Expedia Group is committed to the secure handling and transfer of traveler payment card information. We fully comply with PCI standards and also require that connectivity providers who partner with us comply with industry standards before we share any payment card information with their systems. In this post, we answer a few common questions to help demystify PCI compliance, and help you understand how industry regulations may impact your connection to Expedia Group. For more information, please contact your Expedia Group account manager.
What is PCI compliance?
The Payment Card Industry Data Security Standard (PCI DSS) council was established in 2006 by five major credit card brands. The council established a set of 12 specific requirements to meet six different goals, including building and maintaining a secure network, implementing strong access control measures, and protecting cardholder data. All companies that accept credit card payment information must be PCI compliant and provide Expedia with an Attestation of Compliance (AOC)
What is an AOC?
The Attestation of Compliance (AOC) is defined by the council as:
A form for merchants and service providers to attest to the results of a PCI DSS assessment, as documented in the Self-Assessment Questionnaire or Report on Compliance.
In other words, the AOC is proof that you comply with industry standards. Expedia Group must have a copy of a current and valid AOC on file for every connectivity provider.
How frequent should I provide an AOC to Expedia Group?
Once a year. We undergo a yearly audit with all connectivity partners to ensure they continue to comply with industry standards.
What is TLS and is it different than PCI compliance?
Transport Layer Security (TLS) is a cryptographic protocol used to establish a secure communications channel between systems. To partner with Expedia Group, you must be TLS 1.2 or higher
What happens if I can’t confirm my compliance with industry standards?
If you are interested in working with Expedia Group, you must provide proof of compliance in order to partner with us.
Connectivity partners must meet the following security requirements to receive payment card information from Expedia Group:
Have a current and valid AOC on file with Expedia Group
TLS 1.2 or higher
Failure to meet either of these requirements will result in Expedia Group blocking all payment card information from being shared. This means that all reservations shared between Expedia Group and the connectivity partner will not include payment information.
The security of our customers and their data is a key priority for us and something we take seriously. Expedia Group is committed to working with each of our connectivity providers to ensure the systems we use to share information are safe and secure. If you have questions about your connection or about the type of information that Expedia Group is sharing, or not sharing, with your system – please contact your dedicated account manager.
We are excited to share the first phase of our new approach to connectivity, the Expedia Group connectivity hub. In the future, the connectivity hub will be your one-stop-shop for all things connecting your lodging partners. The start to this iterative approach is a new look and feel of the website and an enhanced documentation structure for our APIs-- but there's much more to come!
We’ve heard your feedback and appreciate your participation to help influence our product and feature roadmap. The ongoing enhancement plan for Expedia Group connectivity hub includes ways for us to better support your ability to integrate with us, as well as provide the best-in-class product offerings for your lodging partners.
Over the coming months, you will notice new features in the connectivity hub that are based on the things you ranked most important in our recent survey as well as direct feedback from our conversations with you. For example, coming very soon will be the number one requested tool—a GraphQL integration playground. With this self-service sandbox, you or your developers will be able to test GraphQL integrations up front and make any necessary edits in the testing environment before going live. And that’s just to start!
We hope you’re as excited as we are about both the new site and the things to come. Please take a look around and most importantly, stay tuned for more!
Questions or feedback?
We want to hear from you! Please feel free to reach out to your account manager!
Expedia Group is updating its Expedia Collect (EC) model to simplify how it operates and to remain relevant and current in local markets. Starting November 2, 2020 there will be updates to the EC booking notifications (and payment processes if relevant) that you’ll need to adopt for properties in Mexico.
What’s changing in Mexico
Starting November 2, lodging partners will receive either gross or net payments (net payment is business-as-usual today).
If gross, lodging partners may charge for the total booking amount, which includes taxes and hotel fees, and will pay back Expedia Group’s compensation and VAT on it.
If net, lodging partners may charge for the total booking amount, which includes taxes and hotel fees, minus Expedia Group’s compensation and VAT on it.
