Have you received a call from your bank to ask if your hotel meets the PCI-DSS security standard? If so, you’ll already know what this is about, although maybe not so much on how to do it. If you haven’t received the call, you will receive it shortly. This article will be of interest to you in order to know what it’s about and how to anticipate it.
What is PCI-DSS? Does it affect my hotel?
It’s a security standard that affects the environments that works with or stores credit cards, something which directly affects every hotel.
It’s nothing more than a “good-practice manual” that all involved companies must adhere to. PCI-DSS means Payment Card Industry Data Security Standard and it was created by a credit card consortium that includes Visa, MasterCard and American Express among others.
What is the purpose of PCI?
Avoiding or minimising the many existing credit card frauds, something which has increased greatly with the arrival of the Internet and e-commerce.
Is it mandatory to be PCI-certified?
There is no law that enforces its compliance. However, it’s an essential requirement for entities who issue credit cards and the banks themselves, who may reduce their services or break contractual relationships in the event of not having a PCI certificate. The most usual threat from banks at this point is to withdraw the physical TPV service (dataphones).
Is that why banks are pressuring me about the PCI certificate?
It’s a domino effect. In the event of credit card fraud, issuing companies like Visa look to the banks, who then look to the business (hotel), and those look to their providers (PMS companies, channel managers, search engines, etc.).
Up until now, the bank required the hotel for all of its providers to comply with the PCI regulation and the hotel is right to demand that from them (Mirai has the PCI-DSS certificate). However, the requirement will broaden in a short space of time and it will force your hotel to also comply with the regulation. Are you ready?
How will the PCI compliance affect me? Will it change my everyday activities?
PCI will force you to carry out a deep technological change but also a change in your philosophy. There are many requirements that you will consequently have to revise and adapt to your operation. We won’t go into details because that’s not the point of the post although we will provide you with some simple examples that are good illustrations of the significance and philosophy of PCI.
- Unique users. Every receptionist or member of hotel staff who has access to or works with credit cards must have a unique user ID with the purpose of monitoring access individually in the event of an incident with a specific card. This will imply having many nominal accounts in the computers, the PMS and the Booking.com or Mirai extranet, something which will considerably complicate reception operations, for example.
- Booking confirmation faxes with the client’s credit card number. Maintaining this confirmation method becomes complicated to the point where it’s unfeasible. Having the fax machine in reception within everyone’s reach will happen no more. You will have to move the fax machine to an area with restricted access, with security cameras and a register of everyone who enters and leaves the area. The automatic import of bookings in your PMS will be your greatest ally to solve this problem.
- CVV2. Storing this data shall be strictly forbidden (requirement 3.2 of the regulation). If you cannot store it and you are not going to use it in real time, why ask for it? Also, you don’t need it for transactions with the physical TPV and it doesn’t help you with refunds. It’s best not to ask your clients for it when they make bookings (except for rates with the virtual TPV where the bank will request it to execute the charge) and this way get rid of the problem.
- If you have the PMS at the hotel and use it to store the credit card data, get ready for a big change. You will have to adapt your whole network architecture to comply with the regulation: separate the server in a different network with physical access control, security cameras and entrance and exit register. You will also have to add a firewall that controls and registers all access also in a third environment that is separate from the two first ones. A huge fuss. It’s best to find support in your PMS manufacturer to find the best solution. There is no doubt that cloud versions are recommended in these cases because, this way, you don’t store any credit card in your hotel.
- Training, documents and procedures. Get ready for an avalanche of documents that you will have to do (it’s recommended to find support in an external consulting company) and that you then have to follow. It will change your working ways in everything related to credit card use and handling. You will need an internal team that is responsible for the compliance of the regulation. Each new employee with access to credit cards will require training.
All of this makes us reach a scenario where every charge or guarantee method made by the hotel is made via centralised payment methods that are external to the hotel (companies like Google, Apple or PayPal are already advanced in this field), removing the risk of a security breach in the hotel itself.
