SynXis connection to Webervations and RezOvation

November 20, 2009 17:00 by Eric

Dear Select Registry members,

Recently, SR sent a membership email stating: “We are aware that RezOvation and Webervations are not going to make the necessary upgrades to interface with SynXis,” the new CRS providing reservation capabilities for the Select Registry website. We’re writing to set the record straight: we never said that we were unwilling to provide this link.

We plan to discuss this some more with Select Registry Executive Director Mike Palmer to learn why Select Registry told their members this inaccurate information. Mike seems to have the impression that this would be an “easy few week project” for us and that we could drop everything to start working on it. In fact, based on the links we’ve already built to Expedia and hotels.com, and the one that we’ll shortly be completing with Travelocity, we know that it takes many months of skilled developers’ time to build, test, and launch a live direct connection. But first we need to evaluate this project and then allow a reasonable amount of time to make it happen.

We’d love to hear from you, the ultimate customers of this product. We’ve heard from a number of users who are not sure that they even want to connect via a two-way interface given the SynXis costs. The manual option SynXis provides is much more cost-effective, given that the monthly fees SynXis would charge our customers to use a two-way connection to Webervations or RezOvation are $100, in addition to the $50/month for manual plus transaction fees. Considering that Webervations only had a small annual fee of less than $100, we wonder how many people actually want to move to a product that is going to cost $1,800/yr minimum, with $350 up-front, $50/year IATA fees, transaction fees up to $12, plus travel agent commissions of 10% or merchant commissions more than double that?

All this to say, if Select Registry member innkeepers don't want to pay for that connection, it doesn’t make any sense for us to build it. Ironically, we at RezOvation and Webervations only recently were made aware of the Select Registry decision to use SynXis. We learned about it from an innkeeper (not from Select Registry) less than two months ago. It wasn’t until the last Friday in September that we actually got a look at the connectivity specification. Typically when there is a connectivity project of this size at hand, a company like us that has so many customers using the current system would be given significant advanced notice to scope the project, schedule development time, talk to customers about their issues and concerns, etc.

As you are all aware, Webervations had been the provider of the Select Registry booking engine for quite some time, allowing folks to use any one of 18 different PMS products to connect to SR, all at very low Webervations prices. Supporting a shift of this magnitude to a hotel-style SynXis system is not something that we can make happen overnight. Interestingly, at the Select Registry conference in Williamsburg last winter, we were surprised to learn for the very first time that Select Registry was even looking for a central reservation platform; we had not been made aware of it ahead of time at all. We were therefore unable to help with the needs/specs and/or discuss how we could provide a painless, easy, and inexpensive solution, even though we power the majority of SR members’ website booking engines and availability calendars.

In our discussions with the interim Executive Director in October, we explained that we didn’t know what we were going to do and that we needed time to figure out what this meant. What was it going to cost? What type of connection was it? Was it going to require all of our GDS customers to switch chain codes? Was it going to require everyone from Webervations to switch to using a full PMS? How long would it take to implement? Who at our company could be free to work on it? What other projects would get pushed back/delayed? The list goes on and on. Select Registry did not have any details, so we reached out to SynXis directly.

Here are some of the complications we are dealing with that make this not a "few week project" as Mike seems to think it should be:

  1. Our internal team that handles connectivity is still working on the Travelocity connection we announced last spring. We have to complete this project before we can start on another.
  2. Connecting to SynXis is not a quick project. It is a full-blown GDS connection; very few companies in our space have this. It’s similar to the Travelocity connection that has taken us six months so far.
  3. Webervations itself was never built to support a GDS connection like this. There are numerous changes that would need to be made to the system in order to accommodate something like this, which means we would have to spend a large amount of time changing Webervations before it could even work correctly or launch a connection.
  4. Many Webervations customers use any one of 18 PMS connections to get to Webervations. We are not sure if our customers would even use Webervations to connect rather than the PMS they are using.
  5. It seems highly unlikely that properties who have been using Webervations as their own availability calendar would want to pay for this link. To my knowledge, we haven’t heard from anyone using Webervations that wants to pay for this connectivity. We have heard from a few RezOvation customers.
  6. RezOvation does support connections like this, but any current GDS or Travelocity customer would have to switch GDS providers to SynXis and would not be able to participate in our Travelocity program through our chain code. Virtually all current GDS customers have paid for and have minimums under their current GDS contracts. They would either be double-charged, or would need to wait for up to a year before they switch.
  7. This GDS connection is quite a bit more costly than our RezOvation GDS connection, so existing customers would see somewhere around $1,000 more in fixed fees/year than our current GDS connection.
  8. Our entire company is taking a voluntary 3rd party Level 1 PCI Audit right now – we announced this in September. Before we could begin any work on connecting to a new CRS system, we need to complete the work on that audit, which is being handled by the same team of expert developers.
  9. No PMS that is not PA-DSS certified can take on new credit card processing customers right now, or, by the middle of next year, support any credit card customers. RezOvation GT has already passed the 3rd party audit and is listed on the PCI site as compliant. Webervations is going through that audit now. This is a more critical project to comply with credit card rules than anything else going on. I would caution any customer who is looking at switching to another PMS on this list, as many of the companies are not PA-DSS compliant at this point and are not allowed to take on any new customer for credit card processing until they are.
  10. In addition to all of that, we have a number of other projects that were months into development. Those include the enhanced credit card processing gateway for Webervations, new group management tools in RezOvation GT, an iPhone app for RezOvation, etc.