EC booking notifications will show the base rate, taxes on the base rate, hotel fees, and the total booking amount.
Booking Notification and Booking Retrieval APIs will now include additional data points to help manage and supplement the changes mentioned above.
If you work with properties in Mexico
In order to receive additional details about these reservations, you’ll need to make enhancements to your connection with Expedia Group.
If you do not work with properties in Mexico
There is no immediate action required, however, additional markets are being planned for early next year. You will be notified, but we strongly recommend these API enhancements be adopted ahead of time.
For more information:
Please refer to the “What is New” sections under the Booking Notification and Booking Retrieval/Confirmation (EQC) API specifications for details on the incremental enhancements being made. The FAQ & Guides sections have been updated as well.
If you have any additional questions or would like to get started on the adoption, please reach out to your Account Manager.
Frequently Asked Questions
(Last Updated: 2020-09-07)
Are these enhancements required for adoption by November 2, 2020?
What happens if I am unable to adopt the enhancements?
If you are unable to adopt the enhancements in markets where updates are required, the booking notifications will look like the sample message under section Expedia Collect – future, without enhancements adopted.
We are still required to pass along the base rate inclusive of compensation, along with taxes and hotel fees applied on the base rate to lodging suppliers in the booking notification. The payment amount will be added as a string under special request code=5 (the payment instruction). Additional details will always be available in Partner Central if needed.
Will this be rolled out for all countries, or only those with regulatory requirements?
Rollout will be on a market-by-market basis. The following markets are where changes are currently planned for early next year: UK, Norway, Russia, India, Middle East (Bahrain, Oman, Saudi, UAE), South Africa, New Zealand, Israel, Iceland*.
*Markets and exact launch dates may change if needed
Which message types will these additional fields be present in?
These additional fields will be present in new reservation requests and modification requests.
I provide connectivity services to lodging partners that have properties inside and outside impacted markets, how will this impact me?
At the moment, we will only be providing these new fields for properties in markets where this change is required, but your system should be set-up to accept reservations both with and without the enhancements. Details on what the notification will look like for these different scenarios are outlined in the specifications.
Is testing and certification required?
Yes, certification and testing are required for adoption. Please reach out to your Account Manager to get started.
What does the testing and certification process look like?
Testing will consist of new booking requests containing variations with the additional fields. For partners using Booking Notifications, testing will be available mid to late September, and for partners using Booking Retrieval/Confirmation, testing will be available in early October. Please reach out to your Account Manager for more information about beginning testing or certification.
I provide connectivity services to lodging partners in certain jurisdictions where similar changes related to Expedia Collect were made. What will happen for those properties?
We will not be updating or making any changes to those markets just yet. The text in special request code=5 will remain. However, once we roll out the enhancements in those markets, the new payment amount field will replace the special request text, and the additional fields will be passed along as well.
Expedia Group recently announced its commitment to help partners rebound from the impact of COVID-19 and fuel industry-wide recovery efforts.
Expedia Group’s recovery program is comprised of global initiatives to support industry recovery and property-level relief designed to help independent partners and small chains rebuild their business, attract high-value guests, and optimize cash flow.
You can view a summary of Expedia Group’s full recovery program here.
Specific to lodging partners, Expedia Group is committing $250 million in marketing credits and financial relief.
The marketing credits and financial relief measures will become available to lodging partners based on recovery signals, including demand trends, from their specific markets. This approach will provide our partners with the support they need when it will be most beneficial. There are minimum requirements that partners need to fulfill to participate in the program.
If you have questions about the Revive and Relief Program for lodging partners and how it is being implemented, please contact your Expedia Group Account Manager.
Additional resources to guide recovery strategies can be found in the Expedia Group COVID-19 resource center.
The ability to travel in the wake of COVID-19 is something we monitor constantly. And while we’re thrilled to see restrictions lifting in many parts of the world, our hearts go out to partners in countries still battling to control the pandemic. Once again, we’d like to update you on the adjustments we’ve made to our cancellation policies to reflect the current circumstances.
