Trust is a huge challenge when it comes to international payments security.
Traditionally, consumer card details have been handed over to a booking agent, then to an airline or a hotel receptionist.
Unfortunately, fraudulent activity could happen at any stage.
In recent months, major travel companies have fallen victim to hacking or data theft. Some of the most recent examples:
- British Airways announced that data relating to 380,000 transactions had been stolen, including bank card numbers, expiration dates and CVV codes (September 2018).
- Cathay Pacific airline suffered a hack affecting up to 9.4 million passengers’ personal data (October 2018).
- Marriott’s massive data breach compromised up to 500 million Starwood guests’ personal data over the course of four years (November 2018).
The travel industry is especially vulnerable to exploitation due to the rapid pace of transactions, the large number of suppliers and its inherent global nature.
Still, online travel agencies can help protect their customers’ card details and reduce their own exposure to negative publicity by making sure they’re using the merchant model predominately.
In the merchant model, the consumer pays the OTA directly.
Rather than passing the customer’s information all the way through the ether of the payments process, the OTA can accept payment from the traveler and use another payment method to pay the hotel or the airline for the transaction.
The common alternative that some OTAs use is the agency model, in which case no payment is taken by the OTA but the card details are passed through to the hotel or airline upon booking.
In this scenario, if the hotel or airline’s data is hacked, the traveler’s personal card information could be vulnerable.
Improving information security has had a real resurgence thanks to the EU’s General Data Protection Regulation.
The GDPR’s ripple effect has impacted the U.S. as well with new research showing Americans are increasingly concerned about the U.S. sharing personal data with companies overseas.
Since May 2018, GDPR has protected the EU citizens’ personal details from being shared, stored and used without the consumer’s consent.
Use of the merchant model could become a competitive advantage for OTAs as travelers become more and more savvy about making sure their credit card information isn’t bouncing around the world more than they are.