Ai Editorial: What is being done to avoid stealing of payment card data?

First Published on 19th June, 2017

Ai Editorial: Protection of payment card data is becoming a vital issue as businesses across various sectors, including travel, are facing such attacks, writes Ai’s Ritesh Gupta


How safe are you when you make payment at the airport? Is the credit card payment in a common-use environment at airports sturdy enough to avoid a breach as of today? Are airlines being guarded against the dreadful point-of-sale-based malware?

These are critical questions that airlines and other stakeholders in the travel sector need to delve into. The pace with which credit card-related data breaches are taking place and what is being done to curb the same is one intriguing race to watch out for in the world of payments, security and fraud. Hackers, fraudsters etc. need to be stopped and the damage needs to be minimized, as the malice of data breaches is everywhere, across various sectors.

In a recent post on their blog, cyber security specialist Foregenix, referring to the risk associated with credit card details, mentioned that average time it takes to discover such an attack or violation is around six months. Considering the impact of fines such as Visa imposing payment of up to 18€ per customer card lost, waging a battle against breaches can be an arduous task.

Breaches all around

A major mishap is related to point-of-sale based malware.

It has resulted in maximum credit card-related breaches. In the last few weeks only, there have been several reports related to credit card-related breaches: US-based retailer Buckle has been in news for being a victim of a security incident in which a criminal entity accessed some guest credit card information following purchases at some of their retail stores. The company’s store payment data systems were infected with a form of malicious code. The company acknowledged that certain credit card numbers might have been compromised. In late May, Chipotle Mexican Grill identified the operation of malware designed to access payment card data from cards used on point-of-sale devices at certain restaurants.  According to the company, the malware searched for track data read from the magnetic stripe of a payment card as it was being routed through the POS device.

Earlier this year, InterContinental Hotels Group also acknowledged the case of a malware searching for track data (which sometimes has cardholder name in addition to card number, expiration date, and internal verification code) read from the magnetic stripe of a payment card. It was being routed through the affected hotel server.

These cases can prolong for years, and result in a hefty fine. Recently ,Target was involved in a settlement worth $18.5 million related to a data breach in 2013.

Stringent measures

Travel companies have to ensure that the cardholder data remains encrypted at all times and at every “hop” across the electronic transaction.

According to specialists, such code is generally set up via attack on remote administration tools. Once malware comes into action, hackers or fraudsters can remotely garner important details from each card swiped at that cash register. Then the same is sold to those who can encode the stolen data.

Airlines, airports and associated stakeholders are moving forward, facilitating commerce as well as putting measures in place.

A major highlight is use of point-to-point encryption to protect customer data.

This technology is capable of ensuring that account data cant be breached in any illegal way or suspicious parties. The payment card data is encrypted at the point of acceptance and is said to be safe even if stolen or until it reaches where it is supposed to.  Also, it can streamline compliance with PCI DSS necessities for airlines and airports by cutting down on addressable needs during a PCI security assessment.

Overall, encryption technology for chip, magnetic stripe and contactless card payment transactions is thoroughly tested to curtail the possibility of any breach.

All of this becomes important as airlines tend to accept payments at airports via a shared IT infrastructure.

There is a also need to look into developments such as General Data Protection Regulation.

New developments

As for airlines, security, based on latest industry standards and technology, is only one aspect of the whole initiative that needs to be taken. For instance, making it convenient for customers to buy any ancillary offering is a revenue generation-opportunity. This has remained a challenge for airlines since there are shared check-in desks and these cannot adjust to certain payment needs of multiple airlines and ground handlers. If we look at the infrastructure at the airport, airlines can end up accepting payments at common-use check-in desks, kiosks and bagdrop areas for baggage fees, upgrades and other ancillary charges.  Plus, airlines also seek better control over the process, that generally entails multiple stakeholders when one transaction is completed.

The industry is moving in the right direction going by two of the latest developments in the last month.

Recently, SITA came up with an offering point-to-point encryption technology, with EMV and PCI compliant chip card payment terminals, applications and processes. With this solution, as SITA says, there is provision for several merchants to avail the same terminal. The PCI compliance certification requires an end-to-end security review by each airline of its own full payment process.

Lufthansa Group, in conjunction with Amadeus and Ingenico, worked on a new option to allow passengers to pay for ancillary services with chip-cards (credit/debit cards), compatible digital wallets etc. at the check-in counter.   According to Amadeus, “airlines and ground handlers can now reach any passenger with an EMV chip card or an EMV-compliant mobile wallet in any airport worldwide, regardless of the check-in infrastructure”.

Other than being compatible with security standards, the new offering, Amadeus Airport Pay, that Lufthansa is using also gives the group control over its payment infrastructure. 

These are all positive developments that would ensure passengers can transact in a much more safer environment, plus they are also being given the flexibility of buying a travel-related offering within the airport environment.


Discuss and learn about emerging developments at the upcoming 6th Airline & Travel Payments Summit Asia-Pacific, to be held in Bali this year (29 – 31 August, 2017).

Follow Ai on Twitter: @Ai_Connects_Us