OAI / sig-travel

A repo for managing the travel working group within the OpenAPI Initiative (OAI)

Define the security issues for intermodal and/or cross vertical interactions #40

Open swaldron58 opened 2 years ago

swaldron58 commented 2 years ago

The team has stated the need to define the API behavior needs for interoperability between travel verticals such as hotel, air, car, rail, cruise, tours and so on. A hotel booking, for example, is a hotel booking no matter if requested by a traveler or an airline. An air booking is an air booking if requested by a traveler or a rail operator to make a connection. Or are they?

The team quickly identified several issues around security. A major issue is the handling of PII data and following GDPR and similar regulations. The use case could be a traveler contacts a hotel to make a reservation but also would like to add some tours and the air/rail booking to get there. The hotel operator has the credentials of the traveler and has the permission to use that PII data but must be careful in how to do a booking with another service provider on the traveler's behalf. Of course this happens today via a travel agent (multi bookings on behalf of the traveler), but I can say from experience there are already GDPR issues with what is done today. For example, the "forget me" request largely does not work.

The team also noted concerns over how we handle data level security. Who can see what in the bookings? The need is to create user stories that illustrate the security and PII issues.