Compliance with payments regulation is a critical part of your responsibility to your customers and their data, writes Andrea McGeachin, commercial director of Ixaris
Payments regulations are probably the last thing on your mind. Running your business, speaking to suppliers, selling to your customers and addressing the issues that tangibly affect your organisation’s bottom line are your main priorities.
Compliance with payments regulation however – and in particular, PCI DSS – is a main priority, and a critical part of your responsibility to your customers and their data.
Maintaining customer trust
The Payment Card Industry Data Security Standard (PCI DSS) affects all travel businesses globally that handle card-based payments – that’s just about everyone. Airlines, hotels, OTAs and corporate travel bookers must all comply with these standards, which are designed to protect cardholder data.
Compliance with PCI DSS demonstrates that your firm is doing the utmost to keep valuable cardholder data secure, minimising the fraud risk for your customers. The public disclosure of data breaches can create considerable reputational damage – if customers know that a travel firm cannot be trusted with cardholder details it’s highly probable they’ll take their business elsewhere.
While the scale of the requirements differs according to the size of your business, Visa, MasterCard and the other card schemes can levy significant fines on any travel business that fails to comply. These can reach six figures for large organisations that repeatedly offend. In extreme cases, businesses can have their merchant services withdrawn, which could be a death sentence for some firms.
Can consumers trust travel firms with payments?
The travel industry has been slow on the uptake compared to other sectors in dealing with PCI DSS. Travel market research firm PhoCusWright conducted a global study of over 1500 organisations from across the travel industry value chain. Only 10% of travel suppliers and a marginally higher percentage of travel retailers considered PCI compliance a major payments challenge. Even worse, more than half of businesses surveyed were not even aware if their payments systems complied with PCI DSS.
The biggest payments concern for travel businesses is credit card fraud. Less than a fifth of online travel sellers report no online fraud and around half of traditional agencies report at least some fraud. Understandably, fraud is high on the agenda. Yet the fact of the matter is that if you want to reduce fraud, complying with PCI DSS is a very good place to start.
The seismic shift in the travel industry from offline to online bookings has presented tremendous opportunities for travel businesses, but also threats. Cyber crime is on the rise and many criminals view the travel sector as a soft target.
In recent years major organisations from numerous industries have hit the headlines after significant cardholder data breaches, with PCI DSS fines levied on numerous occasions. The travel industry has remained relatively unscathed so far, but it’s only a matter of time before it receives its own wake-up call.
A public data breach at a major travel organisation would have damaging consequences for the whole sector. The last thing the travel industry needs – especially in times of economic turbulence – is for customers to lose trust.
Ensuring that your company does not fall foul of PCI DSS
You don’t have to be an accountant or compliance officer to understand the main requirements of PCI DSS. Some major OTAs still send full cardholder data (card number, sort code, card verification code – the lot) via fax. It doesn’t take years of experience in payments compliance to realise that this presents a huge fraud risk. But these kinds of processes are by no means atypical of the travel industry.
First and foremost, read the documents that the PCI Security Standards Council (PCI SSC) provides on PCI DSS. The Council also provides helpful self-assessment questionnaires and a chart showing the tools available to help with compliance.
A route many travel firms choose is to implement automated payments infrastructure that uses strong encryption. Several payments providers offer such solutions tailored specifically to the payments challenges of the travel industry.
Many travel businesses fall foul of PCI DSS by retaining cardholder data for extended periods so that they can process payments in batches. While it’s easy to see the benefits of batch processing from an operational standpoint, it involves unnecessary additional risk. The best payments companies now process payments in real time so that the fraud risks are minimised.
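The two practices just described, holding full card details for batch processing and keeping the card verification code at all, are exactly what a PCI DSS assessor would look for in a travel firm’s stored bookings. The audit below is an added illustration, not code from Ixaris or the PCI SSC; the booking records are constructed test data with the well-known test card numbers, and the one-day retention threshold is an assumed policy value.

```python
import re
from datetime import date

# Constructed sample of stored booking records, as a travel firm might hold
# them while waiting to process payments in a batch. The PANs are the
# standard Visa/MasterCard test numbers, not real cards.
RECORDS = [
    {"booking": "TRV-1001", "pan": "4111111111111111", "cvc": "123",
     "stored": date(2024, 1, 3)},
    {"booking": "TRV-1002", "pan": "411111111111111X", "cvc": None,
     "stored": date(2024, 1, 20)},
    {"booking": "TRV-1003", "pan": "5555555555554444", "cvc": None,
     "stored": date(2024, 1, 21)},
]

def luhn_valid(digits: str) -> bool:
    """Luhn check: separates real card-style numbers from random digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0

def mask_pan(pan: str) -> str:
    """PCI DSS allows at most the first six and last four digits to be shown."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]

def audit_record(rec: dict, today: date, max_days: int = 1) -> list:
    """Flag a stored full PAN held longer than the assumed retention limit,
    and any stored CVC, which PCI DSS never permits after authorisation."""
    findings = []
    pan = rec["pan"]
    if re.fullmatch(r"\d{13,19}", pan) and luhn_valid(pan):
        held = (today - rec["stored"]).days
        if held > max_days:
            findings.append(f"{rec['booking']}: full PAN {mask_pan(pan)} held {held} days")
    if rec["cvc"]:
        findings.append(f"{rec['booking']}: CVC stored after authorisation")
    return findings

def audit_all(records: list, today: date) -> list:
    """Run the retention and CVC checks over every stored booking."""
    return [f for rec in records for f in audit_record(rec, today)]

if __name__ == "__main__":
    for finding in audit_all(RECORDS, date(2024, 1, 22)):
        print(finding)
```

Only TRV-1001 is reported, on both counts; TRV-1002 is not a valid PAN and TRV-1003 is still inside the retention window.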
Adopting a payments solution based around virtual prepaid cards could be the answer for many businesses. Virtual cards carry the same data as a physical credit card but are instead delivered electronically onto a computer screen. As cards are prepaid, firms are not exposed to the large fraud losses that might occur on a corporate credit card with a high limit.
Travel firms that use virtual prepaid cards never have to handle their customers’ cardholder data directly, because the risk always lies with the prepaid card provider. This gives them an easy way to comply with the requirements of PCI DSS.
If travel firms are to address PCI DSS, it is critical that they act before it’s too late.