As part of our ongoing commitment to protecting agency and traveler payment information, Xstream continues to enhance platform security through new PCI compliance initiatives. These updates are designed to help agents reduce risk, strengthen data protection practices, and align with the highest level of Payment Card Industry security compliance.

Here is a summary of the new steps for accessing the client’s credit card and CVV code from the vault to complete payment with the supplier:

  • The full card reveal is designed as a one-time reveal for the security of both the client’s credit card and CVV code.
  • Use the Email Payment Authorization Link to send the payment form to the client(s) to complete.
  • Once they complete it, the agent will receive an email, and the payment will show up on the Payment Report on the Dashboard. This is also shown by the red flashing button, so agents know there are payments that need to be processed with the supplier.
  • Once the agent clicks the ACTION button to the right of the payment they are ready to process within the Payment Report, it will take them to the Payment area of the booking to retrieve the payment information. The agent needs to be sure they are ready to complete the payment with the supplier before completing these steps.
  • The agent will click the RETRIEVE and PROCESS button, which will email an OTP code to the agent’s email. This will then open a box with the credit card information that will be called into the supplier to complete the payment. Before completing the payment with the supplier, the agent will need to click Email CVV Code. This will email the agent a CVV code. The agent will also receive an OTP code for the CVV code, and then the CVV code will be emailed to the agent.
  • Once the agent clicks to reveal the credit card number, they should keep that reveal window open until they also receive the email with the CVV code. They should then contact the supplier to complete the payment.


Best practices should be

  • Do not click reveal until the supplier is on the phone or the supplier payment page is open and ready.
  • Do not refresh, close, or navigate away from the reveal screen after the card is shown.
  • Do not click Remove from Vault until the supplier payment is confirmed as approved or the payment is intentionally voided.
  • If the supplier site fails, keep the reveal window open while reloading or retrying the supplier page.
  • CVV should be requested only when ready to submit payment because the CVV secure link is also one-time use and expires quickly.
  • Currently, the card number is not on a short countdown once displayed. It remains visible while the reveal modal/page remains open. However, the reveal itself is consumed one time, so if the agent closes, refreshes, or loses the page, we should not allow repeated full-card reveals by default.

See our Quick Sheet here! 

Xstream_Secure_Payment_Processing_Procedure.pdf 



Support

Additional training is located on your XstreamCRM under the Training Menu. You'll find step-by-step tutorials on how to record your bookings and manage your clients. 

If you need additional support, please submit a support ticket directly from your XstreamCRM under the "CRM Support Tickets," tab. Please also request access to the XstreamCRM Facebook page here