Security is a huge issue for companies that handle credit card information. While on the one hand they need to make it easy for people to make payments, they also have to make it as hard as possible for hackers and fraudsters to access the sensitive data involved. And just as the criminals are working 24/7 to find new ways to break into the technological vaults, businesses need to see data security as an ongoing battle that requires their continuous attention and appropriate resources.
The PCI standard
The Payment Card Industry Data Security Standard (PCI DSS) was introduced in 2006 to ensure that companies working with credit card information (accepting, processing, storing or transmitting data) do so securely. The Standard itself is administered by a dedicated body, the PCI Security Standards Council.
A key focus of the PCI Standard is to ensure that all credit card data is transferred securely over a computer network or the internet. However, what is considered a safe method of transfer one day may be vulnerable to attack the next. To address this, the PCI Security Standards Council monitors the security of its recommended protocols against evolving threats and vulnerabilities and issues updates to the Standard as required to tackle the newly identified risks.
The cost of failing to comply
In 2015, New Jersey (USA)-based Verizon Enterprise Solutions published a report on PCI Compliance based on casework data it had gathered through PCI assessments on Fortune 500 companies and large multinationals in 30+ countries. According to its research, the majority of the companies that had suffered data breaches showed lower than normal compliance with several of the PCI DSS controls, and none of those that had been breached were fully compliant at the time. Of the businesses that had been PCI compliant at some stage, only 29% were still compliant less than a year later. The main reasons given for companies 'falling out' of compliance were their own failure to test security systems regularly, to maintain secure systems and to protect stored data. This shows that maintaining data security is a huge challenge for everyone, even the biggest companies with (you would think) all the resources they need to throw at it.
There are huge costs associated with failure to comply. According to Verizon's 2015 report, 69% of consumers would be 'less inclined' to do business with a company that had suffered a data breach, so there is an immediate knock-on effect in reduced revenue and reputational damage. If that wasn't enough, the fines involved are huge and set to get even bigger for Europe-based businesses.
To give you some idea of the sums involved, in 2015, UK-based SMEs and large organisations paid out an estimated £1.4bn in fines for security breaches. In 2018, the new EU General Data Protection Regulation (GDPR), which seeks to unify data protection laws, will come into force. If the number of breaches among UK companies remains at 2015 levels, in 2018 they would be paying out £122bn in fines (if the highest GDPR fine rate of 4% of global turnover was applied), with an average fine of £11m per large organisation and £13,000 per SME.
Data breaches are costing billions ©Rawpixel/iStock
UK in GDPR?
While it is not clear what rules will prevail in the UK after Brexit, it is likely that the UK will still be part of the EU when the GDPR becomes law. Even if it is not, it will still have to have consistent standards and processes of its own to convince others that it is a suitably secure place to do business.
Whatever happens, the UK Information Commissioner's Office has already issued a warning that it is likely to align its powers to fine companies in line with the GDPR (to a maximum of 4% of global turnover) and urged organisations to take responsibility for the risks they create for others and to do everything they can to reduce them.
What does this mean for travel managers?
In short, take nothing for granted.
The travel industry is made up of intertwined service providers — airlines, rail companies, car rentals, taxi firms, chauffeur services, hotels and other accommodation providers to name just a few — the majority of which will be taking payments and storing data. Given that so many companies are failing to comply with the full PCI Standard (based on the number of reported breaches and the size of the fines) you would be wise to ask for proof that the companies you do business with are taking the necessary measures to safeguard the personal payment data you send their way.
After all, if they are not keeping it safe then your own customers and clients could become the victims of credit card fraud or other cybercrime. And while you may not be directly responsible for a security breach (for example, if you book clients into a hotel and that hotel's booking system is subsequently hacked) your clients may find you guilty by association and question whether you had undertaken sufficient due diligence.
That said, there are plenty of signs that factions within the travel industry are taking the issue seriously. For example, the airline members of the International Air Transport Association (IATA) have demanded that their umbrella organisation provide the necessary support to help the many accredited passenger sales agents using the IATA's Billing and Settlement Plan (BSP) payment system to become PCI compliant, recognising that the compliance of the payment chain is only as strong as its weakest link.
Compliance is not enough
While complying with the PCI DSS means that a company is addressing known security issues, it is not a cast-iron guarantee of data security. PCI compliance is therefore an ongoing process and should be just one part of a company's data security and risk management strategy.
Invest sufficient resources in your data security
Ensure you have the people and technologies you need to keep data secure because you really can't afford not to.
Make data security and risk management a business priority
Your entire business is at risk if you fail to keep confidential data safe — so maintaining data security should be as much of a priority as delivering services.
Include PCI compliance as a requirement in tenders
Before you agree to work with any other company, ask for evidence that they are PCI compliant and confirmation that they are actively maintaining their compliant status. After all, if we all made ongoing PCI compliance a pre-condition for doing business then all companies of all sizes would be forced to raise their game.
If you can't manage it yourself, find an external solution
Some companies may struggle to find or fund the resources (people and technology) they need for PCI compliant payments. If this is the case, find third-party systems that offer this kind of data security.