The Planet Guide to Payments and Tokenization for Airline Retailing

The air travel industry is evolving fast, and with millions of transactions processed daily, airlines are prime targets for cybercriminals. Protecting passenger payment data is crucial for revenue, trust, and brand reputation.

High-profile breaches involving Delta, Cathay Pacific, and British Airways underscore the importance of robust security. The Payment Card Industry Data Security Standard (PCI DSS) is the key framework, and version 4.0 introduces 64 new requirements for airlines.

Payment compliance is complex and requires a proactive, organisation-wide approach. The involvement of multiple third-party vendors increases security risks, making the system more vulnerable. Independent token systems, or token vaults, reduce this risk by securely managing card information on behalf of airlines.

Tokenization replaces sensitive payment data with a unique token, improving security and streamlining compliance. It removes sensitive data from airline networks, minimising the cost and burden of PCI DSS assessments.

What is Tokenization?

Used by around two-thirds of businesses globally, tokenization substitutes data like primary account numbers (PANs) or CVV codes with non-sensitive tokens, which are stored in a secure token vault. Tokens are meaningless without access to this vault. 

Token Types 

  • Single-use tokens: Valid for one transaction; more secure. 
  • Multi-use tokens: Reusable; convenient for recurring payments. 

Format Types 

  • Format-preserving: Retain original data structure; ideal for seamless system integration. 
  • Non-format preserving: Differ from the source data; can include special characters and varied lengths. 

Tokenization boosts security, raises authorisation rates, and builds trust between airlines and passengers, which is increasingly important.

Types of Token Sponsors 

  • Payment gateways: Built-in tokenization, but tokens only work within that gateway. This can cause vendor lock-in. 
  • Card schemes: Visa, Mastercard, etc., offer more flexibility and security but are harder to integrate and require certification. 
  • Universal token vaults: Offer broad compatibility across providers and reduce vendor lock-in. They combine the benefits of other token types, though setup is more complex. 

Universal Token Vaults: How They Work 

Airlines use these to collect, store, and process data across all interfaces. Sensitive data is tokenised before reaching airline servers using APIs or proxy servers. 

Collect 

Tokens are created through web, mobile, or server-side methods, never exposing sensitive data to airline systems. 

Use 

The token is used during transactions, and the vault converts it back to the original data before it reaches the payment processor. This ensures compatibility with all integrated systems. 
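
The collect and use steps above, as an added Python example that is not PCI Proxy's code or API. The `TokenVault` class, its method names, and the convention of keeping the last four digits in a format-preserving token are assumptions for illustration; the card number is the widely published Visa test number.

```python
import secrets


class TokenVault:
    """In-memory stand-in for the vault; airline systems only ever hold tokens."""

    def __init__(self):
        self._store = {}  # token -> (pan, single_use)

    @staticmethod
    def _random_digits(n):
        return "".join(secrets.choice("0123456789") for _ in range(n))

    def tokenize(self, pan, single_use=False, format_preserving=True):
        """Collect: swap the PAN for a random token with no mathematical link to it."""
        if not (pan.isdigit() and 13 <= len(pan) <= 19):
            raise ValueError("PAN must be 13-19 digits")
        while True:
            if format_preserving:
                # Same length, digits only; last four kept for display (assumed convention).
                token = self._random_digits(len(pan) - 4) + pan[-4:]
            else:
                # Different length and alphabet from the source data.
                token = "tok_" + secrets.token_urlsafe(24)
            if token not in self._store and token != pan:
                break
        self._store[token] = (pan, single_use)
        return token

    def detokenize(self, token):
        """Use: the vault restores the PAN on the way to the payment processor."""
        pan, single_use = self._store[token]  # KeyError: unknown or spent token
        if single_use:
            del self._store[token]  # a single-use token is valid for one transaction
        return pan


if __name__ == "__main__":
    vault = TokenVault()
    test_pan = "4111111111111111"  # constructed input: public test card number
    multi = vault.tokenize(test_pan)  # multi-use, format-preserving
    single = vault.tokenize(test_pan, single_use=True, format_preserving=False)
    print("airline stores:", multi, single)
    print("processor receives:", vault.detokenize(multi), vault.detokenize(single))
    try:
        vault.detokenize(single)
    except KeyError:
        print("single-use token rejected on second use")
```

Because the token is drawn at random rather than computed from the PAN, the only route back to the card number is the vault's lookup table, which is why access to the vault is the asset to protect.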

Top Challenges Solved by Universal Token Vaults 

PCI DSS Compliance 

Universal token vaults significantly reduce PCI scope and audit burden. Since sensitive data isn’t stored by the airline, many assessment requirements no longer apply. 

Data Breaches and Fraud 

A stolen token is useless to an attacker without access to the vault, since it can’t be reverse-engineered into the original card data. This helps prevent large-scale breaches like those seen in major airlines. 

Managing Complex Airline Payments

Airline payments involve multiple channels (e.g. GDS, NDC, mobile, in-flight, call centres) and service providers. A universal token vault centralises token management and allows seamless integration across all partners.  

To learn more about tokenization and how universal token vaults help airlines optimise payment strategies, reduce fraud risks, and enhance customer satisfaction while staying compliant with industry regulations, download the full Payments and Tokenization for Airline Retailing e-book. 

*** 

This has been republished with permission from PCI Proxy from Planet.

About PCI Proxy
At PCI Proxy, a division of Planet, we have led the way in payment tokenization for more than 24 years. Our fully provider-agnostic token vault, with built-in network token capabilities, empowers businesses across the globe to handle and manage payment data more effectively amongst payment providers and third parties. 

*** 

PCI Proxy is a member of our Token Vault Panel 
