How can we store travelers’ payment details securely?

Travel companies must store identity information like name, address, travel specific information and passport details, as well as highly regulated payment card data. This sensitive data means travel companies are a target for malicious actors that seek to breach company systems to steal such data.

There are a range of studies that show the increasing rate of data breaches. Security company Gemalto published a detailed index of every public cyber breach globally until the company was acquired in 2019. In the first half of 2018, the index recorded that more than 3.3 Billion records had been compromised, representing a 72% rise on the first half of 2017. More recent studies  suggest billions of records are now lost every month.

Some types of data are more sensitive than others. Payment card data is particularly sensitive given that a person’s 16-digit card number can be used to initiate a purchase. That’s why PCI-DSS or the Payment Card Industry Data Security Standard (PCI-DSS) was introduced to ensure companies that store or transfer payment card data meet specific data security standards.

We recently asked travelers to share their perspectives on cyber security through a survey with 4,500 travelers from five countries. The results demonstrate how seriously they view this issue.

68% of respondents to our survey confirmed that if a travel company suffered a breach, it would negatively impact their perception of the company, 32% say significantly. Such reputa-tional impact may extend beyond security, impacting perceptions of the company’s overall competence.

Respondents to our survey were lukewarm on the travel industry’s cyber security capabilities. In fact, 35% said they do not trust travel companies to keep their payment details secure, the second highest of any sector and just behind ‘general retail’ at 39%.

Of particular concern to payments departments in search of frictionless transactions is the fact that 76% of travelers “would not store their payment details with a travel company that had suffered a well-publicized data breach”. Without gaining traveler trust it will be challeng-ing for travel companies to keep payment details on file in a way that supports smooth pay-ments.

In a world where travel companies need to store sensitive data, cyber-attacks are increasing, travelers are concerned and regulation is stringent, how can the industry handle payment details securely? Tokenization is emerging as a key capability that can help travel companies reduce risk and ensure compliance.

Rather than storing the traveler’s 16-digit card number, a merchant can choose to replace it with a token. Card data is typically tokenized by replacing card data with a string of characters e.g. DH29X3ND.

Importantly, tokenization is not the same as encryption. When data is encrypted, there is always the ability to decrypt the data back to its original form, typically using a private key. This isn’t possible with a token, instead the original 16-digit card number is held securely within the tokenization provider’s vault. Importantly, this means the traveler’s card data isn’t stored on the travel company’s systems helping to reduce risk.

At Outpayce we provide a highly trusted tokenization service, se-curely storing traveler payment details on behalf of airlines and travel businesses.

There are four key reasons that increasing numbers of travel companies are choosing to to-kenize payment card data.

Security– if a token is stolen during a breach, it’s useless to the attacker and they cannot turn the token back into the traveler’s card number or use it for another purchase.

Outpayce Tokenization is a security solution that offers merchants the ability to convert sen-sitive payment card data into non-sensitive tokens across the entire traveler journey, no mat-ter when the traveler provides their card. This process significantly reduces security threats and minimizes the risk of payment information leakage.

With secure online and offline walls, Outpayce customers benefit from the ability to tokenize and detokenize simply and securely in all environments.

Reduced Operational cost– with the right solution in place, travel companies can save on development costs. With tokenization from Outpayce, an in-house solution, customers are not dependent on issuers or acquirers for this important security capability, with the flexibility to customize the solution as needed.

Compliance– one of the simplest ways to reduce the PCI-DSS compliance burden is to tokenize payment card data. Part of the compliance burden from the travel company will be transferred to Outpayce, simplifying data management complexity and substantially reducing PCI-DSS compliance costs, resources and time.

Reduced friction – Tokenization reduces the need for travelers to repeatedly enter their card details for subsequent transactions. This convenience encourages more frequent and friction-less payments. With 54% of travelers believing re-entering payment details is frustrating, re-moving friction is key to commercial success.

Tokenization alone won’t provide a holistic cyber security solution, but it is an extremely ef-fective and proven tool that reduces risk and helps travel companies meet their obligation to secure sensitive traveler information. With 72% of respondents to our survey confirming that a travel company’s strong reputation for ‘secure commerce’ would“encourage them to choose that firm over another provider with a less favorable reputation”,secure travel com-merce is also becoming a differentiator.

To learn more about how tokenization can help travel companies secure sensitive data and reduce the risk of data breaches, I encourage you toread our latest report .