By reducing their exposure to cyber-attack, travel companies can reduce both the cost of security and the consequences of falling victim to an attack. Merchants that do not comply with PCI-DSS and then have cardholder data stolen may be fined. In severe cases a merchant can even be given the ‘Death Penalty’: the loss of the right to accept payment cards at all. On top of that, the payment brands may, at their discretion, fine an acquiring bank $5,000 to $100,000 per month for PCI compliance violations; typically, the acquirer passes these fines on to the non-compliant merchant.
Achieving and maintaining compliance with PCI-DSS is surprisingly difficult and expensive. Verizon, which assesses companies against the standard, reports that only 20% of the companies it tested were fully PCI-DSS compliant.
Being able to demonstrate PCI-DSS compliance clearly can give merchants a competitive advantage. As well as being good practice for any business that handles sensitive card data, PCI-DSS is used by the card schemes to ensure that their members maintain good security practice. For example, Visa Europe has set a deadline for acquiring banks using its network: all airline merchants must be fully compliant with the Payment Card Industry Data Security Standard by 31 December 2017.
The cost of compliance will be different for each travel company, so it is important to build a true picture of the total cost of ownership of compliance. To do this, travel companies should consider the following areas:
- Infrastructure: Additional IT hardware and software for encryption, anti-virus, firewalls, intrusion detection, log management, and more, with associated purchase, licensing, installation, migration and integration, upgrade, operation and support costs.
- Services: Consulting, assessment and regular vulnerability scanning services, as well as education during change-management activities. Given how fast-paced the security market is, it’s important to factor in ongoing upgrades and changes to security frameworks.
- Staff time: IT and business staff will devote some, or even all, of their working week to planning, implementing, reporting on and auditing PCI-DSS controls instead of their ‘day job’.
Once an organisation understands the cost of upgrading and maintaining its IT systems and processes to ensure PCI-DSS compliance, the next question should be how to reduce that cost. Modern IT systems are large, complex and highly integrated, which makes becoming and remaining compliant more expensive: every system that stores, processes or transmits cardholder data, or is connected to one that does, falls within the scope that must be secured and assessed.
See our Safeguarding information systems whitepaper for more on payment security.