It’s been a tough time for the travel industry of late. Since April there’s been two high profile data breaches announced from Delta Airlines, and most recently, British Airways. So, how can the industry respond to minimise the risk of a breach? To answer this, let’s look at what we know from these data breaches in more detail.
In April, news broke about the Delta Airlines data breach through its online chat services. This included customer payment information. On Friday, British Airways announced a data breach of its app and web services which included credit card details. What this shows is that it’s not just the storage of sensitive information that is subject to cyber-attacks, it’s also the payment process. PCI DSS requires cardholder data to be encrypted when in transmission, along with maintaining firewalls and up-to-date antivirus software. This does go a long way in preventing a breach, however its apparent that this is no longer enough. But it’s not just the risk of a breach that needs to be considered. The General Data Protection Regulation (GDPR) has been in effect for almost five months. As mentioned by Tony Smith, PCI DSS and the GDPR sit on the same branch, so a breach of PCI compliance is a breach of the GDPR. The repercussions of this can be fines of up to 4% of global turnover, not to mention the damage to reputation and therefore revenue and to the value of the company. Not only this, IATA now requires accredited Travel agencies to be PCI compliant. In the face of tightening regulations, it seems that one answer is rather than focusing on keeping the hackers out, ensure there is no data for them to take in the first place. Taking the contact centre as an example, which is a hotbed of data and a prime target for hackers, solutions such as Agent Assist work by ensuring no sensitive credit card data enters the environment. Of course, this won’t prevent all breaches. But given that 76% of attacks are financially motivated it begs the question; can the travel industry afford not to de-scope?