Airlines take note – 999 days until new payment security standard deadline

Celia Pereiro

Head of Payments, Amadeus IT Group


Visa Europe has issued a deadline to acquiring banks using its network that all airline merchants should be fully compliant with the Payment Card Industry Data Security Standard by 31 December 2017, some 999 days from today.


Cyber threats have been growing exponentially and 2015 is shaping up to be a make or break year. 2014 was the worst year in history for data breaches with 1.1 billion personal and sensitive records compromised across 3,014 incidents, a 22.3% increase compared to 2013. Some 97.6% of the records lost were a result of hacking and fraudulent activity.

Not all of these data breaches involved credit card numbers or financial data – many were account user names and passwords. However, thieves often steal this information from a less secure website knowing that people frequently reuse the same password across many different websites. Nevertheless, there were still some big financial security breaches in 2014. In January, thieves stole over 100 million credit card credentials in South Korea.

To combat the growth of data security breaches, the Payment Card Industry put in place the Payment Card Industry Data Security Standard in December 2004. The PCI-DSS defines 12 high-level requirements for compliance, organized into six ‘control objectives’:

  1. Build and Maintain a Secure Network

  2. Protect Cardholder Data

  3. Maintain a Vulnerability Management Program

  4. Implement Strong Access Control Measures

  5. Regularly Monitor and Test Networks

  6. Maintain an Information Security Policy

The control objectives are not only requirements for PCI-DSS compliance, they are generally good practice for any business which handles sensitive credit card data. However, achieving and maintaining compliance with the PCI-DSS standard is surprisingly difficult. One key issue is defining, and limiting, the scope of which applications must be compliant. As enterprise systems become ever more complex and interconnected, applications which on the face of it have nothing to do with credit card data can harbour weaknesses which criminals can exploit. For Amadeus, however, managing complex and interconnected systems and handling payment data is our bread and butter – we understand this environment intuitively.

It is this complexity which lies behind a recent finding by Verizon, which assesses companies for compliance against the standard, that only 20% of companies tested are fully PCI-DSS compliant ten years after the standard was first introduced. This low number of compliant companies reiterates the challenges of compliance, which include updates to the standards, rapid innovations in payments and technology, and the complexity of inter-connected systems.

So, while Visa Europe’s deadline sounds like a long way away, 999 days can go by very quickly. Travel companies – especially airlines, whose systems are perhaps the most complex of all, but also travel agencies, rail operators and hotels – should act now to limit their exposure and ensure, not only that they can meet the Visa Europe deadline, but that they can take care of their customers’ credit card data in the face of ever increasing cyber threats.

For more information on the new compliance standard, have a look at this overview of PCI DSS 3.0.