presale questions: is the customers PIN code not a huge security issue?

  • Resolved przla

    (@przla)


    2 years, 9 months ago

    Hi, it seems like you guys have done a great job with this piece of software. But I have some pre-sale questions that I cannot find any answers to.

    As far as I have understood from that small information base from the docs is that if a customer enters an existing PIN code the

    the billing information fields will populate automatically

    – This makes me wonder how secure this approach is and what steps you have done in the backend to handle this security issue? As I have mentioned the documentation is really really small so there are many open questions.
    – Can I just try and error to get all the fields populated?
    – Is there another way to handle this approach? For example if a customer enters a pin a background task will check if this exists- if yes, something custom will happen, – if no, nothing happens.
    – Maybe the coupon-functionality is something I am looking for. But I would like to get the list of available coupons from another server or maybe a secured file on the same server. Would that be possible?

    Other questions:
    – Do you have a changelog?
    – How heavy or lightweight is your plugin? Does it slow down a website. Based on links and reviews here on wordpress I have seen some really slow pages (but that might be due to bad configured wordpress-themes and other stuff unrelated to your plugin – but it also might be your plugin. I don’t know).
    – Can I use a calender without your Channel Manager if I just want the iCal-function?
    – Is there a community somewhere else. This place seems a bit quiet.

    Thank you very much!

    EDIT:
    – Can I change a customers PIN afterwards?

    • This topic was modified 2 years, 9 months ago by przla. Reason: added question
Viewing 1 replies (of 1 total)
  • Plugin Author e4jvikwp

    (@e4jvikwp)

    Hi,

    Thanks for your detailed questions. We are going to drop some comments to clarify some of the points you raised, but for any other technical or commercial question you may have on the Pro version of the plugin, we invite you to reach our to our team directly through our website where you will find an apposite contact form.

    PIN Code:

    The PIN code is a quite safe alternative to forcing the guests to create an account on your website to complete a reservation or to log into their existing account. The PIN code is a 10-digit unique and random number, and the probability to guess it is likely one in 10 billions (~10^10). Also, PIN codes are widely used among some OTAs too, even though they sometimes link the PIN codes to the reservation ID.
    However, for a single-vendor website where Vik Booking would be installed, this is a very safe operation we guess. Moreover, in terms of security against brute-force attacks, we secure the AJAX endpoint with a CSRF token to prevent bots from trying to guess a PIN code.
    Lastly, the PIN code will reveal just the latest billing information used, it will not grant access to any administrative section. As you’ve noticed, there’s a dedicated configuration setting in case you want to turn off this feature, and of course the PIN code is something that could be modified at any time for any customer from the apposite back-end customers management page, which is only available with the Pro version of our plugin.
    If you visit the official demo website of Vik Booking you can see how the PIN codes can be modified for each customer.

    Coupon codes:

    The valid and accepted coupon codes must be saved on the same WordPress database where Vik Booking is installed. However, with a custom Cron Job you could have such codes imported from an external server and stored onto your database. With the Pro version of Vik Booking it is possible to declare a custom Cron Job by creating a custom WordPress plugin that uses a specific hook triggered by Vik Booking when loading the Cron Jobs framework, which is based on the official WP Cron system. We are about to release an update for Vik Booking (version >= 1.5.10) that will improve the whole Cron Jobs framework.

    Changelog: we do have one, and you can find it in the official trunk directory of the plugin. The file is called changelog.md, and we have one for the whole plugin as well as one for our own PHP libraries.

    Heavy or Lightweight: Vik Booking is definitely a lightweight plugin, which was coded with the attention to efficiency in over 10 years of experience with properties of any size. For example, we’ve got some clients that have been using our full solution comprehensive of the Channel Manager for years, who manage hundreds of Airbnb listings, something like 800+ listings or 200+ Booking.com accounts. They count millions of reservation records stored in Vik Booking, but the efficiency and the performances of our software are always at the top. Of course what gets bigger in these cases is the size of the database, but for regular properties with around 50 rooms or less, you can expect an average growth of the database by a few MBs per year.
    For sure we cannot control the speed or the connectivity bandwidth at software-level, but we can guarantee our plugin is fast. Not sure what links or pages you saw, probably some staging websites from questions posted to this forum, but we do not have any public portfolio section on our websites because ours is a commercial plugin which is most of the times delivered to the property managers by webmasters, programmers, designers, web-agencies etc..

    Community: we don’t have a community on our websites, but we do have a Support Board for our clients who can use it to open support tickets at any time.

    Feel free to get in touch with our team should you have any other technical questions. Thank you!

    The VikWP Team

Viewing 1 replies (of 1 total)
  • The topic ‘presale questions: is the customers PIN code not a huge security issue?’ is closed to new replies.