Is Your Book Now Button Failing the Booking Security Test?

How do you know if your booking web security is broken, out of date, appears unencrypted, or displays scary warnings messages? The only answer is to test, configure, and test again. This post is for hotels, tour operators, tourist attractions, and travel agents who accept bookings online.

Book Now Button Security Test Post

Don’t lose bookings due to a problem with your “Book Now” page security. Would you book a B&B if you got a warning about the encryption being obsolete? How about paying for a day tour using a credit card entry page that looks as if it is hosted on an insecure URL? I wouldn’t and many of your web-savvy customers feel the same. Stop booking abandonment due to your security failings with this travel industry guide.

Learn how to detect and fix your booking button and travel website security. Take this quick test to make sure that you are not losing hotel, B&B, tour, attraction, or any online trip booking due to fixable security mistakes.

Test #1 – Is Your Booking Page Encrypted using SSL over HTTPS?

Yes that’s a lot of acronyms, but it’s simple to understand and test. Browse to your direct booking page. You know – the one that is linked from your Book Now button. Act like a typical travel consumer who decides to make a booking and is convinced to book direct (aside: read my how to get more direct bookings post).

On the booking page that asks for dates, names, or payment information, look at the URL bar of your browser and ask yourself if it looks secure.

Chrome Browser Booking Page SSL Connection Valid

Does the URL start with HTTPS:// or does HTTP:// (note the missing S from “Hyper Text Transfer Protocol Secure“) appear at the beginning? Consider the difference. People are taught to look for URLs that begin with HTTPS as an indication that the request and response (the information sent and received over the public Internet) are transmitted over an encrypted communications channel. That is what is meant by SSL or secure sockets layer encryption. If your URL does not start with “https://” and therefore your booking page does not use SSL to protect personal and financial data, find out why.

Next look for the padlock graphic which tells people that the Web connection via the Internet is encrypted in both directions. People are also taught to look for the padlock icon before they make an online purchase as confirmation that a web page is safe and secure. The location of the padlock security icon varies based on whether you are using Chrome, Internet Explorer, Firefox, or Safari. Typically it is next to the URL but it may be at the bottom in some older browsers.

Here is an example of a hotel booking enquiry page that fails the test. It is supposed to be encrypted since the link is specified as https. Unfortunately the encryption is not happening as indicated by the x across the padlock and “https” crossed out in red. Clearly the security is broken so what is that telling travelers who were almost ready to make a booking?

Booking Equiry https and padlock crossed out

Firefox page level security information looks different than how Google’s Chrome browser displays it when the padlock is clicked. Here is an example of how Firefox may be warning your potential guests about the lack of a fully secure booking engine.

Firefox Hotel Booking Engine Page Encryption Details

Test #2 – Is Your SSL Certificate 100% Compatible and Up to Date?

Having a website which can accept personal information and payment details securely is an absolute must. You hopefully passed test number 1, but have you inspected your SSL certificate lately? Remember, the SSL certificate is what enables your website to communicate using encryption without anyone listening in. Is it valid, non-expired, and using the latest technology?

Unfortunately many times I uncover B&B and tourist attraction websites that are using an obsolete certificate. It may be using an older technology standard or not be fully compatible with all the latest browser requirements. I often stop to think whether I should trust the site, especially if I’m looking to book a hotel or tour using a public Wi-Fi connection. Someone might be listening in and I don’t like to take any chances while on vacation.

To test take a look and see what your own site’s SSL implementation says about security. Is it throwing up warnings and indicators that the encryption may not be as complete and foolproof as you thought? Here is one reservations system that makes me a bit uneasy since it is both encrypted and not encrypted at the same time. How is that even possible?

Reservations System SSL Encrypted or Not Encrypted Wording

The best way to test is to go a step deeper beyond just looking for the visual padlock indicator like in Test #1. Click on the padlock icon (left or right-click to inspect depending upon browser and operating system) to view the SSL certificate properties window. What does it tell you? Does it say anything worrisome that would make a travel consumer pause and reconsider before they decide to input their credit card number?

For example in this screenshot of a hotel with a reservations request form page, the SSL info pane is warning your visitors about potential security failings. While the connection may be SSL and secure in general, it is not up to date according to the Chrome browser. Yes in reality it may be good enough for now, but that doesn’t mean you won’t scare off a few people that were otherwise ready to make a booking.

Hotel Inquiry Form Obsolete SSL Encryption

Test #3 – Is Your Booking Engine Hosted in a Frame on an Insecure Page?

Are you hosting your booking engine within a frame on your website? A frame is what it’s called when you embed one website inside another. Both the outer frame and the inner frame have their own URL so it’s like looking at two websites at once. Just like you can embed a photo or video onto any web page, you can embed a completely different website inside a box called an HTML frame or Iframe element.

In this odd setup when someone clicks your “Book Now” button, the booking form is shown inside a box surrounded by your website content. There is no border so it looks like one page and one website when in fact the visitor is looking at two different websites at once.

This technique is sometimes done when your booking engine vendor uses an embedded hosting option. So the advantage is that people think they haven’t left your website to make a booking. The bad thing is that the security signals get lost with this setup. It helps to show an example of a hotel website that hosts their booking web page in an iframe.

