Ensure PCI Compliance, Own Your Data, and Seamlessly Manage Multiple Stakeholders

VGS as a Solution for Agents and Offering Platforms

Whether you are an OTA, Insurance platform, or any type of intermediary seller working with both an end user and an original provider, VGS can help.

Getting Paid When You Are an “Agent”

Agent platforms, which act as an intermediary seller or “agent” between the buyer and ultimate seller, are common in the online travel agency (OTA) and insurance industries. An “agent” setup is also prevalent across many other industries, including e-commerce and retail, restaurant and food delivery, and gig marketplaces.

Challenges as an Agency Platform

Agency setups on these offering platforms have unique payment challenges and customer needs.

Complex “Double-Loop” Payment Process

Every transaction happens twice: from the end customer to the provider platform and then from the platform to the hotel, airline, or insurance company, doubling the number of transactions and associated security needs and compliance requirements.

Multiple Stakeholder Management

Instead of the standard two parties of buyer and seller, an agency setup multiplies the parties involved: the end user, the OTA as the initial seller, and all the original sellers. If a user booked a trip on an OTA for a hotel, airline, and car, that's five stakeholders who need to send and receive payment information securely, plus additional ones in the payments infrastructure such as PSPs, processors, and third-party vendors for fraud monitoring, identity verification, and more.

Stay Compliant with PCI Requirements

Any company that stores, transmits, processes, or can otherwise affect the security of credit or debit cardholder data is subject to PCI-DSS requirements. OTAs, insurance marketplaces, and other offering platforms that accept payments from end users on their websites or mobile apps fall squarely into this category. Non-compliance can result in fines ranging from $5,000 to $100,000 for each month of non-compliance.

Risk from Outdated Processes

Sharing the end user's payment information with the final service provider could involve manual data handling processes. For example, a platform's employee could fill out their customer's information on the insurance carrier's website, write card numbers on a piece of paper, fax or email a spreadsheet to the hotel, or share a Google sheet with the car rental company. Such processes present significant risks for both data security and user error.

Keeping up with New Payment Methods

OTAs, insurance marketplaces, and other offering platforms need to keep up with changing consumer payment preferences. Consumers expect modern payment options like Buy Now, Pay Later (BNPL). However, these add more complexity for OTAs, as they need to reconcile partial payments and secure information from an additional payment method.

Not Owning the Data

In many instances, OTAs or insurance providers choose not to be the Merchant of Record (MoR) or to process payments themselves. They avoid the complexities of setting up and managing relationships with payment gateways, acquiring banks, fraud prevention providers, and other institutions, and only maintain a technical integration with the PSP on behalf of their provider to forward cardholder data. The provider owns the business relationship with the PSP.

While this reduces OTAs' PCI compliance requirements, it also takes away control over their payment data. Without data ownership, platforms cannot gain the data utility to enhance marketing programs and improve payment outcomes.

Working With VGS

Reduced PCI Compliance Scope

Platforms can add a VGS Token Vault to their stack and leverage it to securely collect and store their end users' incoming sensitive payment data. Payment information (PAN, CVV, and more) can be received using an API for web or mobile payments or from the hosted VGS Collect solution. This is stored in tokenized form in the VGS Vault.

Since sensitive data never touches the platform's systems, offering platforms can reduce their PCI compliance requirements. This results in compliance cost savings, breach risk mitigation, and the redeployment of internal resources to other critical tasks.

Data Security

At VGS, we convert sensitive payment information into randomized tokens, safeguarding against data hacks and ensuring data remains secure.

Tokenized data eliminates the risk of data breaches caused by older practices such as storing sensitive information in shared sheets and transmitting raw PAN and CVV information in person, in the cloud, by email, or even by fax.

Data Entry Automation

Platforms can reduce the risk of data inaccuracies due to manual error in the complex double-loop payment process. Combining a headless browser and browser proxy facilitates automated data entry and integration with service providers without directly revealing sensitive information.

Platforms can use a headless browser, a web browser without a graphical user interface (GUI), to collect information from their VGS Vault and automatically populate the end provider's desired web page.

A forward browser proxy from VGS can route the OTA web traffic and securely reveal the data to the travel service provider with minimal manual intervention or compliance exposure.

If the ultimate travel, insurance, or other service provider offered an API endpoint, and the OTA was integrated with them, automation would be even more straightforward with a standard, HTTP-based API. The data could be collected from the end user via API when entered into the web browser or mobile apps and stored as randomized tokens in the VGS Vault.
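The collect-then-reveal flow described above, sketched as an added example that is not VGS code and does not use the VGS API: `ToyVault`, `RevealProxy`, the `tok_` prefix, and the `hotel.example` host are hypothetical names, and the card number is a constructed test value. It shows the platform's record holding only random tokens, and the outbound proxy step revealing real values only to an allow-listed provider host.

```python
import secrets
from urllib.parse import urlsplit

class ToyVault:
    """In-memory stand-in for a token vault (hypothetical; not the VGS API)."""
    def __init__(self):
        self._store = {}

    def tokenize(self, value: str) -> str:
        # The token is random, so it cannot be reversed without the vault.
        token = "tok_" + secrets.token_urlsafe(16)
        self._store[token] = value
        return token

    def lookup(self, value: str) -> str:
        # Values that are not known tokens pass through unchanged.
        return self._store.get(value, value)

class RevealProxy:
    """Forward-proxy step: swap tokens for real values on the way out."""
    def __init__(self, vault: ToyVault, allowed_hosts: set):
        self._vault = vault
        self._allowed = allowed_hosts

    def forward(self, url: str, fields: dict) -> dict:
        host = urlsplit(url).hostname
        if host not in self._allowed:
            # Fail closed: never reveal to a destination that is not approved.
            raise PermissionError(f"reveal not permitted for {host!r}")
        return {k: self._vault.lookup(v) for k, v in fields.items()}

def demo():
    vault = ToyVault()
    pan = "4111111111111111"  # constructed test card number
    # First loop (collection): the platform's own record holds only tokens.
    booking = {"guest": "A. Traveller",
               "card_number": vault.tokenize(pan),
               "card_exp": vault.tokenize("12/30")}
    proxy = RevealProxy(vault, {"hotel.example"})
    # Second loop: the provider receives real values via the proxy.
    sent = proxy.forward("https://hotel.example/reserve", booking)
    try:
        proxy.forward("https://unknown.example/collect", booking)
        blocked = False
    except PermissionError:
        blocked = True
    return booking, sent, blocked

if __name__ == "__main__":
    print(demo())
```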

Control and Ownership of Your Data Without Being the Merchant of Record

With VGS, agent platforms do not have to add on the complexities of becoming the Merchant of Record (MoR) or have a direct business relationship with the PSP simply to gain access to their data.

They can offload sensitive payment data to their independent vault provided by VGS. Their data is secure in tokenized form while they stay PCI-compliant.

VGS Account Updater can be added to the VGS Vault to keep card-on-file information up-to-date, so any card data forwarded to the provider and their PSP has minimal chances of failing due to outdated information.

By working with VGS, offering platforms keep control of their data and ensure its accuracy without being required to handle it directly.

Grow your Business by Building in Provider Flexibility

When agent platforms own their end users' payment data, they can easily use multiple providers and avoid vendor lock-in. For example, if the initial provider can't provide a travel product or the carrier can't bind a policy, the platforms have options. Since they hold the end user's payment credentials in their VGS Vault, they can share them with an alternate provider.

If the alternate provider has a different PSP processing the payment, the offering platform can support that without a direct business relationship with that PSP, needing only the technical integration via API endpoints or browser proxy routes.

With the ability to compliantly access their end user's card details in a token vault, they can seamlessly send the information to the second PSP.

The platform can use the provider's credentials to automatically send the card details via API to the PSP to process the payment for both the initial and second providers. Direct integration with the PSP's API avoids the need for manual data entry or direct PSP relationships and allows platforms to use multiple providers.

Support Multiple Models and Expand to New Payment Methods

If an agent platform wants to move to the merchant model to handle payments directly and gain greater control over the transaction process and new payment options like BNPL, centralized payment data in a universal vault is a significant enabler.

The VGS Vault can tokenize all PCI and PII data types, and new providers can be easily integrated.

If a platform wants to become the Merchant of Record with direct PSP relationships and become PCI-compliant independently instead, VGS can enable its PCI Compliance journey.