What do I have to do to obtain the PCI certificate and how much does it cost?
The theory is long and tedious, so we won’t talk about it here. We will just say that there are 12 points that go from system architecture (firewall separation, credit card encryption, etc.) to security procedures and necessary documents. You can find a quick guide (40 pages, no less) here. A costly work but a necessary one, I’m afraid.
The certificate is free. However, the time and and resources employed to obtain it will cost a lot. Our recommendation is that you hire one of the many PCI consulting and certifier companies (a huge business which has emerged due to this new regulation) and let them lead you (in many cases, it won’t be an option but rather an obligation).
It will incur an initial cost from 10,000€ to 60,000€ depending on the requirement level that you have (the more credit cards handled every year, the higher the required security level will be). Large hotel chains from around the world handle other costs, of course. From the initial certificate, you will have to re-certify yourself every year, with the cost being much lower because most of the work is already done.
The time frame will also vary, but it could fluctuate between 3 and 12 months, once again depending on the amount of credit cards that you handle.
Does having the PCI-DSS certificate guarantee being exempt from fraud?
Sadly, no. Complying with the PCI-DSS regulation improves your security systems and level, decreasing the chance to have an incident, but it does not guarantee that it won’t happen 100%. In fact, every year, many companies with the PCI certificate suffer from credit card breaches and theft.
Security and fraud control is an intangible of increasing importance and being up to date with the regulation and good practices will avoid many potential future problems. This is why it’s a good investment. It’s normal that, as business owner, you find it hard to provide resources for something that shows no financial gain in the short or mid term.
However, banks have started to put the pressure on and this now seems unstoppable. The domino pieces have started to fall and sooner or later (6 months? 1 year? 2 years? Nobody knows…) it will be the time for the medium-size hotel chains piece to fall (the large hotel chains piece has already fallen), followed by individual hotels. Knowing what is coming is the least you can do. Anticipating it would be perfect.
Google is becoming a relevant player in the online hotels sector, something which makes the big existing players like Booking.com or TripAdvisor uncomfortable.
However, Google’s strategy is different to the one of its competitors. It’s not becoming an OTA per se (such as Booking.com or, as it appears, TripAdvisor) and neither is it creating a metasearch engine such as Trivago or Kayak.
Google Hotel Ads (GHA) is a platform of inventory and prices distributed over the different Google products: its search engine, its maps and the new Google Destinations. Is there any doubt now that we will see these prices on Gmail or Google Now sooner rather than later? On the other hand, strangely enough, the product that Google created as a pure price-comparison tool, known as Google Hotel Finder, was shut down in September 2015. That wasn’t Google’s war.
By the way, GHA is the new name of what was previously known as Hotel Price Ads (HPA), a name that has now been removed from its vocabulary.
Using the search engine or the maps, the importance that Google is giving these prices in real time is evident, particularly on mobile devices where its prominence in proportion to the screen size is much higher. Google calls it micro-moments and it consists in giving users what they are looking for at the right time and naturally
Why participate in the Google Hotel Ads programme?
As a hotelier, it is key to be in GHA since you are occupying an essential display window such as Google and are directly competing with the OTAs in a field in which they have consolidated themselves in by diverting many sales to their pages. All of this takes us to our final objectives: reducing the cost of intermediation and gaining independence from it.
Remember that you are already participating in GHA through OTAs and you are financing their campaigns for them. In other words, OTAs do not invest a single cent in order to place your hotel in metasearch engines, you are paying for everything.
What models does Google offer to participate in GHA?
Within the GHA programme, Google offers the following three different forms of use:
- The traditional CPC (cost per click) model, where you pay an amount for each visit that goes to your website.
- A model that is a hybrid between CPC and CPA, which Google calls “ROAS target”, which is simply setting a “target commission” (for example, 10%) from which they optimise the CPC in order not to surpass the 10% commission when calculating the investment from the generated income.
