The ability to properly handle your customers’ credit card details is essential for the success of any Travel Management Company.
Your customers rely on you to use and store their credit card details safely and securely. The sad truth is that this is not always possible and customer credit card data is often stored insecurely. When this data is made vulnerable, your customers are the ones at risk and any incident could lead to a devastating loss of confidence.
Put it on my card
Credit card payments are, unsurprisingly, very common in business travel due to the large volume of relatively small transactions that are made. An expectation of many customers is that you will store their credit card data to make future bookings easier. What they don’t understand, however, is the position this puts you in.
The official line is that credit card details, particularly CVV numbers, should not be stored once they have been used to pay for upcoming travel. Following this to the letter would require you to request, use and then destroy this information for each and every booking.
Some TMCs have dealt with this problem by claiming that, in accepting credit card details, they have entered into an agreement to provide on-going travel arrangements. This is one interpretation of the rules that has, up to now, worked to the satisfaction of these TMCs and their customers. Nevertheless, the way these details are transferred between the GDS and back office systems continues to raise concerns.
Remarkably insecure
PCI DSS requirements state that all authentication data should be rendered unrecoverable after the authorisation process has been completed. It even requires that CVV2 numbers are not stored at all and that no data should be transmitted or stored in a way that is easily readable.
In many cases however, due to a lack of PCI compliant integration between systems, this sensitive data is being transferred in the unencrypted remarks fields of bookings. While GDS’ do provide the ability to encrypt credit card data in standard payment fields they are often needed in unencrypted form to make payments for net fares, low-cost airlines, hotels and ancillary items.
In 2013, Travelport sent out an email to TMCs stating that the practice of using plain text or remarks fields for credit card data needed to end; acknowledging there is a problem but not providing a solution. Unfortunately, for many TMCs, no workable alternative exists.
Is ignorance really bliss?
The short answer is no. As tempting as it may be to bury your head in the sand, it just isn’t an option when the security of your customers is at risk.
Some TMCs take the view that once the details are entered into the GDS they are secure and, therefore, there is no problem and no need for customers to worry. But the need to change how credit card details are transferred to the back office is still at large since new PCI DSS standards call into question all systems on the same network as those that store the credit card information. In light of this, it is difficult to maintain the view that a secure GDS takes care of your PCI DSS compliance.
Finding a solution
Ideally, the solution to this problem needs to work for all TMCs, from the very smallest up to the industry’s giants, but a lack of industry-wide standards makes finding a solution more difficult. There’s also a need for clarification on the rules following recent changes to PCI DSS and for TMCs to understand if their past interpretations of the standard still hold any water.
Industry wide solutions can only come from everyone involved first agreeing a solution is needed. Discussion between GDS vendors, TMCs, their customer and the PCI Security Standards Council is a must.
In the meantime, TMCs will have to continue to make their own decisions about how to comply with PCI DSS requirements and to develop their own solutions for doing so.