Bookings made on March 20,2020 and beyond will honor property cancellation policies
Reservations made after the risk of booking non-refundable and partially refundable rooms was widely known will not be subject to our COVID-19 force majeure policy. We will honor the property’s cancellation policies for both domestic and international reservations.
Moving away from a global policy for bookings made before March 20, 2020
Now that individual governments are relaxing controls and opening borders, we are evolving our policies to align with their decision-making.
If travel restrictions have been lifted, we will honor the property’s published cancellation policies.
However, if government requirements, flight cancellations or other COVID-19 restrictions remain in place, we will allow travelers to cancel existing bookings.
Previously, we gave properties the option to offer either vouchers or refunds for most non-refundable bookings cancelled under our policy. We are extending that decision (made by the property or their headquarters) to July and allowing them to change their selection in Partner Central.
Please continue to visit our COVID-19 force majeure pageto understand implications by market.
Helping with recovery strategies
As travelers return to booking holidays, they will have more choices than ever before. To help properties and ensure they are ready to attract travelers’ attention, we’ve created a COVID-19 Resource Center. It consolidates the latest insights on traveler behaviors, travel trends and industry data, as well as tips and best practices for bouncing back. Feel free to share this resource with our shared customers.
If you have questions, please contact your Expedia Group Account Manager.
It’s important that all connected systems meet standards and operate at top performance. A connection that performs well reduces a property’s risk of overbookings or relocations and helps avoid issues with the competitiveness of their rates and availability.
To help ensure that you understand the health of your Expedia QuickConnect (EQC) connections with Expedia Group and are aware of opportunities for improvement, we’re updating our EQC connectivity error report.
Based on feedback from our partners, we’ve made improvements to the report that enables you to:
• Understand what information is in the report and how to use it – including a dashboard view of your overall performance, a summary view that identifies the errors that are impacting your performance most and detailed views of errors and warnings for each API
• Use recommended solutions to troubleshoot and resolve issues quickly – additional information and technical documentation is also available at https://expediaconnectivity.com/developer.
As a reminder, to assist properties with finding the connectivity provider that best suits their needs, our Connectivity Provider Guide shares insights into your performance metrics; including Availability success and Booking success. You can view the guide at https://provider.expediapartnercentral.com/guide.
For more information or to subscribe to error reports, please contact us or your Expedia Group Account Manager directly.
Beginning in August 2019, travelers will be able to enter their name and special requests in local language at the time of booking. This update will give travelers an easier, friendlier booking experience. In turn, we project increased conversion potential for properties; which could lead to higher production.
This will apply to all domestic bookings made on Expedia.com andHotels.com in China, Hong Kong, Japan,Korea, and Taiwan.
For properties to benefit from this update, both the properties’ and your systems will need to supportUTF-8 encoding, which is an international encoding standard for different languages. If they don’t, don’t worry; you can opt-out of this feature by contacting your Expedia Group account manager or you can consider updating your integration to become UTF-8 compliant. Get more details and see sample messages in the online specifications for the Booking Notification API and Expedia QuickConnect Booking Retrieval & Confirmation API.
If a property contacts you to opt-out of this feature, please ask them to speak to their Expedia Group market manager.
Here at Expedia Group, we’re proud to have one the strongest brand families in the travel industry. After all, we’ve spent countless hours meticulously crafting each brand and its reputation. But to maintain our position in the industry, it’s important that our brands’ visual and written identities are consistent, whether they appear on our own site or in a connectivity partner’s brochure.
To help you use our brands correctly when displaying them alongside their own, we’ve developed a new set of brand guidelines.
About the guide
Our new guide outlines each of our brand’s look and feel, values, and personality to help you maintain their identity. Along with the guide, we’ve also created a toolkit of logo assets, so you’ll never have to use a low-resolution image again!
If you have any questions about the guide, please reach out to your account manager.