So our answer to Select Registry on whether we could connect was that we were not sure, and that we would need some time to figure this out. We told them that we would have some cycles to look into this more thoroughly in January as we would have breathing room to look into this with the amount of attention that it deserved. It seems like that would be a reasonable amount of time to scope out a project like this, particularly given no timelines were even conveyed to us from Select Registry as to when the new system was going to launch, or even how long we should continue to maintain the current SR/Webervations booking engine, being that we are the current provider, or the fact that we were notified of the choice weeks after the choice had been made. We ultimately want to hear from you - our customers - on this issue.  Some questions to consider:

  • Do you want to connect to this new SynXis system? We’ve heard from some innkeepers that they get very few if any bookings from the SR website. Do you want all the expense of a GDS product? If the volume is going to be low, it would seem to make sense to stick to your current PMS provider, load a room or two manually into SynXis, and avoid the $1,200 surcharge to use a two-way connection. That way you only have the $350 up-front, $50/year IATA fee, and $600/yr minimum, not the $1800/yr minimum.
  • If you are a current GDS customer with someone else, do you want to switch your provider and chain-code, and if so, when is your current contract up/what timeline are you looking at?
  • If you are a Webervations customer, do you expect to use Webervations to connect to this system, or do you want to use your PMS for a direct connection to this system? If Webervations, does that mean you are using Webervations as your only system, or is it that your PMS company will not be connecting themselves?
  • If you are planning on switching to a PMS provider on this list, do you understand that many of them do not connect to Webervations, and all of the sites that it powers?
  • Do you understand that this connection does not automatically put a property into the merchant programs of sites like Expedia or Travelocity?

The issue we face is complex and your feedback would be greatly appreciated. We certainly want to connect to as many distributors as possible on behalf of our customers, and we’d love to be a part of this product. The truth is that we sent multiple different partnership proposals to Select Registry over the past 3-4 years only to have none of them come to fruition. Until we can move forward on something like this, we need to have some time to plan it and figure out what kind of customer demand even exists. Please let us know your thoughts so we can come up with a workable solution on this.

Sincerely,

Eric Goldreyer
BedandBreakfast.com / RezOvation / Webervations


Reuters Schmeuters?

April 15, 2009 18:25 by Eric

We’ve gotten a ton of inquiries after the Reuters article about booking a B&B and getting a computer virus. We’ve contacted them, and so have a lot of innkeepers, to express our distaste at them singling out the B&B industry when it really is applicable to many, many small businesses.

Unfortunately, I don't feel the old phrase “there’s no such thing as bad publicity” applies here. But if nothing else, this is yet another wakeup call on credit card security. It seems a lot of innkeepers are feeling blindsided by all the credit card security talk out there. PCI security has been around for a number of years now, but it has never been easy to figure out – whether you are an innkeeper or even a company like BedandBreakfast.com. We started doing daily McAfee scans almost three years ago, back when they were called HackerSafe, but the landscape has changed a lot since then. We are by no means experts on it, but we feel we have a decent understanding. For those who wish to really get the details and make sure they are hearing this directly from the experts, you should read a publication put together in part by the AHLA – this is the most thorough guide we’ve seen yet and truly a great example of how lodging is leading the charge. Hats off to the authors for their painstaking effort on this – it is a very well-written document. 

I’ll try to explain how I understand this, hopefully getting it correct...

