At Air France we take PCI DSS (Payment Card Industry Data Security Standard) regulations and the security of our customers’ payment details extremely seriously. Keeping our customers’ payment details secure helps to protect our reputation and limit regulatory risk. My role is to ensure all Air France processes are PCI DSS compliant across the airline.
Our compliance journey took a new direction back in 2013 when we decided to invest in an innovative approach to payments security for our customers. The first step was taking an inventory of all the different processes where we handled customer payment details. We identified more than 160 separate processes across our sales and back-office operations.
An airline the size of Air France is a hugely complex operation and customer payment cards aren’t only collected during booking. The card information must also be conveyed to acquirers across the world, and it’s used for reconciliation of payments to bookings in the back-office, when we process refunds and when we respond to chargebacks. In short, airlines need customer payment details for multiple operations beyond sales and every process must be PCI DSS compliant to protect our customers and reduce risk for the airline.
After mapping our PCI DSS relevant processes, we set to work ensuring they were compliant. Central to this effort was partnering with Amadeus and using its tokenization solution, delivered by its fully owned subsidiary Outpayce.
This tokenization solution replaces our customers’ card details with secure tokens across our systems – an essential capability that supports efficient operations while significantly reducing our risk exposure. At Air France every single customer card is now tokenized.
Thanks to tokenization we no longer hold customer card details on our own systems. Instead, tokens flow through our systems into Outpayce’s secure vaults, which allows us to reduce our own system maintenance costs and to conduct our operations with significantly reduced risk. Should we experience a data breach, we are assured that no PCI DSS relevant data will be lost and instead, the bad actor will receive meaningless tokens that cannot be used for fraud.
Perhaps the most important benefit of tokenization is risk reduction: for our customers, who are protected from fraud, and for Air France, which is protected from the potential impact of a data breach.
For us at Air France PCI Office, tokenization also greatly reduces workload. In fact, by removing payment details from our systems, tokenization drastically reduces the number of PCI DSS requirements we need to meet from more than 350 on-going requirements, to around 60. That’s hugely powerful and of course significantly lowers our cost of compliance – making it far more straightforward to undertake our annual PCI DSS certification process.
Often with security measures there’s a trade-off between convenience and security levels. With tokens, this is not so much the case. Tokenization and de-tokenization are automated within the payment flow, meaning that our acquiring partners receive the original card details, saving the need to onboard external payment providers to our tokenization flow.
We still ‘own’ the payment and can take the required actions involving customer payment details. For example, we can use tokens to process refunds, and we can still analyze and understand how our customers pay us. The token format facilitates the decoding of card characteristics which can be used for orchestration capabilities, and the analysis of customer purchase patterns.
Amadeus, a long-standing Air France partner, provides our Passenger Service System (PSS) and distribution services, and now supports our retailing transformation. As part of this partnership, Amadeus leverages Outpayce’s tokenization technology to enhance payment security within its solutions. The call center is a good example. Here we allow customers to enter their card details securely using a link sent by email or SMS, rather than asking the customer to read their card details out loud.
Importantly, this technology can quickly tokenize and de-tokenize as needed, helping us to complete a range of processes securely. For example, we can convey capture files containing many different tokens to our payment processing partners like acquirers across the world. If we want to on-board a new partner, Outpayce will build a connection that brings them into our tokenization flow.
The airline industry is a target for fraud and cyber-attack. As our defenses have improved with measures like tokenization, so the bad actors continue to innovate. Today, one of the most challenging types of attack is the ‘man-in-the-middle’ scam, which encourages a passenger to visit a fake website and unwittingly enter their card details, using elaborate means of deception that often involve messages or emails. Our cyber security team works collaboratively with the authorities to limit the risk of such attacks, which combines nicely with our PCI Office efforts to protect Air France customers’ payment details.
In summary, tokenization has helped us to significantly reduce risks associated with data breaches and lowered our PCI DSS compliance burden by around 75%. The solution performs extremely well and is natively integrated into our specific commercial and payment flows across digital, call centers, distribution, and at the airport. In today’s uncertain world, every airline should consider tokenization.