PCI Pal chief information security officer Geoff Forsyth on giving your company the best protection possible
Businesses are often reminded of the importance of protecting sensitive customer data, particularly when hacks and data breaches are hitting the headlines. News of this kind has become a regular occurrence and serves as a stark reminder of the importance of assessing your data security practices for potential vulnerabilities.
For the travel industry, a high profile reminder came only recently when the Information Commissioner's Office (ICO) announced its intention to fine British Airways £183 million over a breach disclosed in September 2018. Attackers diverted traffic from the airline's website to a fraudulent site, harvesting the personal and payment card details of approximately 500,000 customers.
The proposed penalty, issued under the General Data Protection Regulation (GDPR), amounts to around 1.5% of British Airways' worldwide turnover for the previous financial year.
We need to be mindful that the travel industry is an attractive target for attackers regardless of the size of your business. After all, you handle a significant amount of personal data on behalf of your travellers: bookings require customers to provide contact details, passport numbers, insurance policies, payment information and, in some circumstances, even medical information.
Ensuring thorough data handling and security practices are in place is not only important from a compliance perspective (to avoid potentially hefty fines), but also from a consumer trust and reputational perspective.
Having recently surveyed 2,000 UK consumers, we found that 35% of those interviewed cited the travel industry as one of the industries they consider to be the least secure with personal data.
With this in mind, how can travel companies build and safeguard their reputation among a wary public, while providing the reassurance that customers will value in terms of the way their personal data is being managed?
Are you compliant?
Firstly, developing and maintaining good data security procedures and policies is a continuously evolving task; there isn’t a silver bullet that will solve all of these issues. Ensuring that you comply with regulations should be a paramount concern.
The Payment Card Industry Data Security Standard (PCI DSS) is a particularly good place to start your data security journey. While compliance with the GDPR is still relatively new, the PCI DSS has been in place since 2004 to support businesses in maintaining strict and diligent data security procedures for the way customers' payment card information is handled.
In my view, adhering to the PCI DSS offers the most practical first step on the journey to comply with the very latest data security rules. In doing so, it helps you stay ahead of the curve when it comes to the continually evolving pressure of information privacy.
The standard was designed to govern the protection and handling of cardholder data and to reduce fraud. It applies not only to web-based customer service but also to more traditional channels, such as telephone-based contact centres, which are still widely used throughout the travel industry.
What needs to change?
Getting the most from PCI DSS means moving away from compensating controls. The standard permits them (see its Appendix B) as an alternative where a requirement cannot be met because of a legitimate technological or business constraint, but each one must be documented, justified and revalidated at every assessment. Research conducted by Verizon shows that organisations that suffered a security breach were more likely to be relying on compensating controls, for example using 'pause and resume' on call recordings when taking payment information over the phone.
The same Verizon whitepaper found that 60 percent of organisations still use the outdated 'pause-and-resume' approach to avoid storing sensitive data in telephone call recordings.
In the short term this may work as a stopgap, but it is not a reliable long-term solution. A compensating control only narrows a gap in the standard's requirements; it does not itself prevent fraud or breaches, and an agent who forgets to pause, or a recording system that fails to honour the pause, leaves full card details sitting in storage. The business, its reputation and its revenues therefore remain at risk.
Descope your contact centre
Approaching PCI DSS properly removes the need for a stopgap; it resolves the underlying problem instead. The first step is to work out how to take your organisation off the target list. Rather than relying solely on keeping attackers out, focus on encrypting the data you must hold and, wherever possible, on ensuring there is no sensitive data for them to take in the first place.
If descoping technologies are used for payments handled via a contact centre, sensitive payment card data never enters your environment: agents, call recordings, desktops and CRM systems never see the full card number, so those systems fall out of the scope of your PCI DSS assessment and the data is no longer there to be stolen. The responsibility does not disappear entirely; the provider that handles the card data on your behalf must itself be PCI DSS compliant, and PCI DSS Requirement 12.8 still obliges you to maintain a list of such service providers, agree their responsibilities in writing and monitor their compliance status.
Where this is delivered through cloud-based services that integrate with your existing telephony and payment infrastructure, the process is transparent to the agent and the customer and adds little in-house IT burden or systems management.
Ultimately, complying with standards such as PCI DSS and GDPR should be your number one priority when looking to insulate your organisation and your customers from the dangers of data breaches.
By staying within the bounds of these carefully considered standards, and by keeping sensitive data out of your environment wherever you can, you give your company a strong, defensible foundation for protecting the people who trust you with their data.
What is the Payment Card Industry Data Security Standard (PCI DSS)?
- PCI DSS is the worldwide Payment Card Industry Data Security Standard that was set up to help businesses process card payments securely and reduce card fraud.
- This is achieved through enforcing tight controls around the storage, transmission and processing of cardholder data that businesses handle.
- The first version was published in December 2004. The standard is maintained by the PCI Security Standards Council, founded in 2006 by the five major card brands: Visa, Mastercard, American Express, Discover and JCB.
- It governs the protection and handling of cardholder data and seeks to reduce fraud.
- The Standard applies to Web-based customer service and more traditional methods, such as telephone contact centres.
- Non-compliance can result in fines or even the removal of a business’s right to handle card payments.
- The standard comprises 12 requirements, grouped into six control objectives. They include installing and maintaining a firewall configuration to protect cardholder data, not using vendor-supplied defaults for system passwords and other security parameters, encrypting cardholder data in transit across open, public networks, and protecting all systems against malware with regularly updated anti-virus software.