Airlines turn to tokenisation as security strategy for payments

Tokenisation has been flagged up as big trend being deployed to address how airlines  accept the correct local payment methods in the  various markets they serve in order to convert shopping sessions to actual bookings.

Photo - Retail in motion

The ability to accept payments in multiple markets is strategically important for airlines, especially low-cost carriers ( LCCs),. but to also identify the associated fraud effectively.  In response, tokenisation has become a key strategy within the industry, according to industry payment specialists.

Tokenisation has been flagged up as a big trend being deployed to address how airlines accept the correct local payment methods in the various markets they serve in order to convert shopping sessions to actual bookings.

Tokenisation is a technique that allows a carrier to significantly reduce the risk of handling passengers’ payments details. Cyber security breaches are growing and airlines face the real risk of significant fines should passenger card details be compromised (a recent IATA report highlights aviation as the main target for fraudsters due to the high value of the service).

According to experts, tokenisation overcomes this by securely storing the card details in a vault and replacing them with a token (or proxy) that is stored and used in the airline’s own systems. If the token is stolen, it is meaningless and cannot be used to initiate payments. Additionally, if hackers gain access to the airline’s payment system, the stolen tokens cannot be used elsewhere, as they are typically restricted to specific merchants or transactions.

Damian Alonso, head of commercial and partnerships at Outpayce – a business payments specialist – said tokenisation ensures that sensitive customer card details are no longer held on their own systems, and this helps travel companies, and LCCs, comply with Payment Card Industry Data Security Standard (PCI-DSS) requirements by reducing the scope and cost of it.

“Rather than storing the traveller’s original card number (PAN), the travel company can replace it with a token that corresponds to the customer’s card,” Alonso stated. “As a result, bad actors cannot use the token to initiate a payment or decrypt the token  to reveal the traveller’s card details.”

As Alonso alluded, this feature provides additional reassurance to passengers who choose to store their card on file or when making a payment.

Combatting fraud

Alonso believes that tokenisation is relevant for all airlines but is becoming particularly popular with LCCs. “These airlines generate the vast bulk of their sales through their direct digital channels; therefore, they are always looking for ways to improve the experience in that channel and overall reduce costs,” he said.

Due to its complexity, high transaction values and cross-border nature, the travel industry is a primary target for fraud and cyber-attacks. According to its own research, Outpayce has identified fraud and cyber security as the  second biggest challenge after the overall cost of payments.

“When it comes to digital payments, fraud risk is a primary cause of financial damage and reputational harm for airlines,” and Alonso reckons having tokenisation in place immediately eliminates sensitive data exposure, whilst limiting the amount of work the airline needs to undertake PCI-DSS compliancy.

Similarly, LCCs are very focused on delivering a low-friction digital experience that drives conversion and sales of ancillary products. Alonso explained: “Tokenisation is extremely helpful here because the airline can keep  a token on file, so when that traveller returns to the website, they can elect to pay in a simpler way reducing card details mistakes and false declines.”

These days, fraudsters have sophisticated techniques to intercept sensitive payment data. For instance, scammers can create fake websites that list heavily-discounted airline tickets, or even  pose as legitimate airlines.

In response, Alonso said tokenisation is a preventative solution meant to keep the traveller’s card details secure during their interaction with a legitimate airline that has the solution in place and ensuring that even if the airline is breached the card details are not compromised and cannot be used.

Security conscious

Most systems tend to have several  layers of security to secure digital payments and rarely work in a silo. Alonso said tokenisation solutions can be deployed standalone, or as part of a suite of integrated solutions.

“There are several other security measures airlines require to meet PCI-DSS requirements and to effectively secure payment transactions,” he indicated. According to Alonso, these include a 3D secure solution to ensure strong customer authentication (SCA) when required. This suggests the user is the legitimate cardholder initiating the purchase, typically using a second factor of authentication like a one-time passcode.

Similarly, Alonso advises airlines to implement a fraud management system that can screen all the payment transactions running through its systems to spot anomalies or potential fraud. “The trick here is harnessing  vast amounts of data and understanding travel purchasing behaviour,” he suggested. Supposedly, this makes it possible to further determine more accurate results in identifying fraud, while reducing chargebacks that represent one of the highest volume losses for airlines.

“It also enables airlines to identify false positives that would result in a legitimate purchase being declined or interrupted, which ultimately impacts revenue,” he added.

An important factor that Alonso mentions is that airlines can also benefit from adapting their fraud management screening to the different markets, for instance decreasing  fraud checks in lower risk markets. The same applies when entering new markets with higher fraud risks, so security is adjusted accordingly.

“It can be complex for airlines to access, implement and manage all the various different systems needed to ensure secure, efficient and friction free payments,” Alonso commented. He said, the key role at Outpayce is provisioning an “orchestration platform,” which allows airlines to access hundreds of different payments partners easily through a single connection.

He believes centralising payments in this way allows airlines to analyse the performance of their payments set-up, easily swap partners if needed and also to route different transactions in the most efficient way to lower cost and improve acceptance rates.

“That’s why payments orchestration is emerging as the number one trend in airline payments, it acts a little like a central nervous system, taking decisions and ensuring payments are handled according to the airline’s  strategy,” Alonso remarked.

Sign up for our newsletter and get our latest content in your inbox.

More from