- The new and pure CPA (cost per acquisition, aka commission in hotel talk) model, which Google calls Google Hotel Ads Commission Program (GHACP), which we wrote about a few weeks ago.
What are the differences between these three models?
|Payment method||Cost per click||Cost per click||Cost per acquisition (commission)|
|How much does it cost?||It depends on how aggressive you want to be. It works similarly to Adwords: you set a CPC maximum and Google chooses the winning option via an auction. The more bidders there are, the higher is the cost.||The % of commission that you want, taking into account that Google will calculate an equivalent CPC for the auction. If the % is low, your bids will not appear.||Whichever commission you want, always between 10% and 15%.|
|Does it take cancellations into account?||No. All clicks cost the same, regardless of whether they generate a booking or not.||No. The equivalent commission is set prior to the cancellations (be careful with being aggressive since cancellations are absorbed by you).||Yes. Since it’s a system based purely on commission, you only pay for the bookings you have charged for.|
|Which model offers more visibility for my hotel in the search results?||You can get the same visibility for your hotel regardless of the model you choose. The more you bid (in CPC or commission) and the better the offered price is, the more chances you will have of appearing in the top places.|
|Can I set an investment limit?||Yes, both daily and monthly (e.g. 800€/month)||Yes, albeit indirectly. By setting an equivalent commission you will ensure the profitability of the investment.||Being a commissionable model, why set an investment limit? The more sales, the better.|
|Can I hire this service directly from Google?||No, you need an integrated partner with theCPC model. You can find a list of them here||No, you need a partner integrated with the CPA model. Not all GHA-integrated partners support the CPA model. Ask your provider.|
|When do I have to pay?||When the click is made, before the client arrives. Therefore, you pay in advance, just like with Adwords.||Monthly, after the client’s stay.|
Which is the best model for your hotel?
Since you can receive the same income results with all three models, you must choose the options that incurs the lowest cost.
Conceptually, hotels with higher average price and higher average stay are candidates for the CPC model, since they will have an equivalent commission lower than 10%. Our recommendation is to start with this model.
For the remainder, the recommended option is the pure CPA model, since it minimises risk, minimises the budget management and optimisation and, on top of it all, it generates a positive cash flow (you pay when the client has paid). At Mirai, we are transferring almost all of our clients to this model.
Having a pure CPA system, we do not see any reason to hire the “CPC ROAS target” model.
What should your strategy be in Google Hotel Ads?
Participating in GHA is only the first step, but it’s not enough. To be there for the sake of it, in other words, participate without generating bookings, is not the objective. You have to have a strategy behind it, a strategy that allows you to generate a high number of bookings and save money from the commissions paid out to OTAs. At Mirai, we believe that the following strategy is the right one:
1. Choose the GHA model which offers you maximum profitability while maintaining an adequate number of bookings. If you have any doubts, CPA is the model for you.
2. Remove all intermediation from GHA. An essential objective for hotels and hotel chains but that is rarely seriously posed. What value does Booking.com give you in this search? If you can be there directly in metasearch engines, intermediation offers no value. Sadly, this is a difficult battle in today’s day and age due to the refusal from OTAs.
3. Remove the disparities from OTAs who are fishing for these prices via bed banks or another OTA by taking advantage of the many holes that hotel distribution has. Being present in GHA to see the result of the image below is pointless.
4. Maximise your visibility
Once you have done your initial homework, you must understand how GHA shows the results and how it sorts them. By default, it shows two entries in its results. The ranking is determined by two main factors: the bid (how much Google earns for having you up high) and the quality where price competitiveness and conversion come into play.
Booking.com brings the same strategy to GHA as it has on Adwords: occupying the first position at any cost. Fighting for the first position will be very expensive. Since you cannot remove Booking.com from GHA (because they will refuse and because, I fear, you are contractually obliged not to), play to occupy the second position like we explain below.