Hotel Booking iFrame No Padlock SSL

It appears at first glance that the visitor is still on the hotel’s website since the URL (the domain part; redacted to protect privacy) listed at the top doesn’t change from when they were reading about the hotel’s rooms and rates. The problem arises because this site is hosting mixed content – secure and not secure – at the same time.

The example hotel website above is not encrypted which is normal while the framed booking engine is configured to be encrypted using SSL as it should be. This complex security setup may not be obvious to your guests since by default a browser only displays the security for the parent or top-level frame.

Remember that the user only sees the URL in the bar at the top of the browser which makes it seem that the combined web page is NOT encrypted. Plus there is no padlock icon to show that encryption is working. Sending mixed messages by using a frame for your booking system looks insecure even if it is completely secure. This might stop a potential booker in their tracks when they look for but fail to find the secure URL or icon.

This type of booking engine integration is fortunately becoming less common as there are few reasons to put your booking form in an html frame. There are better and more standard ways to integrate with your booking system vendor. Give them a call if you are still using this method.

The most common way if you cannot seamlessly integrate your booking engine into your website is to hyperlink to it. When a travel consumer is convinced to click the “Book Now” button, they can be taken to your hosted booking page which is branded with your hotel or travel business name. A best practice is to open your booking inquiry, availability, or direct booking page in a new window or browser tab. That way anyone can refer back to your hotel or tour website details without losing their place in the booking process.

Test #4 – Is the Mobile Version of Your Website Equally Secure for Bookings?

This last test is critical because every year more and more bookings and booking inquiries are made via a smart phone, cell phone, mobile device, or tablet. Are smart watches next? They all handle web browsing and security in a similar way. When someone visits your website in a mobile browser, the device will request your mobile-friendly website. Whether you have a separate mobile web template or if your website scales automatically to fit a small screen, you need to test mobile security too.

Even if your website looks less than perfect on mobile (save that task for another day), your security must still be trustworthy. The example to follow is one of the major online travel agency (OTA) sites since they have the staff and resources to get it right.

Here is a screenshot from showing the Book Now screen. By clicking on the padlock or via the site or security info button in the menu, any user can check to verify that the booking process is secure on mobile.

Hotel Mobile Booking Site Security SSL Info

You can’t be expected to own every type of smart phone and mobile device for testing so you’ll have to ask for help to take this test. You’ll want to click from your own website to your direct booking page on the most popular devices. This includes iPhone, iPad, Android phone and tablet, Windows mobile, and hopefully a few models (old and new) of several devices. To find out which devices are most popular among your own visitors and guests, use Google Analytics or Webmaster Tools to view the “Mobile Devices” report.

Test to make sure that the same security that works on desktop browsers also works equally well on mobile. It pays to offer the same assurances that your mobile booking engine is SSL encrypted, secure, and trustworthy regardless of device. You can also use this opportunity to test if your mobile booking forms are compatible with different browsers because if they don’t scale well or can’t be used on certain devices, you are bound to lose bookings.

Booking Security Test Results

So how did you do? If you accept hotel reservations or tour, attraction, and vacation packages bookings online, it is critical pass the browser security checks. It may be impossible to calculate how many bookings are lost when visitors detect a security lapse or flaw and abandons a booking due to real or perceived security failings.

When a potential guest does not trust that your website and booking process are safe, they are more likely to browse and book elsewhere. If you’re lucky they’ll complete a booking using their favorite OTA website instead, saving you a booking but costing you the could-have-been-avoided commission. If you are not lucky, the person will book their second choice hotel or tour and you’ll have no idea what happened.

Bonus Tip: Test with Norton and Popular Internet Security and Anti-Virus Software

Many consumers have installed anti-virus software packages that scan for malware, spyware, and provide browser plug-ins to protect their customers. When they browse the Web these security utilities will verify that a domain is trusted while blocking unsafe sites. The popular Norton application that I use and recommend for comprehensive Windows and Web security has a “Safe Web” feature that does just that.

Have you tested to see if your website is listed as trustworthy and safe by Norton? Unfortunately with this hotel booking site example, the safety report says that the website is lacking in privacy and encryption. Do you think this warning is enough to lose bookings?

Norton Safe Web Hotel Encryption Warning

Booking Security Summary and Your Thoughts

Busy professionals and business travelers won’t have the patience to deal with your security lapses. Given the far too numerous website hacks in the news recently, there is a strong demand for e-commerce web security when a credit card is required to make a booking. Your travel site needs to pass these tests to gain more booking conversions and to protect your customers now and in the future.

It is essential that you consult with an IT and web hosting expert to implement the optimally secure option for your travel booking website. Disclaimer: Every website is different so only a web security specialist can offer the solutions to protect your tourism business and your customers.  Talk to your web hosting company or website design firm and ask the tough questions so you can pass all of the above tests.

And once your encryption, hosting, mobile, and travel web security improvement have been implemented, test regularly to be sure you are offering the level of privacy and security expected by travelers around the world. Add your comments below to describe your own booking security concerns and suggested improvements.

Leave a Comment:

Get "101 Tips to Get More Bookings" with our Email Training Series (Free)