PCI Proxy & Automated Payment Processing
This article provides a complete overview of how PCI Proxy and automated payment processing work within NebulaCRS, and what they mean for your property.
As part of HTI's ongoing commitment to data security and operational efficiency, we have integrated Peach PCI Proxy with NebulaPAY into the NebulaCRS platform. This integration ensures that credit card details received from online booking channels are never handled directly by your property or HTI — instead, card data is instantly tokenized at the point of entry and stored securely, keeping your property fully protected and PCI DSS compliant.
For properties with NebulaPAY configured, virtual credit cards (VCCs) sent by supported channels such as Booking.com are automatically charged on the date and amount specified by the channel, with payments posted directly to NebulaCRS and synced to your Property Management System (PMS) — reducing manual intervention and the risk of missed or delayed payments.
This article includes a process flow diagram to help you understand how reservations and card details move through the system, followed by a detailed FAQ covering setup, security, troubleshooting, and future developments.
PCI Proxy & Payment Processing
Frequently Asked Questions
Q: How does PCI Proxy work for my property?
A: Reservations from online channels (e.g. Booking.com) arrive with credit card details. Card data is immediately secured via Peach PCI Proxy — your property or HTI never handles raw card numbers. The details are tokenized and stored securely in NebulaCRS. The reservation is then guaranteed and sent to your PMS. Virtual cards are charged automatically via NebulaPAY, with payments posted to NebulaCRS and then synced to your PMS.
Q: When are virtual cards processed?
A: New virtual cards are checked for processing every 15 minutes. The channel provides the virtual card amount and the charge date, and the virtual card will be charged with that amount on the date specified.
Q: What is NebulaPAY and how is it configured?
A: NebulaPAY is HTI's payment processing service that handles virtual card charges and posts deposits on reservations. It is configured by HTI and works in conjunction with Peach Payments. Once a payment is processed, the deposit is posted against the reservation with a reference in the format: CRSRESNO_RandomString — allowing for easy auditing and tracking. This reference is also reflected on Peach Transactions.
Q: Where can I see virtual card details on a reservation?
A: Within Call Center, navigate to the reservation under the Payment section. Here you will be able to see whether a VCC is attached to the reservation, the charge date, and whether the charge was successful (Yes or No).
Q: What happens with non-virtual credit cards?
A: Non-virtual credit cards are processed as per your normal standard operating procedures (SOPs). Future development includes enabling guests to pay directly via Peach Payments using the tokenized card. Using the channel payment letter email template, the guest will be sent a secure payment link derived from their card token, through which they can complete their payment directly.
Q: What about reservations received before NebulaPAY and PCI Proxy were enabled?
A: Only reservations received after NebulaPAY and Peach PCI Proxy have been enabled for your property will have credit card details and automatic VCC processing. Reservations received prior to activation will need to be processed manually, unless the booking was subsequently modified on the channel — in which case the updated reservation will pass through the proxy and card details will be captured.
Q: What if we do not want PCI Proxy or automatic VCC charging?
A: That is perfectly fine. NebulaPAY and automatic VCC charging do not need to be configured and are enabled on a per-property basis. However, reservations from channels will still need to pass through the Proxy URLs regardless. This ensures that if credit card details are received, they are captured and stored securely — even if no automatic processing is configured.
Q: Is PCI Proxy enabled for all properties automatically?
A: No. PCI Proxy and NebulaPAY are enabled on a per-property basis. Contact HTI to have these configured for your property.
Q: What should I do if a virtual card payment fails?
A: Your property operations team should check the reservation memo on the PMS, CRS, or Property Notification memo to resolve the issue. If necessary, retrieve the card details from the channel extranet and process the payment as per normal SOP.
Q: What should I do if no deposit is posted but I can see the payment in Peach Payments?
A: Follow these steps: (1) Check the reservation memo for any errors. (2) Check if the deposit is on the reservation in NebulaCRS or the Call Center. (3) Check if the deposit is on the PMS interface monitor. If you still require assistance, contact the HTI connectivity team at hticonnectivity@htihospitality.tech.
Q: Is HTI PCI compliant?
A: Yes. HTI is PCI DSS compliant (SAQ D Service Provider). We work in strategic partnership with Peach Payments (PCI DSS Level 1) to ensure the highest standards of data security and end-to-end encryption for all transactions. HTI holds a PCI DSS AOC for SAQ D Service Provider (2026).
Q: Will I be able to see credit card details?
A: No. All credit card details are stored within a secure token. Neither your property staff nor HTI has access to raw card numbers at any point.
Q: What is a card token?
A: A card token is a randomly generated string of characters that acts as a secure substitute for a real credit card number.
When a guest's card details pass through Peach PCI Proxy, the actual card number (PAN) is replaced with a token — for example, something like tok_4f8a2c19e3b7. This token is what gets stored in NebulaCRS instead of the real card data.
The token has no value on its own and cannot be reverse-engineered back into a real card number. Only Peach PCI Proxy can "look up" what card it refers to and use it to process a payment.
In practice this means:
HTI NebulaCRS can store and pass around the token freely without any PCI risk
When a payment needs to be made, the token is sent to Peach, who resolves it back to the real card and processes the charge
The guest never sees the token — it's purely a backend reference
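The token model described above can be sketched as follows. This is an added example, not HTI's or Peach's code: `TokenVault`, `find_pan_leaks` and the token layout (`tok_` plus 12 hex characters) are assumptions for illustration. It shows a random token with no mathematical link to the card number, plus a check that stored reservation fields contain no Luhn-valid card number.

```python
import re
import secrets

def luhn_ok(digits: str) -> bool:
    """Luhn checksum used by payment card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0

class TokenVault:
    """Stand-in for the proxy side: the only place where PAN and token meet."""
    def __init__(self):
        self._by_token = {}

    def tokenize(self, pan: str) -> str:
        pan = re.sub(r"[ -]", "", pan)
        if not (pan.isdigit() and 13 <= len(pan) <= 19 and luhn_ok(pan)):
            raise ValueError("not a valid card number")
        token = "tok_" + secrets.token_hex(6)   # random, not derived from the PAN
        self._by_token[token] = pan
        return token

    def charge(self, token: str, amount_cents: int) -> dict:
        pan = self._by_token[token]             # unknown token -> KeyError
        return {"status": "charged", "amount_cents": amount_cents, "last4": pan[-4:]}

# 13 to 19 digits, optionally separated by spaces or dashes
PAN_LIKE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")

def find_pan_leaks(record: dict) -> list:
    """Return the field names whose text contains a Luhn-valid card-length number."""
    leaks = []
    for field, value in record.items():
        for m in PAN_LIKE.finditer(str(value)):
            if luhn_ok(re.sub(r"[ -]", "", m.group())):
                leaks.append(field)
                break
    return leaks

if __name__ == "__main__":
    vault = TokenVault()
    tok = vault.tokenize("4111 1111 1111 1111")      # standard test card number
    reservation = {"res_no": "CRS-EXAMPLE-1", "card_token": tok, "memo": "VCC attached"}
    print(reservation, find_pan_leaks(reservation))  # constructed sample record
```

A scan like `find_pan_leaks` is most useful on free-text fields such as memos, where a card number typed in by hand would bypass tokenization.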
Q: Can other payment gateways read card tokens from PCI Proxy?
A: No. Tokens generated by Peach PCI Proxy can only be read and processed by Peach PCI Proxy. They are not compatible with or transferable to any other payment gateway.
Q: Which channels support virtual card auto-processing?
A: The following channels are supported for virtual card auto-processing: Booking.com, Expedia, Agoda, Hotelbeds, Flight Centre, and SU/Staah. If a channel sends virtual cards, they will be handled automatically. Booking.com is the first live channel, with others to follow.
Q: Are there other PCI Proxy services available for card details?
A: Not at this stage. Peach PCI Proxy is the only supported service for securing card details within the current NebulaCRS integration.
Q: What about local channels or channels connecting directly to NebulaCRS?
A: Local channels or channels connecting directly to NebulaCRS will need to contact the HTI product team for more information and will be reviewed on a case-by-case basis. Please reach out to products@htihospitality for guidance.
Q: Can virtual cards be processed manually?
A: No. Virtual cards cannot be processed manually. They are handled automatically through NebulaPAY and the Peach payment gateway on the charge date specified by the channel.
Q: What about guest cards being processed automatically or manually?
A: Auto and manual processing of guest (non-virtual) cards is planned as a future development item and will be communicated once available.
Q: What future payment processing options are planned?
A: Two options are in development: (1) a card token sent to the guest so they can make payment directly through Peach Payments, and (2) a manual non-VCC processing button in the Call Center reservation screen using the CC token.