If you maintain a price-parity policy, it’s probable that, as well as Booking.com, any other OTA may improve your bid and your entry ends up buried in the “See more prices” link. This is not the correct strategy.
Your most profitable option, and the one that will generate more bookings for you, is the one that offers the best price on your website. This will all but guarantee second position, something which will maximise your entry’s visibility and will show the client the advantages of booking directly with you (which will also save costs). This is the strategy that all large hotel chains and advanced hotels are following, an unstoppable trend which many independent hotels and hotel chains are joining.
Google has slowly been entering the travel sector, especially the hotel one. It’s here to stay, whether we like it or not. On one hand, it’s another toll to pay but, on the other, it’s a great chance for hotels who wish to reduce the large dependency they have on OTAs. Finally, a powerful weapon with no risk.
However, remember that technology is just part of what you need. The key is in the knowledge and skills of being up to date and making the most of the opportunities that come along. GHA, undoubtedly, does much more good than bad, although it confirms once more that direct sales aren’t cheap -much to the delight of OTAs. However, they are still cheaper than intermediated sales, no matter what some OTAs say.
Many hotels do the right thing by offering better stock and price conditions to Booking.com, and of course to their own website, rather than to Expedia after seeing that they make more money that way, since the net price (after taking out the commissions) is almost always superior.
However, rarely are these same decisions made depending on cancellations and the costs that these generate per channel. It’s not easy to estimate or measure this cost since it doesn’t leave a direct trail (albeit an indirect one) on the average price or production of each channel, but we should not ignore it nevertheless.
We will analyse these costs as well as determine who is responsible for the fact that cancellations are shooting up: the hotel or the channel?
Do cancellations vary subject to the channel?
We have chosen 40 of our channels and analysed the cancellations (% on room nights) in the last four months (January-April 2016) of our three most important online channels: Booking.com, Expedia and the website itself. The results are as follow:
According to our analysis, the Booking.com cancellations are 104% more than the direct channel ones, while they are 31% up in the case of Expedia. The relation between Booking.com and Expedia is +56% in favour of the former.
It’s important to note that Expedia’s cancellation varies a lot subject to the model that hotels are using. The cancellation of the Package rate is very low, less than 3% (airline rates are mostly non-refundable); the Expedia Collect (Expedia charges the client) cancellation rate is around 12% and the Hotel Collect (pay directly at the hotel) cancellation rate is close to Booking.com levels at around 35%.
An example will help to better illustrate how distribution costs vary per channel if we take the opportunity cost into account had we not sold any of the rooms after the cancellations.
Let’s work with 100 room nights generated by each channel at a price of, let’s say, 150€. We then assign the resulting cancellation percentage from our analysis to each channel. We assume 85% recovery of these cancellations (an optimistic percentage), in other words, that the hotel manages to sell them through the same channel after the cancellation and that they can still maintain the sale price of 150€. After adding this opportunity cost, we see how the final commission of Booking.com would go up to 24.8% (increasing by 4 points), the Expedia one to 26% (increasing by 4 points) and lastly the website one (in which we assume 8%) which would go up to 11% (+3 points).
These numbers would vary in the different hotels. We invite you to make this calculation in your particular case and to start assigning cancellation costs to each channel in order to have a more complete picture of your distribution.
Why is Booking.com the channel with the most cancellations?
If the hotel applies the same cancellation restrictions to the three channels equally, why are the results so different? We believe that the reasons are as follow:
- Fraudulent bookings. The truth is that most of these bookings (like, for example, to obtain a visa to enter a country) go through Booking.com, since it’s the most popular and important OTA in the world. These are bookings that the hotel usually identifies as fraudulent and cancels on the spot, therefore with little impact.
- Payment method. Expedia generates many of its bookings in the Expedia Collect mode, where Expedia charges the client directly (not necessarily non-refundable). It has been psychologically proven that you pay in advance when you are sure that you will be going, and therefore have less of a chance of cancelling. Also, this payment method avoids any kind of fraudulent booking.