Right now, every provider of PMS software or services, from what we can tell, is considered to be a Level 2 "Service Provider", and/or a "Payment Application". You are a Service Provider if you grab or store credit card data in any way, and you are a Payment Application if you transmit that data electronically in any way for the actual authorizing or payment from a credit card. 

So from looking at the Spring 2009 issue of PAII’s Innkeeping Quarterly: 2009 Technology Guide for Innkeepers, companies like: Availability Online, NetBookings, and TCS would fall under only the PCI Level 2 Service Provider standards since none of them provide any integrated credit card payment gateway (according to the guide). Most everyone else - RezOvation, Webervations, Booking Center, Resnexus, SuperINN, RezStream, etc. - would fall under both the Payment Card Industry Data Security Standard (PCI DSS) AND the Payment Application Data Security Standard (PA-DSS) since they also transmit the credit card data.

The good news is that PA-DSS is crystal clear. You must have a 3rd party external audit to be compliant. As of last October, no company without a PA-DSS certification was supposed to take on any new customers that use credit cards in any way. As of July 2010, no customer, period, can use an application like these without having passed a third-party audit. Currently RezOvation GT is the only product that we are aware of that has successfully passed a full level one PA-DSS audit - although I’m sure other companies are in the process since it is an absolutely firm requirement. Companies that pass will be listed on the PCI website, which is updated roughly every month. If a company is not shown there, then they are not certified or were just recently certified. By July of 2010, all processors will be prohibited from working with merchants unless they show up on the list. 

The PCI DSS for "Service Providers" also has to be met – but this one is a little fuzzier. Since basically all vendors selling software products & services in the B&B industry are categorized as a Level 2 Service Provider (fewer than 300,000 transactions/yr), it means that basically everyone can do a self-assessment and claim they are PCI certified. A Level 1 provider (greater than 300,000 transactions/yr) must have an external audit. You can imagine how reliable a self-assessment is - and it can be private so you would never know what it says - just that the company says they passed it. So unfortunately there really is no way to know if a company is compliant or not unless they go through an external audit. The scans from companies like McAfee are not enough. And it may not even matter – because banks are already starting to ONLY allow credit card information to be collected/saved/transmitted by companies that go through a Level 1 external audit. So pretty much everyone is going to have to do what is required of the big sites - a full external security audit. We were actually already informed by People's Bank that they are going to start enforcing this - now.

What does this mean? Well for starters - there are no level 1 PCI compliant products in the market that we know of - not us, not SuperINN, Resnexus, Availability Online, no one. The only product we know to have undergone an external audit is RezOvation GT - and that just recently passed. This is good news for innkeepers though – as it is going to provide an enormous incentive for everyone to be externally audited – allowing innkeepers to rest more easily. We have already begun the process of going through an external audit for the other pieces of our business, and we’ve already started making changes to Webervations to comply. We’ve generally kept RezOvation and BedandBreakfast.com up to par with Level 1 standards, but will be making any and all necessary changes that the auditors find as well. We expect that other companies will start going through this too at some point as they really have no choice. For the industry as a whole – this will be great news. Hopefully the next article we see in Reuters will talk about how the B&B industry and providers like RezOvation and Webervations led the charge to put industrial-grade security practices in place for small merchants!

My advice to innkeepers... Unfortunately we are aware of some widely used products in our industry that say they are compliant but are not. For instance - one company posts its own self-audit online - and the audit shows they failed in a number of areas. So anyone using this system knows they are using a non-PCI-DSS/non-PA-DSS compliant product that hasn't passed a self-audit. Another stores full credit card and CVV data, which is expressly against the PCI compliance rules. Another doesn't encrypt anything at all and stores all the info including CVV right on your desktop in an Access 2.0 database from the 1990s. A lot of companies think the quarterly HackerSafe seal is enough to be compliant. That is not correct. If you are an innkeeper using a system that you know stores things like CVV or that failed a PCI audit - then you could be held liable in the event of a security breach. The unfortunate part is that PCI insurance is null and void if you are using non-compliant software.

I would highly recommend that when you are looking for a software platform or booking engine/availability calendar, find a provider that has passed an external PCI/PA-DSS audit so you don't wake up one day and hear that the bank is no longer going to allow you to process credit cards, or worse - that you are liable for a security breach because you used software that was not compliant.

We'll try to keep you guys up-to-speed on things relating to this as they develop. 

Respectfully,
Eric
