What Is PCI DSS: Definition, Meaning, Examples

PCI DSS

PCI DSS (Payment Card Industry Data Security Standard), commonly known as PCI Compliance, is an extensive set of information security standards required by the major card schemes (Visa, MasterCard, American Express, Discover, and JCB) to ensure that every organization that accepts, processes, stores, or transmits credit card information maintains a secure environment. In the travel industry, where high-value, card-not-present transactions are standard, following these standards is not optional but a precondition for processing payments.


Cost of Compliance

The concept at the core of PCI DSS is Scope. The Scope encompasses any system, person, or process that comes into contact with card data.

  • In Scope: If a travel agent writes a credit card number on a Post-it note or an airline stores a customer’s credit card number in a simple text database, those environments are “in scope,” and they must be subjected to rigorous and expensive security audits.
  • De-scoping: Smart travel technology companies want to de-scope their systems. They architect their software to ensure the raw credit card number (PAN) does not even come into contact with their own servers. Instead, it goes directly from the customer browser to the payment gateway.

Tokenization as a Technical Solution

To de-scope while still supporting refunds and recurring billing, the industry uses a technique called tokenization.

When the traveler inputs their card details, the payment gateway (such as Stripe or Worldpay) intercepts the data and replaces the sensitive 16-digit PAN with a unique, random string of characters called a Token. The travel agency does not store the card number; it stores only the Token (e.g., tok_123abc) in its database. If the agency needs to charge the card again (e.g., for a seat upgrade), it sends the Token to the gateway, which matches the Token to the actual card number and charges accordingly. If attackers break into the travel agency's database, they steal worthless tokens, not credit card numbers.
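The flow above, as an added example that is not code from the original page or from any payment provider: a hypothetical PaymentGateway holds the card numbers and issues tokens, while a hypothetical TravelAgency stores only tokens, so a copy of the agency database contains no PAN. The class names, token format, booking records and the sample card number are all constructed for illustration.

```python
"""Added example, not code from the original glossary page or from any
payment provider. It models the tokenization flow the text describes: the
gateway (hypothetical PaymentGateway) holds PANs and issues tokens; the
agency (hypothetical TravelAgency) stores only tokens, so a stolen agency
database yields no card numbers. Names, token format and sample card are
constructed."""
import hmac
import secrets
from dataclasses import dataclass, field


class PaymentGateway:
    """Gateway vault (in PCI scope): maps opaque tokens to card numbers."""

    def __init__(self) -> None:
        self._vault: dict[str, str] = {}  # token -> PAN; the CVV is never stored

    def tokenize(self, pan: str, cvv: str) -> str:
        """Authorize once with PAN + CVV and return a token. The CVV is
        validated for this call only and deliberately not retained."""
        if not pan.isdigit() or not 13 <= len(pan) <= 19:
            raise ValueError("malformed PAN")
        if not cvv.isdigit() or len(cvv) not in (3, 4):
            raise ValueError("malformed CVV")
        token = "tok_" + secrets.token_urlsafe(16)  # random, not derived from the PAN
        self._vault[token] = pan
        return token

    def charge(self, token: str, amount_cents: int) -> bool:
        """Charge the card behind a token; the caller never learns the PAN."""
        return token in self._vault and amount_cents > 0

    def token_references(self, token: str, pan: str) -> bool:
        """Vault-side check that a token maps to a given PAN (constant-time)."""
        return hmac.compare_digest(self._vault.get(token, ""), pan)


@dataclass
class Booking:
    booking_ref: str
    traveler: str
    card_token: str                 # opaque; worthless without the gateway
    charges: list[int] = field(default_factory=list)


class TravelAgency:
    """Merchant side (de-scoped): no field anywhere can hold a PAN or CVV."""

    def __init__(self, gateway: PaymentGateway) -> None:
        self.gateway = gateway
        self.bookings: dict[str, Booking] = {}

    def book(self, ref: str, traveler: str, token: str, amount_cents: int) -> Booking:
        """Create a booking from a token the customer's browser obtained
        directly from the gateway; the PAN never transits the agency."""
        if not self.gateway.charge(token, amount_cents):
            raise RuntimeError("initial charge declined")
        booking = Booking(ref, traveler, token, [amount_cents])
        self.bookings[ref] = booking
        return booking

    def charge_extra(self, ref: str, amount_cents: int) -> bool:
        """Later charge (seat upgrade, change fee) using only the stored token."""
        booking = self.bookings[ref]
        ok = self.gateway.charge(booking.card_token, amount_cents)
        if ok:
            booking.charges.append(amount_cents)
        return ok

    def database_dump(self) -> str:
        """Everything an attacker who copies the agency database would obtain."""
        return "\n".join(
            f"{b.booking_ref},{b.traveler},{b.card_token},{b.charges}"
            for b in self.bookings.values()
        )


def demo() -> dict:
    """Run the full flow and report what ended up where."""
    gateway = PaymentGateway()
    agency = TravelAgency(gateway)
    sample_pan, sample_cvv = "4111111111111111", "123"  # constructed test card
    token = gateway.tokenize(sample_pan, sample_cvv)     # browser -> gateway
    agency.book("BK1001", "A. Traveler", token, 45000)   # token -> agency
    upgraded = agency.charge_extra("BK1001", 3500)       # seat upgrade, months later
    return {
        "token_prefix_ok": token.startswith("tok_"),
        "upgrade_charged": upgraded,
        "pan_in_merchant_db": sample_pan in agency.database_dump(),
        "token_maps_to_pan": gateway.token_references(token, sample_pan),
        "charges": agency.bookings["BK1001"].charges,
    }


if __name__ == "__main__":
    print(demo())
```

The design point is structural: the Booking record has no field that could hold a PAN or CVV, so de-scoping does not depend on staff remembering a rule. The token is random rather than derived from the card number, which is why it is worthless outside the gateway's vault.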

The CVV: Forbidden Data

One of the most stringent PCI DSS requirements concerns the CVV/CVC (the number on the back of the card, usually 3 or 4 digits). You may need the CVV to authorize a transaction at the moment of payment, but you must never store it once authorization is complete.

This creates a challenge for travel agents. If, for example, a hotel requires a CVV to guarantee a booking for next month, the agent cannot, under any circumstances, write it down or save it in the GDS profile. They must instead use dedicated Credit Card Authorization Forms or secure links to collect it at the time the payment is made.
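The storage prohibition above is easiest to enforce when it is also checked. The following added example (not from the original page) is a small detective control that scans free-text records such as GDS profile notes or support tickets for card data that should not be there: Luhn-valid runs of 13 to 19 digits are flagged as possible PANs, and fields labelled CVV/CVC followed by 3 or 4 digits are flagged as stored security codes. The sample records are constructed; the card numbers in them are well-known test numbers, not real accounts.

```python
"""Added example, not from the original page: a detective control that scans
stored records (GDS profile notes, support tickets, logs) for card data that
must not be retained. Sample records are constructed. It flags Luhn-valid
13-19 digit sequences as possible PANs and CVV/CVC-labelled fields."""
import re

# Digits optionally separated by single spaces or dashes, 13-19 digits in total.
_PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")
# A security-code label followed by 3 or 4 digits.
_CVV_FIELD = re.compile(
    r"\b(?:cvv2?|cvc2?|cid|security\s*code)\b\s*[:=]?\s*(\d{3,4})\b", re.I
)


def luhn_valid(digits: str) -> bool:
    """Luhn mod-10 check used by card numbers; rejects most random digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_pans(text: str) -> list[str]:
    """Return Luhn-valid PAN candidates found in text, separators removed."""
    hits = []
    for m in _PAN_CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if 13 <= len(digits) <= 19 and luhn_valid(digits):
            hits.append(digits)
    return hits


def find_cvvs(text: str) -> list[str]:
    """Return security codes that appear next to a CVV/CVC-style label."""
    return [m.group(1) for m in _CVV_FIELD.finditer(text)]


def mask_pan(pan: str) -> str:
    """Report only the last four digits so the finding itself is not card data."""
    return "*" * (len(pan) - 4) + pan[-4:]


def scan_records(records: list[str]) -> list[dict]:
    """Scan each record and return findings safe to put in an audit report."""
    findings = []
    for idx, rec in enumerate(records):
        for pan in find_pans(rec):
            findings.append({"record": idx, "type": "PAN", "value": mask_pan(pan)})
        for _cvv in find_cvvs(rec):
            findings.append({"record": idx, "type": "CVV", "value": "***"})
    return findings


# Constructed sample records imitating free-text notes an agent might leave.
SAMPLE_RECORDS = [
    "Guest J. Doe, hotel guarantee, card 4111 1111 1111 1111 exp 12/29 cvv 123",
    "Booking BK1001 paid with token tok_8f3kq2 - no card data retained",
    "Order 1234567890123 shipped",                  # 13 digits but fails Luhn
    "Phone 555-0100, loyalty no 378282246310005",   # a 15-digit test card number
]

if __name__ == "__main__":
    for finding in scan_records(SAMPLE_RECORDS):
        print(finding)
```

The Luhn filter is what keeps the scanner usable: order numbers and phone numbers of the right length are dropped unless they happen to pass the checksum, while a card number hidden in a field labelled "loyalty no" is still caught. Findings carry only a masked PAN and never the CVV, so the audit report does not itself become in-scope data.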

Frequently Asked Questions

Who enforces PCI DSS?

It is not government law but a contractual requirement enforced by the PCI Security Standards Council (PCI SSC). If a non-compliant merchant suffers a breach, the card brands can fine them heavily ($5,000 to $100,000 a month) or revoke their ability to accept credit cards entirely.

What are the levels of compliance?

Merchants are tiered by transaction volume.

  • Level 1: Processing more than 6 million transactions per year (e.g., major airlines, OTAs). Requires an on-site audit by a QSA (Qualified Security Assessor) every year.
  • Level 4: Small businesses (such as boutique travel agencies). Requires a self-assessment questionnaire (SAQ).

Is using PayPal PCI-compliant?

It makes compliance easier but does not exempt you. Using a third-party processor (like PayPal) takes much of the technical load off your shoulders, but you still need to make sure that your own physical environment (e.g., not writing passwords on sticky notes) is secure.
