
DPO White Papers

The Complete Guide for Online Payment Security and PCI DSS Compliance


Depending on where you place the beginning of online bookings, it has been at least two decades since the service was introduced. Microsoft launched Expedia in 1996, and Sabre, then owned by American Airlines' parent company, launched Travelocity in the same year. The rest, as they say, is history.

Online bookings have risen steadily since and are set to overtake offline bookings globally by 2025. In Europe, according to Phocuswright, online bookings will surpass offline bookings by the end of 2017, reaching a 52% market share. Total online travel revenue is projected to pass $1 trillion in 2022, a huge market opportunity for companies in this industry around the world.

Customer Experience is Key to Garnering Market Share

As with any business, travel companies must strive to perfect the customer experience. From an easy-to-navigate website with price comparison and up-to-date reviews to hassle-free booking, travel companies must ensure an exceptional user experience on their online booking sites.

In its 2016 report, loyalty expert Colloquy found that 25% of users leave online booking sites that are ineffective. With travelers searching an average of 48 times on 8 different sites before booking, it is critical to offer a high-end site and an outstanding customer experience.

Shopping cart abandonment in the travel industry is high, at close to 82%, compared to 75.6% across all sectors. The Baymard Institute's 7-year study found that checkout usability has a significant impact on conversion. According to Baymard, the average large site can gain a 35.26% increase in conversions through an improved checkout process.

A customer-centric payment process should include the following key functionalities:

  • Flexible payment options – Online booking sites should accept various payment methods, from traditional credit cards to mobile payment options, supporting the 70% of US digital travelers projected to reserve hotels via a mobile device in 2019.
  • Cross border payments – International travel is set to increase 35% in the coming decade. Online booking sites that accept cross-border payments in the customer's local currency offer a hassle-free payment process, which leads to quicker decisions and faster checkouts.
  • Secure payments – To take advantage of the projected growth in online bookings, travel companies must keep their customers' data safe on their sites.

Online Payment Security Challenges

Affecting both consumers and merchants, online and mobile fraud is a continued concern, valued at $10.7 billion in 2015, according to Juniper Research, and projected to reach $25.6 billion by the end of the decade. The leading sector to suffer from mobile and online fraud will be eRetail, accounting for 65% of all fraud, while airline ticketing is poised to suffer $1.5 billion in fraud related losses in 2020.

The following are some of the common fraud tactics online merchants must be aware of in order to protect their customers and themselves:

  • Identity theft – considered one of the leading forms of fraud, affecting customers and businesses alike. Fraudsters obtain sensitive data that was not properly protected, whether intercepted in transit or taken from a breached database, and use the payment details to make unauthorized card-not-present purchases.
  • Fake travel agent – online fraudsters have been known to sell fake deals, such as travel packages, in the name of legitimate tourism companies. They build convincing fake websites offering these packages, generally at a significant discount, and use online advertising such as Google AdWords to reach unsuspecting travelers. They then harvest the consumer's credit card information for their own fraud, harming the customer as well as the reputation of the travel company being impersonated.
  • Man in the middle attacks – the fraudster positions himself between the user and the application, eavesdropping on the transaction or impersonating one of the parties, and obtains sensitive information such as login credentials and credit card details. Properly configured TLS (HTTPS) across the entire booking flow, not only the checkout page, is the baseline defense.
  • Loyalty fraud – misuse of loyalty programs and hacking of members' accounts to steal or transfer points or miles. The merchant bears the loss of the stolen points, reimbursement and recovery costs, and reduced passenger trust and confidence.
  • Friendly fraud – legitimate orders that are later disputed by the consumer, requiring the merchant to refund the payment (a chargeback). This is often unintentional, for example a consumer forgetting they placed the order, or a child using a parent's card without their knowledge; in some cases, however, it is deliberate. The merchant loses the goods or services already delivered, pays chargeback fees, and must refund the consumer.

Keeping customer data safe from breaches is critical to protecting customers from identity theft. Websites that cannot provide this level of security will lose their customers' trust and expose themselves to financial liability. Encryption of data in transit and at rest, strong authentication, and adherence to the PCI DSS are therefore central to the security strategy of any online travel business.

Chargebacks are a Major Concern for Online Merchants

A chargeback is a forced reversal of a card payment: the customer disputes a transaction with their card issuer, and the issuer, through the card network, pulls the funds back from the merchant's acquiring bank account and returns them to the customer. According to Digital Transactions, there were 14.7 million chargebacks in the US in 2016, costing merchants $5.8 billion, up 21% from 2015. Chargeback fraud represented 42% of all fraud in the US in 2016, according to LexisNexis.

Chargebacks are often legitimate, for example when goods are not received, or in cases of identity fraud in card-not-present transactions. They may also result from friendly fraud, as discussed above, or simply because the customer does not recognize the merchant's name (the descriptor on the card statement). In each case a dispute is opened, and the merchant is charged the full transaction amount, which is refunded to the customer.

The dispute and chargeback process is lengthy, with the issuing bank assessing the validity of the dispute. If the dispute is upheld, the merchant is charged not only the transaction amount but also a chargeback fee. The merchant's reputation suffers as well, since customers may publicize their grievances in reviews, deterring future customers.

To reduce chargebacks, merchants should make sure the descriptor that appears on card statements is identical to, or at least clearly recognizable as, the name on their website. They should send the customer a confirmation when an order is placed and again on delivery, and keep those records as evidence for disputes. Risk management processes that flag known-bad cards, email addresses and IP addresses via blacklists, together with issuer-side checks such as AVS and CVV2 verification and 3-D Secure authentication (which shifts fraud liability to the issuer for authenticated transactions), can significantly reduce the occurrence and cost of chargebacks.

The Payment Card Industry Data Security Standard (PCI DSS) Overview

The Payment Card Industry Data Security Standard, or PCI DSS, is a set of security requirements first released in 2004 by the major card brands, namely Visa, MasterCard, Discover Financial Services, JCB International and American Express. The standard prescribes best practices and security controls to safeguard payment card data.

PCI DSS applies to all system components included in or connected to the cardholder data environment, covering both technical and operational controls. It consists of 12 requirements grouped under 6 goals, as follows:

Goal: Build and Maintain a Secure Network
    1. Install and maintain a firewall configuration to protect cardholder data
    2. Do not use vendor-supplied defaults for system passwords and other security parameters

Goal: Protect Cardholder Data
    3. Protect stored cardholder data
    4. Encrypt transmission of cardholder data across open, public networks

Goal: Maintain a Vulnerability Management Program
    5. Use and regularly update anti-virus software or programs
    6. Develop and maintain secure systems and applications

Goal: Implement Strong Access Control Measures
    7. Restrict access to cardholder data by business need-to-know
    8. Assign a unique ID to each person with computer access
    9. Restrict physical access to cardholder data

Goal: Regularly Monitor and Test Networks
    10. Track and monitor all access to network resources and cardholder data
    11. Regularly test security systems and processes

Goal: Maintain an Information Security Policy
    12. Maintain a policy that addresses information security for employees and contractors

Source: PCI Security Standards Council
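Requirement 3 is where booking back ends most often go wrong in code, so here is a worked example of what it asks for. This Python is added here as an illustration; it is not DPO's code and not published by the PCI SSC. It validates the PAN, keeps at most the first six and last four digits for display (Requirement 3.3), replaces the full PAN with a keyed one-way reference so records can still be matched without storing the card number (Requirement 3.4), drops sensitive authentication data such as CVV2, track data and PIN before anything is persisted (Requirement 3.2), and scrubs PAN-like numbers from log lines. The record layout, field names and the environment-variable key source are assumptions for the example.

```python
"""Added example (not DPO or PCI SSC code): treating card data the way PCI DSS
Requirement 3 expects before a booking record is stored or logged.
Field names, the record layout and the key source are assumptions."""
import hashlib
import hmac
import os
import re

# Sensitive Authentication Data (SAD): never stored after authorization,
# even encrypted (PCI DSS Requirement 3.2).
SAD_FIELDS = {"cvv", "cvv2", "cvc", "track1", "track2", "pin", "pin_block"}

# Assumption: in production the key comes from an HSM/KMS, never source code.
HASH_KEY = os.environ.get("PAN_HASH_KEY", "example-key-do-not-use").encode()

# 13 to 19 digits, optionally separated by single spaces or dashes.
PAN_IN_TEXT = re.compile(r"\b\d(?:[ -]?\d){12,18}\b")


def luhn_valid(pan: str) -> bool:
    """Luhn check: rejects mistyped PANs before they reach the gateway."""
    if not pan.isdigit() or not 13 <= len(pan) <= 19:
        return False
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Requirement 3.3: show at most the first six and last four digits."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def pan_reference(pan: str) -> str:
    """Requirement 3.4: a keyed one-way hash lets records be matched
    (repeat customer, chargeback lookup) without storing the PAN."""
    return hmac.new(HASH_KEY, pan.encode(), hashlib.sha256).hexdigest()


def record_for_storage(card: dict) -> dict:
    """Build the only card-related fields a booking record may keep."""
    pan = re.sub(r"\D", "", card["pan"])
    if not luhn_valid(pan):
        raise ValueError("PAN failed Luhn check")
    # SAD fields are deliberately not copied, whatever the caller passed in.
    return {
        "pan_masked": mask_pan(pan),
        "pan_ref": pan_reference(pan),
        "expiry": card.get("expiry"),
        "cardholder": card.get("cardholder"),
    }


def contains_sad(record: dict) -> bool:
    """Guard to run before any write to a database, queue or log."""
    return any(k.lower() in SAD_FIELDS for k in record)


def redact_log_line(line: str) -> str:
    """Requirement 3 also covers logs: mask anything that looks like a PAN."""
    def _mask(m):
        digits = re.sub(r"\D", "", m.group(0))
        return mask_pan(digits) if luhn_valid(digits) else m.group(0)
    return PAN_IN_TEXT.sub(_mask, line)


if __name__ == "__main__":
    # Constructed input using a well-known Visa test number, not real card data.
    card = {"pan": "4111 1111 1111 1111", "expiry": "12/27",
            "cvv": "123", "cardholder": "A. Traveller"}
    stored = record_for_storage(card)
    print(stored)                    # pan_masked, pan_ref, expiry, cardholder only
    print(contains_sad(stored))      # False
    print(redact_log_line("auth ok pan=4111111111111111 amount=120.00"))
```

The log redaction only masks digit runs that pass the Luhn check, so booking references and amounts are left readable while card numbers are not; a merchant that also needs to recover the full PAN later (for refunds, say) should hold it in the PSP's vault and keep only the reference token, which is exactly the scope reduction a PSP provides.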

PCI DSS applies to any business that stores, processes or transmits payment card data, and merchants are assigned compliance levels by annual transaction volume. Merchants must implement the required controls and validate compliance periodically: at the highest level this means an on-site assessment by a Qualified Security Assessor (QSA), at lower levels a self-assessment questionnaire. All levels must also pass quarterly external vulnerability scans by an Approved Scanning Vendor (ASV).

The following are the four merchant levels as generally defined. Exact definitions differ between card brands (Visa, for instance, counts e-commerce transactions specifically at Levels 3 and 4), so merchants should confirm their level with their acquirer.

Level              Annual transaction volume
PCI DSS Level 1    Over 6 million
PCI DSS Level 2    1 million to 6 million
PCI DSS Level 3    20,000 to 1 million
PCI DSS Level 4    Under 20,000

If a security breach is identified, the card brands may require stricter validation by moving the merchant to a higher level. Non-compliance has further ramifications, beginning with exposure to fraud, which damages the merchant's reputation and can lead to liability for losses, as mentioned above. Rebuilding trust and reputation comes at a cost as well.

Furthermore, if a merchant is found in violation of the standard, the card brands may impose fines, levied on the acquiring bank and typically passed on to the merchant; figures of $5,000 to $100,000 per month are commonly cited. After a breach, the merchant is required to engage a PCI Forensic Investigator (PFI), a significant expense in itself. Finally, and most seriously, the merchant risks losing the ability to accept credit or debit card payments at all, which for an online booking business means being unable to operate.

How to achieve PCI DSS Certification

PCI DSS validation requires ongoing monitoring and reporting. After establishing the level at which the booking site is classified by each card brand, and the resulting validation and reporting frequency, travel companies can engage a Qualified Security Assessor (QSA), often one recommended by their acquiring bank, to assist in achieving compliance.

Compliance, as described by the International Air Transport Association (IATA), is a continuous 3-step process:

  • Assess
      1. Identifying where cardholder data is stored, processed and transmitted
      2. Taking an inventory of IT assets and business processes involved in payment card processing
      3. Analyzing those assets and processes for vulnerabilities
  • Remediate
      1. Fixing the vulnerabilities
      2. Eliminating the storage of cardholder data unless absolutely necessary
  • Report
      1. Compiling and submitting the required reports to the acquiring bank and card brands

Level 1 merchants must submit an annual Report on Compliance (ROC) completed by a QSA or a certified Internal Security Assessor (ISA), together with an Attestation of Compliance signed by a company officer; merchants at the other levels validate with a Self-Assessment Questionnaire (SAQ). All levels must also pass quarterly external vulnerability scans by an Approved Scanning Vendor (ASV).

Because compliance and reporting are complex, managing PCI DSS adherence in-house is difficult and time consuming. The ongoing monitoring the standard requires places a strain on operations, and a company that cannot sustain it drifts out of compliance and remains exposed to fraud.

While self-validation is a burden, companies can reduce most of it by using a PCI DSS Level 1 certified Payment Service Provider (PSP). PSPs let merchants integrate online payment acceptance into their own websites without card data ever touching the merchant's systems. This shrinks the merchant's PCI scope to the shortest self-assessment questionnaire (SAQ A for a fully outsourced hosted payment page) rather than removing the obligation altogether. Leading PSPs also run ongoing blacklist, historical-trend and anti-fraud monitoring, and use scoring algorithms, geolocation and IP tracking to detect account compromise and fraudulent transactions.
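The blacklist-based risk management recommended in the chargeback section and the blacklist, velocity and geolocation monitoring attributed to PSPs above come down to the same thing: scoring each booking against known-bad indicators and the recent history of the same card. The Python below is an added illustration of such a rules engine, not DPO's fraud engine; the thresholds, score weights, field names and the sample bookings are all constructed for the example. It assumes the screening service only ever sees a card reference token, never the PAN, which keeps it outside the cardholder data environment.

```python
"""Added example (not DPO's engine): rules-based screening of booking
payments using the blacklist, velocity and geolocation signals the text
describes. Thresholds, field names and the sample bookings are constructed."""
from datetime import date, datetime, timedelta

# Assumption: this service only ever sees a card reference token (pan_ref),
# never the PAN, which keeps it outside the cardholder data environment.
BLACKLIST = {
    "pan_ref": {"ref-stolen-0001"},      # card refs from prior confirmed fraud
    "email": {"mule@example.net"},
    "ip": {"203.0.113.7"},               # documentation-range address (constructed)
}
VELOCITY_WINDOW = timedelta(hours=24)
VELOCITY_LIMIT = 3          # earlier bookings on the same card within the window
HIGH_VALUE_USD = 2000
REVIEW_THRESHOLD = 50
DECLINE_THRESHOLD = 80


def score_transaction(txn: dict, history: list) -> tuple:
    """Return (score, reasons) for txn given earlier bookings in `history`."""
    score, reasons = 0, []
    # 1. Blacklists: any hit is decisive on its own.
    for field, bad_values in BLACKLIST.items():
        if txn.get(field) in bad_values:
            score += 100
            reasons.append(f"blacklisted {field}")
    # 2. Velocity: a stolen card is typically run many times quickly.
    since = txn["ts"] - VELOCITY_WINDOW
    recent = [h for h in history
              if h["pan_ref"] == txn["pan_ref"] and since <= h["ts"] <= txn["ts"]]
    if len(recent) >= VELOCITY_LIMIT:
        score += 40
        reasons.append(f"{len(recent)} earlier bookings on this card in 24h")
    # 3. Geolocation: country of the client IP vs. the billing address.
    if txn["ip_country"] != txn["billing_country"]:
        score += 25
        reasons.append("ip/billing country mismatch")
    # 4. Card-not-present risk rises with ticket value and short lead time,
    #    since fraudsters want to travel before the cardholder notices.
    if txn["amount_usd"] >= HIGH_VALUE_USD:
        score += 20
        reasons.append("high value")
    if (txn["travel_date"] - txn["ts"].date()).days <= 1:
        score += 15
        reasons.append("last-minute travel")
    return score, reasons


def decide(score: int) -> str:
    if score >= DECLINE_THRESHOLD:
        return "decline"
    if score >= REVIEW_THRESHOLD:
        return "review"      # hold for manual review or step-up verification
    return "accept"


def screen(transactions: list) -> list:
    """Score a batch in time order; each booking sees only earlier ones."""
    history, results = [], []
    for txn in sorted(transactions, key=lambda t: t["ts"]):
        score, reasons = score_transaction(txn, history)
        results.append((txn["id"], decide(score), score, reasons))
        history.append(txn)
    return results


def _booking(bid, ts, pan_ref, ip_country, billing_country, amount, travel):
    """Helper to build a constructed booking record."""
    return {"id": bid, "ts": ts, "pan_ref": pan_ref, "email": f"{bid}@example.com",
            "ip": "198.51.100.4", "ip_country": ip_country,
            "billing_country": billing_country, "amount_usd": amount,
            "travel_date": travel}


T0 = datetime(2017, 5, 1, 9, 0)
# Constructed sample bookings, not real traffic.
SAMPLE = [
    _booking("b1", T0, "ref-a", "KE", "KE", 350, date(2017, 6, 10)),
    _booking("b2", T0 + timedelta(minutes=5), "ref-stolen-0001", "GB", "GB", 400, date(2017, 5, 20)),
    _booking("b3", T0 + timedelta(hours=1), "ref-c", "US", "NG", 2500, date(2017, 5, 2)),
    _booking("b4", T0 + timedelta(hours=1, minutes=10), "ref-c", "US", "NG", 2500, date(2017, 5, 2)),
    _booking("b5", T0 + timedelta(hours=1, minutes=20), "ref-c", "US", "NG", 2500, date(2017, 5, 2)),
    _booking("b6", T0 + timedelta(hours=1, minutes=30), "ref-c", "US", "NG", 2500, date(2017, 5, 2)),
    _booking("b7", T0 + timedelta(hours=2), "ref-d", "FR", "DE", 900, date(2017, 7, 1)),
]

if __name__ == "__main__":
    for bid, outcome, score, reasons in screen(SAMPLE):
        print(f"{bid}: {outcome:7} score={score:3} {', '.join(reasons)}")
```

Run as a script, the sample shows the intended behaviour: the clean booking and the single country mismatch (b7) are accepted, the blacklisted card is declined outright, the first high-value last-minute bookings on card ref-c are held for review, and the fourth use of that card in under an hour crosses the velocity limit and is declined. In practice the weights are tuned against the merchant's own chargeback history, and "review" feeds the manual check or 3-D Secure step-up rather than a silent decline.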

PSPs Offer Numerous Benefits to Travel Companies

In addition to ensuring PCI DSS compliance, PSPs offer numerous benefits to online travel companies, making them an ideal partner for payment acceptance:

  • Hosted payment page – PSPs can offer their payment systems via a hosted payment page, branded to match the vendor's website. Because the customer enters card details on the PSP's page rather than the merchant's, card data never reaches the merchant's servers, which is what keeps the merchant's PCI DSS scope small.
  • Safe and secure payment method – PSPs provide a secure framework not only for accepting payments by customers (B2C), they may also support safe transfer of funds to suppliers (B2B).
  • Mode of payment flexibility – PSPs generally offer a wide range of payment methods. As travel companies and hotels cater to international customers, it is important to offer customers different payment options, allowing them to choose the method with which they are most comfortable. PSPs accept a variety of credit and debit cards, support mobile payments and mobile money, and integrate secure QR code payments as well. PSPs may also enable the vendor to integrate a Mobile Point of Sale application, turning mobile phones into payment registers, further increasing the vendor’s flexibility in accepting payments.
  • Cross border payments – PSPs typically support multiple currencies, enabling booking sites to accept cross-border payments, in the preferred currency of their customer base.
  • Handle chargebacks and risk management – With their focus on security, PSPs perform ongoing risk management assessment, providing their clients with a highly secure platform for accepting payment. PSPs also handle chargebacks, remitting funds when justifiably required.

Key Takeaways

  1. Online travel bookings will dominate the market by 2025.
  2. Customers expect a simple and secure checkout process. Failure to provide this experience could result in abandoned bookings.
  3. All online vendors must be PCI DSS compliant in order to accept credit card payments on their sites. Non-compliance can have serious financial and operational implications.
  4. By working with a Level 1 PSP, travel companies inherit the provider's PCI DSS validation for the card-handling part of the flow and are left with a much reduced assessment and reporting burden of their own, instead of the full, resource-consuming process.
  5. PSPs offer additional advantages to travel companies in the form of:
    1. Flexible payment modes
    2. Cross border payment acceptance
    3. Support for international currencies
    4. Chargeback handling
    5. Increased security
    6. A hosted payment page

Want to start accepting secure online payments? Contact us at DPO for a free demo and consultation!

DPO provides a real-time, cloud-based processing platform, with state-of-the-art technology that supports multiple transaction types with online and offline capabilities. The technology supports all modes of payments, all cards, mobile money, all currencies, mobile apps & card readers. The DPO customer care team provides a single point of contact for you and your end customers. We support all levels of transactions by implementing a unique approach to ensure total conversion.