Alex Bainbridge's Musings on travel ecommerce blog
Musings on travel ecommerce blog
Blog home  Blog home
« Don’t let your PR team give your competitors your plans

Google, YouTube ‘Click-to-buy’ and travel »

Two more credit card processes the travel industry shouldn’t be doing [PCI]

Friday, October 10th, 2008

PCI is a set of standards that define how you are permitted to hold and transmit credit card data. If anyone tells you their system is secure just because they have an SSL certificate they demonstrate that they don’t really understand how security works.

PCI is much more than just an SSL certificate. Compliance is mandatory for any company handling credit card details (unless you decide not to handle credit card data - e.g. by using a 3rd party payment gateway)

Here are two more processes that travel companies do that will require the agent to be PCI audited:

  • Agent takes credit card details from customer over the phone and, while customer is on the phone, places the card details into a supplier website
  • Agent takes credit card details from customer and instead of charging the card they give the credit card details to a supplier (for charging directly at a later time)

The first process has become “common” (or acknowledged to take place, at the least) by agents who have been banned from selling Ryanair flights. Instead of using the agency credit card the customer’s details are placed on the Ryanair website - making it difficult for Ryanair to see that the booking is an indirect booking. However, this process would require the agent to be PCI compliant (which they are unlikely to be, for this situation)….. 

The second process is common in the hotel industry. The card details are often transmitted to the hotel for charging. This would require the agent and the hotel to be PCI compliant. e.g. you can’t just “email” the card details to the hotel. Faxing is also problematic.

The onus on the 3rd party
If you are a travel company that uses agents to send credit card data to you (on your behalf) then it is down to you to ensure your agents are PCI compliant. 

Again, something for our “non technical” industry representation bodies to get to grips with. However I am not sure they really understand that much of the industry is now structured around trading outside of the PCI standards….. and therefore what to do about it - hence nothing really happens. It will just have to take a “big breach event” to bring this to everyone’s attention.


If you want to be notified next time something is published sign up for email alerts or subscribe to the RSS feed. Thank you for reading!


« Don’t let your PR team give your competitors your plans

Google, YouTube ‘Click-to-buy’ and travel »



More posts (maybe related, maybe not)

Leave a Reply


Comments for this post will be closed on 7 February 2009.

This blog is about travel ecommerce with a focus on topics of interest to tour operators & travel companies

Alex has previously started up a small tour operator (5 staff) and also worked for leading "dot coms", airlines, hotel chains and tour operators advising and project managing web, ecommerce and reservation system projects.

Alex is available for travel ecommerce consulting via Travel UCD. Travel UCD also operates TourCMS - a web based reservation system for small tour operators


RSS Feed

Subscribe via daily email



AddThis Feed Button

Homepage
About this blog
Best of the blog (top 10 posts!)

Recent comments
Tamara: It’s a lot of money! But I guess it’s probably good value for the column inches it generates - of course as long as you get to the top five! To guarantee that it looks like you have to have...

Alex Bainbridge: Hi Tamara …. as for PhoCusWright….. I am sure that at the point the judges judged they were impartial - however it was a fairly self selecting group who put themselves forward to be judged...

Darren Cronian: Alex, I am worried that we are becoming on the same wave length. http://www.traveldotnet.co.uk/ articles/lets-not-forget-offli ne-travel-innovation/ No, I have just read this post now, I didn’t...

Pete Meyers: Alex - I’m really looking forward to hearing the pirate story, well done!

Ben Colclough: I must say I had more fun acting out a chicken in a restaurant in Yunnan, China than I would have had with the flip book. Seriously though - it is a good idea & innovative. Not sure I would want to...

Alex Bainbridge: Hi Pete The times I would have found this useful (PocketComms) I really wouldn’t have wanted to put an iphone into someone elses hands! For example negotiating with a people smuggling ship in...

Pete Meyers: I think the best innovation is a combination of great ideas and succinct execution. To your example about the PocketComms, it was a good idea that fermented for a number of years, yet who’s to say...

Tamara: This is an interesting debate. I wonder what the PhocusWright judges views are. They seemed to be very clear however that they wanted to reward companies who had actually created something - rather than simply...

Ben Colclough: P&G, generally regarded as a very innovative large consumer branded company has an approach to innovation that throws some light on this. They embrace failure as a necessary part of innovation. This...

Categories
Top commentators
Kevin May
Darren Cronian
Jeremy Head
John
Ben Colclough
Alex Bainbridge
graham steele
Ian McKee
Big Travel Web
Tamara
Guillaume
Ignacio
Neil MacLean
Dominic
John Pyle

Other travel & tourism blogs
Travolution
The Boot
Hotel Blogs
Travel Rants
TraveBlather
Travel PR Blog
Dot Tourism
Albert Barra [Spanish]

Wiwih blogs - a directory of travel industry blogs

Small Fish Big Ocean

Come and join my travel business social network! for small tour operators and niche agents


TourCMS

Contact Alex
Privacy policy
 Copyright © Travel UCD Limited / Alex Bainbridge 2007-2008. All rights reserved
TourCMS® is a registered trademark of Travel UCD Limited, United Kingdom