Ai Editorial: Relying on cloud for omnichannel payment processing

First Published on 14th October, 2016

Ai Editorial:  The cloud security set up needs to be payment processor agnostic, tokenize and secure all data types plus manage data in an omnichannel environment, writes Ai’s Ritesh Gupta


Optimizing payments-related infrastructure requires one to excel on many fronts.

Be it for data privacy and data security challenges, the simplicity and speed at which an airline process their business payments and transactions, accepting varied form of payment methods or ensuring the entire set up doesn’t hamper the travel shopping experience by keeping everything under design control, a lot needs to be done. Every facet has its significance, and airlines can’t afford to slip on any account.

Cloud-based set up for processing of payments

Airlines, just like any organization in the arena of digital commerce, need to keep place with telling changes in the enterprise IT environment.

Talking of payments, cloud computing is an attractive proposition, and this is owing to several benefits – curtailing expenditure, cost cutting etc.

But is cloud secure for payment processing?

This is a vital conundrum to solve as no airline or any travel organization would imagine being a victim of any sort of fraud or even a data breach.  No matter how strong the infrastructure is for processing of payments, airlines and other travel merchants can always be jittery when it comes to trusting a 3rd party vendor with key details such as traveller’s credit card information, with the perception that data must be stored in-house in order to handle chargebacks etc. When one talks of drifting away from on-premise software solution for processing, there would always be some level of reluctance. There is a need to evaluate potential risks in a shared environment.  As observed over a period of time, cloud data-centre security is being labelled as more vigorous than that of on-premise legacy servers. As a result, cloud-based software is gaining prominence.

WEX Travel, a provider of virtual payment solutions to the travel industry, in one of its recent blog postings, did refer to apprehensions about cloud specialists’ ability to “keep data secure” as a major roadblock that hinders shifting of processing to the cloud. As WEX also acknowledges, cloud providers “devote more resources to security”, but still there is need to verify the plans for storing data at the cloud.  

It needs to be highlighted that the utility of cloud computing is on the rise. Payment specialists are looking at delivering seamless omnichannel payment processing within a single payment solution. This week Adyen announced that for the first time, merchants “can enable credit card payments, manage complex alternative payments, offer fraud solutions and conduct EMV card-present solutions globally over a single interface delivered entirely in the cloud”. Adyen says with this move, one can avoid costly systems integration, data reconciliation is in real-time, and the offering is payment method agnostic.



Cloud-based payment tokenization

Cloud-based payment tokenization lays a strong foundation and ensures that an organization’s sensitive data doesn’t get stolen from their business systems.

Tokens can feature in transactions involving debit and credit cards, loyalty cards; cloud-based payments; e-commerce and m-commerce payments - card-on-file data.

By tokenizing sensitive data, you remove it from your environment, reducing scope and compliance.

Also, airlines can’t afford to work with specialists that only tokenize payment data, and leave other sensitive data streams.

Importantly, tokens (essentially results from a procedure in which a sensitive data field, Primary Account Number or PAN from a credit or debit card, is swapped with a proxy value named as token) can pave way for accomplishing compliance with requirements that specify how sensitive data needs to be handled and secured by companies in order to adhere to guidelines such PCI DSS.

The proxy value or tokens cannot be upturned to their primary values without retrieving the original set up that relates with their original values. Such key information is kept in a secure location inside a company’s firewall. Only cloud tokenization erases toxic data out of PCI, PHI, and PII scope. (In comparison, when we talk of encryption, the surrogate can be reversed to the original value via the use of a “key”).

Travel companies need to assess the efficacy of the chosen cloud security offering, especially in terms of taking care of most of the scope of PCI Compliance by eradicating payment details from enterprise systems and substituting it with surrogate value or token; capturing payment data prior to its entry into systems and storing the PANs in data vaults, returning tokens to systems; replacing tokens from systems and transmitting PANs to payment processors and service partners; batch processing PAN files into tokens and securely vaulting the PANs.

Speed is of essence, too.

In today’s fast paced shopping environment, microsecond latency counts.

The time taken to transforming PAN to token and back to PAN needs to be done in a swift manner, and this shouldn’t have any sort of negative impact on payment processing.

Being savvy

As WEX highlighted, airlines need to curtail the level of detailed information an entity needs to store. Plus, restrict staff’s access to such data.

Also, when it comes to paying vendors with Virtual Card Numbers (VCNs) one doesn’t need to be aware of bank account information and don’t need to protect their sensitive information. WEX stated that VCNs also mean that your own account information is safe whether you or the vendor tracks and processes payments in the cloud. “Because VCNs can be used only once, even if there’s a breach, as has happened with hotel chains including Hilton, Marriott, and others, there’s no risk of fraudulent transactions,” highlighted the company in its blog.


Follow Ai on Twitter: @Ai_Connects_Us