is not worth risking a security issue when dealing with cards. Just my 10 cents worth (or 1% if you look at it another way wink )
€10 per unit + cleaning costs + repair bills + taxes + community fees + staff costs + office costs + electricity + water + internet costs + low season costs, etc, etc...... wink

Every penny saved makes a huge difference....

Vaud

50,510 posts

155 months

Friday 11th November 2016
beanbag said:
€10 per unit + cleaning costs + repair bills + taxes + community fees + staff costs + office costs + electricity + water + internet costs + low season costs, etc, etc...... wink

Every penny saved makes a huge difference....
Can you not just add it to the price and blame the EU? (new regulations for data privacy, your details are secure, etc)

TooMany2cvs

29,008 posts

126 months

Friday 11th November 2016
beanbag said:
KevinCamaroSS said:
beanbag said:
I appreciate many of you are suggesting an off-the-shelf solution, however the reality is we need a timeshare compatible solution (which instantly adds huge costs on top of a typical PMS), and they tend to cater only for resorts of 100+.

The business my wife operates is significantly smaller than this. Back in its heyday, they had over 100 units but over time have sold them off so it really is a small resort.

Short of the long: the business simply cannot afford a solution that charges €440 per month. The ultimate aim is to one day get rid of all the timeshare owners, but they are entitled to keep their properties as long as they want, so until that happens we are legally bound to manage that side of the business. I just hope that moment comes sooner rather than later!
44 units, 440 Euros/month? That is only 10 Euros per unit per month! That is very small indeed to my mind. I really do suggest you take another look at it. It really is not worth risking a security issue when dealing with cards. Just my 10 cents worth (or 1% if you look at it another way wink )
€10 per unit + cleaning costs + repair bills + taxes + community fees + staff costs + office costs + electricity + water + internet costs + low season costs, etc, etc...... wink

Every penny saved makes a huge difference....
€10 per unit per month. So 35c per unit per night. All those other costs are the same.

Is the margin REALLY that thin?