Cybersecurity Insights | Blog | Foregenix

Why PCI compliance is important as a Travel Agent.

Written by Kieran Murphy | 2/28/18 10:05 AM

As you may be aware, the regulatory body governing the world’s airlines (International Air Transport Association, IATA) announced some time ago that travel agents across all mediums need to be PCI DSS (Payment Card Industry Data Security Standards) compliant by June 2017. Fortunately, they have pushed the deadline forward to March 2018, giving businesses the much-needed leeway to obtain compliance.

This includes Retail Travel Agents, Business Travel Agents, Online Travel Agents and Telephone Travel Agents. Every business, no matter how big or small, has to be PCI compliant if they’re handling payment card transactions. Essentially, PCI compliance boils down to taking adequate security measures to protect your customers payment card information. It’s no longer ‘if’ you will be hacked, but ‘when’.

It’s not uncommon for people to think that hackers only target financial institutions, but the truth is every business that handles data is a potential target. This includes the travel sector. A number of travel agents worldwide have been stung by data breaches, the Association of British Travel Agents, Omni Hotels & Resorts, JTB Corp and Essential Travel to name a few. A quick Google search will reveal how prevalent the threat is to travel companies.

Using Essential Travel as an example, a weakness in their website led to 1.6 million credit card details being stolen. 430,599 of these stolen credentials were thought to have been active, with 733,397 identified as expired. As a result of the exposed data, they were fined £150,000 ($255,000).   

According to a study carried out by SPA Future thinking on behalf of the Information Commissioners Office, the fines have had a positive impact on the way organisations handle compliance. The report states that:

  • Organisations took their data protection obligations seriously, with revised practices and increased staff training.
  • Data protection was given a higher profile, with greater senior management buy-in.
  • Staff awareness was raised through targeted campaigns, with the importance of handling data properly made more prominent.

Whilst the fines have overall led to good changes within businesses, these could have been achieved without taking such a heavy financial hit. This is especially true with small businesses, the US’ National Cyber Security Alliance found that 60% of small businesses are unable to sustain their business within six months of a cyber-attack.

Mary Pat Sullivan, analyst for PhocusWright has previously been quoted as saying “The greatest vulnerability for travel agents are those with gross annual sales of $1-10 million.” This is because “agencies with $1-10 million in sales generally have less money to spend on sophisticated, software-based technology tools. Their detection and review are almost entirely manual.”

Unfortunately, there isn’t one ‘thing’ you can do to obtain compliance; some investment of both time and resources is required to achieve and maintain compliance. It doesn’t stop there either, hackers are constantly looking for chinks in your armour and your security team should reflect that.  Rather than focussing on compliance itself, you need to focus on keeping customer data sufficiently protected, with the bonus of PCI compliance. 

Below are four quick tips to get you on the road to being a PCI compliant travel agency:

Only store card data that’s necessary: According to a report from SecurityMetrics, 61% of merchants store unencrypted card data. If an attacker gains access to your system, they will find unencrypted card data. They know where to look and how to find it. The more unsecure data you store, the more people you have to pay after a data breach.

Keep your systems updated: Web applications, security software and operating systems bring out new versions and patches on a regular basis. These often include fixes for discovered holes in the software such as bugs and security issues. With each new update, often there will be notes detailing what exactly they have changed and why. Whilst this is great for people who want to know what’s new, it also gives hackers the information they need to exploit older versions of the software.

Change your passwords regularly: It’s not uncommon for passwords to be guessed. Hacking tools are available that can and will crack simple passwords. Once cracked, websites are completely vulnerable to whatever the attacker has in mind. It only takes seconds to create a complex password and it can save your business tens of thousands of pounds.

Keep your data backed up: Backups should be automated, systemised and kept offsite. Having an up to date backup could mean the difference between your website being taken down for days, or being back up and running quickly. Reverting to a clean backup is far easier and quicker than going through an entire websites code to find the offender.  

Of course however, these measures won’t protect you completely. If you would like to discuss PCI compliance and the services we offer to get you there, please follow the below link for our tailored travel agent PCI services.