- Package rates. A high percentage of Expedia bookings (depends on the hotel) include a flight, which is usually a non-refundable rate. The cancellation of these bookings is, therefore, very low, thus considerably reducing Expedia’s cancellation average. It would seem fairer to compare Booking.com with Expedia in its mode of paying directly at the hotel, although unfortunately the data that hotels have is not always broken down in this way, thus making it very difficult to measure.
- OTAs work more on inspiration. The hotel doesn’t with its website. Mail marketing campaigns are commonplace to generate booking interest. Many clients end up doing so but, since it’s so casual, they book first and then see if they have time and money to actually go. In any case, cancellation is free. The inspiration phase is still far from the booking phase and therefore there is a higher probability that many bookings end up being cancelled.
- Culture of each channel. Booking.com is increasingly encouraging clients to book even if they’re not sure that they will travel. For that, it employs dozens of booking accelerators that pressure clients with a message such as “book now or you’ll lose the room”. Here is a message that it regularly sends to its clients:
This speculation suits Booking.com. Even if many rooms are cancelled, many won’t be. The hotel will most likely use Booking.com again to sell them, since it is the channel that best works with last-minute bookings.
Booking.com itself made a test some time ago where it notified the client when the hotel lowered its booking price (so that the client would cancel and make a new booking). This is an excellent service for the client but it was not received with open arms by the hotels, who themselves had an answer to it: make all rates non-refundable. In the end, Booking.com stopped this practice but it’s still active on www.tingo.com, www.triprebel.com and www.yapta.com
The traditional OTA discourse is that the final result is what matters and it ends up benefitting the hotel if it’s a positive one. Cancellations aren’t a problem. This statement is only partially true and supports itself on how hotels fail to calculate the impact of cancellations.
- The hotel-website client is different. Our experience tells us that this client is the most loyal client to the hotel and, therefore, speculates less. If he books at your hotel, he almost always goes (unless he has a setback).
The truth is that Booking.com knows that all of these cancellations are a problem for the hotel and they are working to reduce their impact. For that, they recently introduced two new tools to facilitate charging the bookings from their extranet and there seem to be movements to exempt the hotel of non-payments by clients, with Booking.com taking on that risk. The latter seems like a great move by Booking.com. We will await more details on the matter.
What to do to take into account the cancellations of each channel?
As we’ve seen, even if you apply the same distribution strategy and cancellation restrictions, each channel will have a different percentage and cancellation notice period. These cancellations are costing you money and you should look to assign them to each channel.
If we penalise Expedia for their large commission (closing sales or increasing prices), we should also do the same to other channels with a higher cancellation impact.
If Booking.com has the largest index of cancellations, you should consider applying a more restrictive cancellation policy in comparison with the rest of the channels, especially in comparison to your own website and particularly during high season. A holiday hotel, for example, would add a 21-day cancellation notice period for its hottest dates on Booking.com (or, directly, non-refundable) and would maintain 7 days on its website. An urban hotel, during dates of high demand, could do the same with 24 h. and 72 h.
The other tool the hotel has is the price. Increase the price on the channels with a higher cancellation rate. If you manage to monetize them in each channels (unsold rooms, average price reduction, staff costs, etc.), and bring it to a total cost, you should add it to the commission of each channel, which would give you a more complete picture of reality. The difference in cost between Booking.com and Expedia would be reduced and, on the other hand, would further increase between OTAs and your own website.
When we compare the costs per channel, we should broaden the analysis and have a global view. Direct commission is just one of the many costs that each channel has. Other ones that are also known, albeit rarely calculated properly, are the yearly/monthly fixed costs and the sales rebate. On the other hand, we rarely include the cancellation costs in this analysis.
If we were able to monetize it, we would realise that the channels that appear to be more profitable are not as profitable as we think. Once again, it continues to show that the direct channel is the most profitable one of them all and one that the hotel should strongly commit its long-term strategy to.