BookNow: enhanced credit card collection — what’s changing and what you need to do


Summary

We’re rolling out a new, more secure way to collect credit card details inside the BookNow widget. Right now it’s optional — you turn it on with a checkbox in your BookNow settings.

Later this summer (target: August 1st 2026), enhanced credit card collection will become mandatory for all properties. Please switch over sooner rather than later so you have time to test on your live site without time pressure.

For the new mechanism to work, you also need to tell us which website(s) embed your BookNow widget — the Allowed Origins list. This document walks you through both.

Why is this changing

The new mechanism keeps raw card data out of your hotel's website and out of our servers. The card number goes straight from the customer's browser into a dedicated, isolated iframe served by our PCI-compliant tokenization partner, which hands back a token. We only ever see that token, never the raw card number.

What you need to do

Step 1 - Access BookNow Setup

  1. Go to Manage
  2. Access BookNow
  3. Click on Go to Setup

Step 2 — Enable the new mechanism

In your BookNow settings page, there are two new fields underneath the BookNow On/Off toggle:

  1. Tick Enable enhanced credit card collection.
  2. Fill in Allowed Origins (see Step 3 below).
  3. Save.

Step 3 — Set the Allowed Origins list

For security, the new iframe will only run on websites you've explicitly approved. List those websites in Allowed Origins as a comma-separated list of origins: https:// followed by the hostname, and nothing else.

Format rules:

  • Must start with https:// (insecure HTTP URLs are not allowed).
  • No trailing slash.
  • No path — e.g. https://example.com/booking → https://example.com.
  • Lowercase is recommended (we compare case-insensitively, but it’s easier to read).

Examples by hosting platform (where your website is hosted, and what to put in Allowed Origins):

  • Your own custom domain: https://www.yourhotel.com (if customers also reach the site without www., list both: https://www.yourhotel.com, https://yourhotel.com)
  • Wix: https://yoursite.wixsite.com and/or https://yoursite-wixsite-com.filesusr.com (Wix sometimes serves embedded forms via their CDN)
  • Squarespace: https://yoursite.squarespace.com (or your custom domain pointed at Squarespace)
  • Weebly: https://yoursite.weebly.com
  • Blogspot: https://yourblog.blogspot.com
  • Tilda: https://yoursite.tilda.ws (or your custom domain pointed at Tilda)
  • Google Sites: https://*-atari-embeds.googleusercontent.com (uses a wildcard; see Special case: Google Sites below)

Real-world examples of an Allowed Origins value:

  • https://www.fancyhotel.com, https://fancyhotel.com 
  • https://yourhostel.com, https://www.yourhostel.com 
  • https://*-atari-embeds.googleusercontent.com — for a property whose booking page lives in Google Sites
  • https://www.yourhotel.com, https://yourhotel-wixsite-com.filesusr.com — for a property running a Wix site that also has a Wix-CDN form

Special case: Google Sites

Google Sites doesn’t give your embedded iframe a stable URL. Every time someone loads your page, the iframe runs from a different https://<random-digits>-atari-embeds.googleusercontent.com subdomain. Listing each one is impossible, so we accept a single * wildcard in the hostname:
https://*-atari-embeds.googleusercontent.com

A single * is allowed anywhere inside one hostname label and matches any run of characters except a dot, so it can never reach across into another label or a different parent domain. https://*-atari-embeds.googleusercontent.com therefore matches only the Google Sites embed pattern, not arbitrary subdomains of googleusercontent.com. Keep the fixed part of a wildcard entry as specific as you can: an entry whose label is nothing but *, such as https://*.example.com, would let any direct subdomain of that domain load the card form. You can use the same syntax for other hosting platforms that assign random subdomains, but in practice Google Sites is the only common case we see.
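The following is an added example, not BookNow's own code, that shows what the format rules above and the single-label wildcard mean in practice: it validates an Allowed Origins value entry by entry, derives the entry to add from a URL copied out of the address bar, and matches a page origin against the list. The function names and sample values are this example's own; how BookNow obtains the embedding page's origin is not described on this page.

```javascript
// Added example (not BookNow's own code): validate an Allowed Origins value
// and match a page origin against it, following the rules on this page:
// https:// only, no trailing slash, no path, case-insensitive comparison,
// no IP addresses or localhost, and a single "*" wildcard that matches any
// characters except a dot within one hostname label. Function names are this
// example's own choices, not a BookNow API.

// Returns null when the entry is acceptable, otherwise the rule it breaks.
function validateEntry(raw) {
  const entry = raw.trim();
  if (!/^https:\/\//i.test(entry)) return `${entry}: must start with https:// (HTTP is not allowed)`;
  const host = entry.slice("https://".length).toLowerCase();
  if (host.endsWith("/")) return `${entry}: remove the trailing slash`;
  if (/[\/?#]/.test(host)) return `${entry}: drop the path, use only https://<host>`;
  if (host === "localhost" || /^\d{1,3}(\.\d{1,3}){3}$/.test(host)) {
    return `${entry}: IP addresses and localhost are not accepted`;
  }
  if ((host.match(/\*/g) || []).length > 1) return `${entry}: only one * wildcard is accepted`;
  // At least two labels, so a bare "https://*" can never be accepted.
  if (!/^[a-z0-9*-]+(\.[a-z0-9*-]+)+$/.test(host)) return `${entry}: not a valid hostname`;
  return null;
}

// Splits the comma-separated field, lower-casing entries (comparison is
// case-insensitive) and collecting one message per rejected entry.
function parseAllowedOrigins(text) {
  const origins = [];
  const errors = [];
  for (const raw of text.split(",")) {
    if (raw.trim() === "") continue;
    const problem = validateEntry(raw);
    if (problem) errors.push(problem);
    else origins.push(raw.trim().toLowerCase());
  }
  return { origins, errors };
}

// Turns a wildcard entry into an anchored RegExp: metacharacters are escaped
// and "*" becomes [^.]*, so it matches "1234567890-atari-embeds" but never
// "x.y-atari-embeds" (it cannot cross a dot) and never a longer hostname.
function entryToRegExp(entry) {
  const escaped = entry.replace(/[.+?^${}()|[\]\\]/g, "\\$&");
  return new RegExp("^" + escaped.replace("*", "[^.]*") + "$");
}

// True when `origin` (scheme + host, e.g. window.location.origin of the
// embedding page) is covered by one entry of the parsed list.
function originAllowed(origin, allowedOrigins) {
  const o = origin.toLowerCase();
  return allowedOrigins.some((e) => (e.includes("*") ? entryToRegExp(e).test(o) : e === o));
}

// Derives the entry to add from a URL copied out of the address bar: the
// scheme and host only, with path, query and fragment dropped.
function allowedOriginFor(addressBarUrl) {
  const u = new URL(addressBarUrl);
  if (u.protocol !== "https:") {
    throw new Error(`${addressBarUrl}: the card form only loads on https:// pages`);
  }
  return `https://${u.hostname}`;
}

// Constructed sample value for a property with a custom domain plus a
// booking page in Google Sites.
const SAMPLE_FIELD =
  "https://www.fancyhotel.com, https://fancyhotel.com, https://*-atari-embeds.googleusercontent.com";

const sample = parseAllowedOrigins(SAMPLE_FIELD);
console.log("accepted:", sample.origins, "rejected:", sample.errors);
for (const candidate of [
  "https://www.fancyhotel.com",
  "https://1234567890-atari-embeds.googleusercontent.com",
  "https://evil.googleusercontent.com",
  "http://www.fancyhotel.com",
]) {
  console.log(candidate, "->", originAllowed(candidate, sample.origins) ? "allowed" : "blocked");
}
```

Two things worth noticing when you run it: a sibling such as https://evil.googleusercontent.com is blocked because the fixed "-atari-embeds" part must still match, and https://www.fancyhotel.com.evil.net is blocked because every entry is anchored at both ends. The page origin a real check would compare against is the browser's notion of origin (scheme plus host), which is why an http:// copy of your site or a page on a different hostname fails even when the domain looks right.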

What you do not need to list

  • Search engines (Google, Bing, etc.), social networks (Facebook, Instagram, TikTok), payment return pages (PayPal), or OTAs (TripAdvisor, Booking.com) — these link to your booking page, they don’t embed the widget.
  • HTTP URLs (only HTTPS is supported).
  • IP addresses or localhost.

What happens if I don’t set this up?

Today: nothing changes. As long as the checkbox stays unchecked, your BookNow widget keeps working exactly as it does now.

Once enforcement kicks in (later this summer, targeting August 1st 2026): BookNow will require the new mechanism for all properties. If your Allowed Origins list is empty or doesn’t include the website your customers reach BookNow from, the credit card form will fail to load on that page and customers won’t be able to complete bookings.

The migration is two clicks and one text field, so we strongly recommend turning it on now — that way you have weeks of buffer to test on your real site, spot any embedding URL we didn’t anticipate, and adjust without disruption.

How to verify it’s working

  1. After enabling the checkbox and saving the Allowed Origins list, open your hotel website (the one customers actually use to book) in a regular browser.
  2. Start a booking through BookNow.
  3. When you reach the payment step, the credit-card field will look slightly different — it’s now an embedded iframe. Enter a test card to confirm input is accepted (don’t submit a real booking).
  4. If the iframe loads and accepts input, you’re done.
  5. If you see a blank space, an error message, or the page fails to advance, the Allowed Origins list probably doesn't include the URL you're testing from. Check the URL in your browser's address bar: the scheme and host (https://<host>, with nothing after it) is what you should add. Some browsers hide the https:// prefix in the address bar, so add it yourself when copying the value.

Need help?

If you’re unsure what to put in Allowed Origins, your site is embedded somewhere unusual, or something doesn’t work as expected after you switch it on, contact support and we’ll help you sort it out before enforcement begins.
