This article explains how credit and debit card payments are handled in Booking Rooster and how this affects PCI DSS scope considerations. It covers:
- Payment Architecture
- Supported Payment Providers
- PCI DSS Scope Overview
- Payment Flow Overview
- Links to related articles
Payment Architecture
Booking Rooster is architected so that Cardholder Data (CHD) does not enter the Booking Rooster platform.
When a customer makes a payment:
- The customer selects Credit/Debit Card at checkout.
- The customer is redirected to, or securely presented with, the payment provider’s Hosted Payment Page.
- Card details are entered directly into the provider’s PCI DSS validated environment.
- The provider processes the transaction.
- Booking Rooster receives only transaction outcome data (for example, approval status and transaction reference).
Booking Rooster does not:
- Store Primary Account Numbers (PAN)
- Store CVV/CVC codes
- Process Cardholder Data
- Transmit Cardholder Data
- Store Sensitive Authentication Data
Cardholder Data is handled entirely within the payment provider’s Cardholder Data Environment (CDE).
Supported Payment Providers
Booking Rooster integrates only with PCI DSS validated payment service providers, including:
- Windcave
- Worldline
- Stripe
- PayPal
- Braintree
Credit card processing cannot be enabled using a provider that does not maintain PCI DSS validation.
Each payment provider is responsible for securing Cardholder Data within its own certified environment.
PCI DSS Scope Overview
Because Booking Rooster does not store, process, or transmit Cardholder Data:
- Booking Rooster systems are not part of a Cardholder Data Environment (CDE).
- PCI DSS requirements relating to the protection of stored and transmitted Cardholder Data are fulfilled within the payment provider’s environment.
Merchant PCI DSS obligations are determined by the merchant’s acquiring bank.
When using a fully hosted payment page provided by a validated payment service provider, many merchants may align with an SAQ-A model. Final SAQ determination should be confirmed with your acquiring bank.
Payment Flow Overview
Customer Browser
↓
Booking Rooster
↓
PCI DSS Validated Payment Provider (Hosted Payment Page / CDE)
↓
Card Networks / Acquirer
↓
Payment Result Returned to Booking Rooster
Cardholder Data flows directly from the customer to the payment provider.
It does not pass through or get stored within Booking Rooster systems.
Related Articles
- Security Overview
- Authentication & Access Control
- Two-Factor Authentication (2FA) – Setup & Defaults
Comments
0 comments
Please sign in to leave a comment.