Sweet dreams, BizAv: Why being PCI compliant will help you sleep at night
Business aviation brokers and operators are in a tricky position when it comes to payments. They want to make it easy for repeat customers to pay for their flights. This often means that they'll request and hold their customer's credit card information - indefinitely, even.
This common practice is laden with risks. The worst of scenarios end in the customer's credit information being stolen, used to make fraudulent purchases and even leveraged to steal their identity. These risks circle directly back to the Merchant: they can be held responsible for the ramifications of a criminal accessing their customer's data. A hair-raising prospect!
Fortunately for all, there is a set of security practices that brings the risk of fraud down significantly. It's called the Payment Card Industry Data Security Standard (PCI DSS).
PCI DSS: friend, not foe
The Payment Card Industry Data Security Standard (PCI DSS) is a global standard for processing card payments safely and reducing the risk of fraud.
All "merchants" (that is, businesses, financial institutions such as debit and credit-card providers, point-of-sale suppliers, and suppliers of payment software and hardware) are required to comply with the standard. Compliance entails following a 12-step security checklist, essentially a guide to protecting your customers' confidential payment card information against theft and cyber-crime. These steps include measures for IT security technology as well as information security policies and best practices.
The standard is managed and periodically updated by the Payment Card Industry (PCI) Security Standards Council, created in 2006 by the five main payment card brands: American Express, Discover Financial Services, JCB International, MasterCard, and Visa Inc.
When risk comes to shove
Failure to comply can have serious and long-term negative consequences.
Businesses that fail to uphold the security standard can be fined, may have their reputation damaged and lose customers, as well as pay more in compliance costs, such as the cost of investigating security breaches and fixing lax security. Of the $858 million in payment card fraud that happens in the aviation industry each year, $639 million is borne by airlines.
Cybercriminals are always chasing cardholder information. When they retrieve the Primary Account Number (PAN, commonly known as the card number) or other sensitive data, they can impersonate the cardholder, use their card and steal the identity of the person.
This type of cybercrime could have major repercussions for aviation companies and their customers, the International Air Transport Association (IATA) has warned. "Being PCI DSS compliant is in each agent's best interest, not only because it secures the customers' sensitive information or a particular financial situation, it also leads to a safer organization network - which is in many cases liable to poor system maintenance - giving cybercriminals the freedom to enter the system."
The landscape of payment risks
In business aviation, one of the most common types of fraud is criminals paying for flights using stolen or fake credit card details. Securing a card payment can be trickier than you think because different businesses and individuals are involved in the transaction, each of which uses different technology:
- Card reading terminals and filing systems
- Point Of Sale terminals and their card readers (magnetic stripe or chip)
- An agent's/merchant's branch networks and wireless access routers
- Data storage and transmission
- Paper-based records
- Online payment applications and shopping carts
PCI DSS guides your business through the security measures needed to protect your business at each of these vulnerable points of entry.
The benefits of compliance
Like most regulations, though, complying with the PCI DSS payment standard isn't just about avoiding bad things. It can help you run your business in a way that provides confidence and peace of mind for both your employees and your customers. It's also good for your brand's reputation because it shows your commitment to IT security.
There can be financial benefits, too. Continually reviewing your payment procedures and technology can help reduce costs and improve efficiency.
Finally, it may also help your business comply with Europe's new data protection standard, the General Data Protection Regulation (GDPR), which will start in May. The GDPR has tougher rules for protecting personal data.
Get going with PCI DSS
Here at PayNode, we are intimately familiar with the PCI standard. After all, we're a technology company built to provide business aviation with the most secure and convenient means of making high-value transactions. IT security practices, particularly those concerning cardholder data, are embedded in our DNA.
We thought it would be helpful to pay this knowledge forward, in a way that's simple to understand. Drawing from the standard itself, we have assembled PayNode's Guide to PCI Compliance, which provides an overview of each of the 12 steps. You can download the guide below. Happy reading!
By Magnus Henriksson, Managing Director at PayNode