A story about my regularly abused credit card and the rise of simplicity in payment security for the travel industry.
And again, it’s a regular Thirsty Thursday in Zurich, Switzerland and I’m out with friends for an “Apero” (the elegant word Swiss people use for after-work drinks on any regular business day). So I’m at this bar in the wonderful historic district of Zurich, ordering the next round for the guys. The barkeeper hands over the payment terminal. “Grüezi — 24.50 Swiss Francs, please.” I whip out my credit card, ready to get ripped off, and there it is again — the nightmarish feeling of what the f*#k, what happened?
My credit card got declined… and I’m thinking to myself: is it the terminal that isn’t working properly, or is it the NFC chip in my credit card that feels like taking a bank holiday today? Did I pay my monthly bill? (Check — luckily I like to automate things.) Or is there someone somewhere around the world buying nice things with my credit card again? I like to donate to a good cause, but this is stretching my goodwill.
A few more attempts and I finally give up, not least because of the thangry (thirsty and angry) faces starting to pile up in the line behind me. When I got off the phone with my credit card company, I was reassured that my credit card had been blocked as a precaution, since the early warning system had detected suspicious transactions: purchases from the Apple store, a survival kit and family packs of diapers. Seems to be a single parent with a soft spot for expensive phones.
This is the second time this year that my credit card has been abused, and I’m starting to wonder what happened this time. I know, I travel a lot, but there are rigorous payment security standards that companies need to comply with to keep my credit card data secure. So how come I get pwned on a regular basis?
There are many people out there who have discussed online payments and their fraud scenarios in great detail, so I leave you with a simple “google it”. I would rather focus on a particular process that is characteristic of the travel industry: the reservation process.
In my opinion this process has been overlooked for quite some time. The very nature of a reservation process in the travel industry entails an often long chain of service providers.
When you reserve a flight ticket, book a hotel room or rent a car, your credit card details will often be passed through a ton of different systems of travel tech companies. This is because credit cards are stored to guarantee your reservation and used by service providers for no-shows or charges at a later point in time.
For example, when you reserve a hotel room on a booking platform such as Booking.com, the hotel uses channel manager and central reservation systems to receive your credit card details in case you don’t show up for your reservation. The hotel owner is then entitled to charge you a so-called no-show fee to compensate for the revenue lost by not being able to sell the room to someone else.
Since I started working for the Swiss payment service provider Datatrans, I’ve helped a lot of companies and platforms in different industries with online payments and with keeping their customers’ payment details safe according to the PCI Data Security Standard (PCI DSS). I’ve seen dozens of companies and talked a lot with their CxOs about their payment processes and security measures.
Clearly, there are different approaches to complying with PCI DSS. While some companies make huge, expensive efforts to undergo in-house PCI DSS audits to keep our credit card data safe, others follow more efficient strategies with the lowest possible risk for their companies.
I think we are way beyond the point of flying below the radar and not complying with PCI DSS at all, but sadly I know for a fact that there are still tons of companies out there that haven’t secured their processes as they should.
Let me give you a little reminder of what a compromise might mean to a company in case of non-compliance:
Imagine an online merchant storing about 500 credit cards each month for over 2 years. Following a compromise, about 10'000 cardholder data sets have been stolen and abused. If the merchant is not PCI-compliant at the time of the compromise, it will face approximately the following costs:
- Incident penalty fee EUR 50.000
- Forensic investigation EUR 50.000
- Legal expenses EUR 50.000
- Plastic exchange cost EUR 50.000 (EUR 5 / card)
- Dispute cost EUR 500.000 (EUR 50 / card)
- Fraud EUR 1.000.000 (EUR 100 / card)
Aggregated Costs EUR 1.700.000
Not to mention the price your brand has to pay if the story goes viral and damages your reputation. Your brand’s reputation might also get a scratch when data gets compromised in your own PCI-compliant environment, but at least you don’t face a possible default due to the costs of non-compliance.
I know from my own experience that PCI DSS is hard work, but it’s worth it. Constantly investing in and keeping up with the highest security measures, learning about PCI DSS updates a couple of times a year and surpassing the expectations of QSAs and clients to keep sensitive data secure — that’s a lot of work and doesn’t come cheap. However, in the end it’s a solid standard that might have a few flaws (e.g. stiffness) but tries to make the online payment world a more secure place.
Nowadays a lot of industries are getting disrupted. Startups with new approaches to old problems enter the stage. So eventually this happened to the payment security industry as well. Tokenization as a service (so-called PCI proxies) and blockchain are the new stars in the sky. While blockchain is still in its teens, with a lot of potential, PCI proxy solutions in particular have already arrived. We have also been using tokenization as a service with our clients for some years now.
Let me give you a little background story. Initially, everything started with Swiss International Air Lines. In 2009, the airline assessed their PCI scope and approached us a few months into the project. They found themselves in a situation where they had to invest resources and capital in a process that doesn’t contribute to their overall goal of selling superior flight journeys. In fact, they were also losing massive flexibility, because PCI is a stiff compliance catalog that doesn’t scale efficiently with forward-thinking companies.
On-premise tokenization was nothing new at that time, but it would still have meant a loss of flexibility, keeping PCI audits in-house, and facing possible reputation risks in case of a compromise.
Since payments and PCI DSS are our core business, we thought about how we could use our existing payment infrastructure for SWISS. Ultimately, we introduced our idea of serviced PCI compliance to them. We called it PCI Proxy because it’s a tokenization-as-a-service solution that works like a proxy, with almost no development time for integration. What makes it stand out is that it can easily be placed between any communication channel (sockets, HTTPS, etc.) and filter incoming or outgoing data for credit card numbers and tokens, swapping one for the other so that the card numbers never reach your own systems — reducing your PCI scope instantly.
Over the past years we have used it mainly for our payment clients, but we were approached by so many different industry leaders that we decided to open it up to every company, to achieve PCI compliance in a simple but reliable and secure way. We believe you should keep your focus on building great products, not on PCI compliance. Maybe it’s worth checking it out.
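To make the proxy idea concrete, here is an added illustration (my own toy sketch, not Datatrans’ PCI Proxy code, and the `tok_…` token format is a hypothetical one): card numbers in a reservation message are found with a Luhn check and swapped for tokens on the way in, and tokens are swapped back for card numbers only on the way out towards the payment side, so the systems in between never hold a real card number.

```python
import re
import secrets

# Candidate card number: 13-19 digits, optionally separated by spaces or dashes.
PAN_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")
# Token format issued by this toy vault (hypothetical; keeps the last 4 digits for display).
TOKEN_RE = re.compile(r"tok_[0-9a-f]{16}_\d{4}")


def luhn_valid(digits: str) -> bool:
    """Luhn checksum: weeds out booking references and other digit runs that are not cards."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


class TokenVault:
    """In-memory stand-in for the PCI-scoped vault; only this class ever sees real card numbers."""

    def __init__(self):
        self._pan_by_token = {}
        self._token_by_pan = {}

    def tokenize(self, pan: str) -> str:
        if pan not in self._token_by_pan:           # same card always maps to the same token
            token = f"tok_{secrets.token_hex(8)}_{pan[-4:]}"
            self._token_by_pan[pan] = token
            self._pan_by_token[token] = pan
        return self._token_by_pan[pan]

    def detokenize(self, token: str) -> str:
        return self._pan_by_token[token]


def scrub_inbound(payload: str, vault: TokenVault) -> str:
    """Traffic towards the merchant's systems: replace every Luhn-valid card number with a token."""
    def repl(m):
        digits = re.sub(r"\D", "", m.group())
        return vault.tokenize(digits) if luhn_valid(digits) else m.group()
    return PAN_RE.sub(repl, payload)


def restore_outbound(payload: str, vault: TokenVault) -> str:
    """Traffic towards the acquirer / payment provider: swap tokens back for the card number."""
    return TOKEN_RE.sub(lambda m: vault.detokenize(m.group()), payload)
```

Note that the 16-digit booking reference in a message passes the regex but fails the Luhn check, so it is left untouched; the same guarantee does not hold for every digit run, which is why a real proxy also inspects field names and channels.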
Finally, it doesn’t matter whether businesses decide to undergo a full PCI audit or draw on tokenization solutions to secure their customers’ payment data, as long as they do something. Tokenization-as-a-service solutions in particular leave no more excuses for not being PCI compliant these days. I hope I could raise some awareness of this hot topic and maybe convinced one or the other to reconsider their decision on PCI and the data security of their customers. In the end, it’s not only me who would thank you, but also your customers and millions of their regularly abused credit cards.