Customer spotlight: How eWAY helped bookitLive become PCI-DSS compliant

Discover how eWAY helped bookitLive become PCI-DSS compliant

Launched in 2008, bookitLive provides businesses big and small with the ability to instantly start taking online bookings, sell vouchers, packages, session passes and memberships.

The brainchild of David Godbold and Craig Dickson, bookitLive was designed to help businesses reduce ‘no-shows’ and last-minute cancellations, and to improve the overall booking management and selling experience with secure cloud-based technology.

With two health-based companies piloting the software, bookitLive began being approached by large international businesses such as Groupon for their service-based businesses. Around this time, bookitLive decided to offer payment services through their booking software.

They became aware of the Payment Card Industry Data Security Standard (PCI-DSS) — a set of guidelines that all businesses that process or store card data electronically must meet.

But David says they were under the false assumption that they would be covered if they connected to a payment provider that was PCI-DSS compliant — eWAY in this case.

“Our system allows people to book online without taking payment, and if we were facilitating a payment, it would be done through our third party payment provider, which means there wasn’t any payment information to steal in the first place,” David says.

This was a false assumption because PCI-DSS compliance extends beyond the actual payment transaction. In fact, there are a number of shared responsibilities between you (the business owner) and your payment provider (for example, eWAY) that need to be met.

As a business owner, you are responsible for your computer and website security, how you keep and store physical records, and what you do with sensitive information sent via email and provided over the phone.

While bookitLive doesn’t capture payment data for the businesses that use their software, they are still required to meet the compliance requirements, such as ensuring their computers and website are protected by firewalls and that their antivirus software is always up to date.

“We had previously looked at what we would have to do to become PCI-DSS compliant. However, we never pursued it because it seemed like it was going to be expensive and take a long time to execute. Not to mention, we didn’t think we needed to,” he says.

David says becoming PCI-DSS compliant can look like an overwhelming task at first, with little to no guidance available on how you should go about achieving compliance with these standards.

“When we were offered eWAY’s security tool (powered by SecureTrust), it looked like an easy process. We could complete a self-assessment easily by running a scan that would automatically tell us what areas [as a business] we were compliant in and where we weren’t.”

David says although it initially seemed daunting and complex, eWAY’s security tool streamlines the process by laying out a path of what you need to do.

“Once we had the tool and we ran the scan, we knew what we needed to do. It didn’t take as long as I thought it would,” David says.

The scan revealed that bookitLive needed to update their operating system in order to be PCI-DSS compliant.

With many of their partner businesses, as well as their third-party developers, shut down during the first lockdown in Melbourne, bookitLive saw the downtime as an opportunity to update their system and become PCI-DSS compliant.

“It took us about a month to do. We had to set up a new online environment and a cloud server. As part of the upgrade, we also changed hosting providers,” David says.

When businesses looking to partner with bookitLive to increase the distribution of their products and services raise security concerns, bookitLive reassures them with its Certificate of Compliance from SecureTrust, a leading global cybersecurity and managed security services provider focused on threat detection and response.

“When you’re talking to larger corporations who have whole teams of security people, they love digging into PCI-DSS compliance. It’s their job to look for the holes in systems that could impact the payment process and the reputation of the company they work for,” he says.

“It’s good knowing we’ve ticked this off. Having the compliance certificate reassures new and existing customers we’re safe to trust.” 

eWAY offers all customers heavily discounted access to SecureTrust’s security tooling through its Merchant Trust Initiative.