Credit card safety and cyber attacks in travel – everyone must take responsibility
Cyber attacks and data breaches are on the rise, with some reports showing that restaurants, retail, and hospitality were top targets for criminals for the fourth year in a row.
The target of these criminals is predominantly credit card and identifiable customer data.
According to the 2012 Global Security Report from Trustwav, however, the vector for obtaining access to the target data was not direct network attacks but through malware unsuspectingly installed by workstation users or staff.
In a recent article, I discussed the lack of payment systems for small tourism businesses and the effect that this has on local economies and access to diverse travel products.
But payment systems are nothing compared to the complexity and arbitrary interpretation that is PCI compliance and the world of credit card data security.
Given the global nature of travel and the vast diversity of merchants that make up the travel supply chain, is credit card security simply too difficult to achieve?
The Payment Card Industry Council is an organization made up of all the major credit card brands. They have developed a set of minimum security requirements to which every merchant who accepts credit card payments must adhere.
The purpose of the PCI data security standards (aka DSS) is to ensure that a minimum level of security is maintained when processing, transmitting, or storing credit card data.
The reason for the security standards is to improve awareness of the importance of security credit card data and to protect consumer credit card data from criminals.
The PCI DSS v.2, released in October of 2010, is a detailed 75-page document that outlines each security requirement and appropriate testing criteria. Reading and understanding the document is no easy task, which is why Qualified Security Assessors (QSA) and Approved Scanning Vendors (ASV) were created.
These specialized security companies, such as Trustwave, exist primarily to assist businesses to navigate the sometimes complex path to PCI DSS compliance. For small merchants, they provide vulnerability scanning and self assessments and for larger merchants they provide full onsite auditing and documention services.
In order to be PCI DSS compliant, every merchant or service provider must use the services of a QSA and ASV to validate compliance.
Thankfully, PCI auditing requirements are tiered based on the volume of transactions handled by the merchant or technology provider. For small businesses, the costs of auditing compliance are quite low, perhaps a few hundred dollars are year.
For larger merchants (those processing 6,000,000 or more transactions) or larger service providers (those handling over 300,000 transactions annually) the costs of Level 1 PCI compliance can range from $15,000 to $250,000 or more per year.
The amount will vary based on what PCI refers to as scope and the number of physical locations that need to be audited. Merchants or service providers that have a limited scope and only one physical location will have lower auditing requirements than one that has to certify it’s own data center environment and several offices.
The number of transactions and how the transactions are made will determine the type of security requirements a merchant must have in place. What is not known by many travel related companies is that capturing credit card information online in any way, means that the merchant is an ecommerce merchant and is subject to additional security requirements.
Even if the business is not an online merchant, the security of their supply chain can impact their compliance. For example, if you are a travel agent taking credit card information over the phone from a customer for a vacation package, you have to control how that credit card information gets used through your supply chain.
But PCI compliance is only valid if the entire credit card information flow is PCI compliant. This means that everything from the hosting environment, website, payment system, gateway, and reservation system needs to be PCI compliant.
What to do
There are several ways for businesses, especially those in the tourism industry to ensure they are protecting valuable customer credit card data.
Firstly, all businesses should be processing card payments through compliant payment gateways. Many travel related businesses tend to hold on to credit card information in order to process payments over time.
Although this is fairly common practice, it is frowned upon because of the risk to the card holder information. Many modern payment processors now offer recurring payment support. In this case, the original transaction is used to establish the payment profile and issue a token (in place of the credit card data).
The business can process additional payments to the same profile by sending the token along with appropriate payment details. This type of process is most common in higher priced packages or tours where multiple partial payments are made over time.
Still other businesses, including those in the daily activity space, capture credit card information at the time of booking which then gets processed at a later time, for example when space or weather conditions are confirmed.
The most common reason for this is so that the operator doesn’t have to refund the credit card if the tour cannot be confirmed or is likely to be cancelled prior to the tour date.
Real-time and up-front
This problem can be solved in two parts; firstly ensuring that availability is managed in real-time so that post booking confirmation is not required and secondly, by processing payment upfront and then refunding only when required.
The challenge of course is if the business has a very low confirmation rate, then this may result in more refunds than the operator may like, however, if that is the case, then the operator may need to evaluate the reasons for this and work on improving their processes.
Replacing any written credit card processes with electronic versions that use either a card swipe terminal or virtual terminal. As I mentioned in my payments article, there are many new service providers such as Square and PayPal Here that now support mobile credit card processing using smartphones.
These systems protect customer card data and ensure an electronic transaction trail that can be used for auditing and reporting purposes later.
Lastly, for all electronic transactions, look at what systems touch customer credit card data and be sure they are PCI compliant. Using a service provider that is already PCI compliant means that the business doesn’t need to worry about the portion of the process managed by the service provider.
This may be the website hosting provider or the software as a service reservation platform. The Trustwave 2012 Global Security Report says:
“The majority of our analysis of data breach investigations – 76% – revealed that the third party responsible for system support, development and/or maintenance introduced the security deficiencies exploited by attackers.”
As the report states, it is not uncommon for service providers to inadvertently put their customer businesses at risk. In this case, for example, the most vulnerable businesses are small businesses who generally outsource their infrastructure and systems to third parties.
To ensure compliance, the business should ask for evidence of compliance. This means ensuring that the systems meet compliance for the services that they provide for the business.
In other words, if the service provider is a reservation platform, the business should be ensuring that the service provider is being audited and is compliant as far as transmitting payment information on behalf of the operator. This is known as service provider compliance rather than merchant compliance.
At the end of the day, the security of the traveler should be the number one priority of any travel business. Whether the business is an airline, a hotel, an excursion operator, or a travel technology provider, if the business has reason to process, transmit, or store credit card information, it should be looking to not only meet but exceed PCI DSS best practices.
As more innovators look to develop systems for the travel industry, they need to keep in mind that consumer trust in travel is dependent on our ability, as an industry, to help ensure security throughout the entire purchase life cycle.
If consumers lose faith in the security of their credit card information, the travel industry, which is dependent on credit card transactions, will be negatively affected.
Stephen Joyce is a contributing Node to Tnooz and has been working as a travel and tourism technology consultant since 1995. Stephen is the CEO of Rezgo.com, a cloud based software as a service reservation and booking platform for tour and activity providers.
Stephen is the Board Chair of the OpenTravel Alliance.
Stephen is a graduate of Capilano University, is a certified commercial pilot, and holds a certificate in IT Management. His personal blog is the Travel & Tourism Technology Trends.