Why are cybersecurity issues so prevalent in the travel sector?
The tourism industry holds hugely valuable and sensitive data on every traveler, and travel agencies and travel providers must be aware that today’s cybercriminals are devising newer, more sophisticated ways of infiltrating and extracting sensitive customer information from booking websites, internal systems, servers and even mobile platforms.
Online travel booking is accelerating and is an attractive area for cybercriminals. As booking becomes more digitalized and more personal data is shared online, the exposure to security threats increases. Mobile travel apps are also common platforms for OTAs, but they have become popular endpoint targets among threat actors.
Later in this article, we’ll look at some of the insights from key players like MasterCard and Citibank on the benefits and safety assurances offered by tools like virtual credit cards, which we were fortunate enough to hear about at the MarketHub Europe in June, hosted by our parent company HBX Group.
But for now, let’s explore some of the risks associated with data handling, making and processing online transactions, how this impacts you as travel agents, and how Bedsonline comes into play!
Expert Insights on Security in the Travel Industry
Cybersecurity is also something that was hotly discussed at recent industry-leading MarketHub events hosted by our parent company HBX Group, wherein attendees were lucky enough to hear from cybersecurity specialists on the topic.
One of the reasons why cybersecurity risks are so prevalent nowadays is that a whole ecosystem has developed – forget the era of ‘one-man hackers’; ‘CaaS’, cybercrime as a service, is now the new normal.
There is a lot of money to be made from cybercrime, and as Christo Butcher, global lead for threat intelligence at NCC Group and Fox-IT, mentioned at our MarketHub Europe event, the travel sector is a low-hanging fruit in the eyes of many cybercriminals.
‘It’s a very dynamic sector, with lots of parties interacting together, lots changing interactions,’ Christo suggested. And of course, Social Engineering, which we discussed briefly in our article about the top cybersecurity threats, as a method of cybercrime, is very common within the hospitality sector. Social Engineering plays off the nature of the sector, taking advantage of the customer service mindset to manipulate a situation to the benefit of the cybercriminals and at the cost of whichever hospitality business is in their sights.
So, what can be done, especially when it comes to digital bookings?
Data Regulation Compliance
Data regulation gives more control over personally identifiable information and aims to simplify the ‘regulatory environments’ for international businesses dealing with this sensitive data.
UK and EU businesses must operate in compliance with the General Data Protection Regulation (GDPR), while the California Consumer Privacy Act (CCPA) is the US equivalent and the Personal Data Protection Act (PDPA) applies to businesses and data subjects – people – in Asia.
For many travel marketers, data handling compliance is especially relevant when it comes to running marketing campaigns and sending potential customers or existing clients incentivising offers to make a booking, given that this requires the processing, storing and use of customer databases.
Incorporating the core principles and rules of global data protection regulations into your business is critical! These principles include: data minimization, purpose limitation, storage limitation, accuracy, integrity, and security. Make sure to search for your country’s relevant data protection regulation to see the most up-to-date rules.
Sticking to the strict rules laid down by worldwide data protection regulations helps to:
- Ensure data accuracy
- Protect data against unauthorized access
- Empower people to exercise their rights over their own data
How is this linked to travel booking?
Online booking software of any kind involves activities that are considered subject to the wide definition of ‘processing’, including: collecting, recording, storing, using and disclosing data, whether that’s through transmission (sending) or other actions.
From names and contact details to payment information and personal preferences, every single data point that travel agencies collect is subject to data protection regulations.
As travel bookers, it’s vital that you’re processing, storing and using data lawfully and transparently.
Using online booking systems that adhere to these strict rules not only means that you’re meeting global requirements as a travel advisor, and therefore a handler of data, but also ensures the privacy and security of your customers’ data!
Using Safe Providers and Booking Platforms
The use of booking software goes hand in hand with travel agencies – even in brick-and-mortar agencies the booking is completed using an online booking platform.
Our own Bedsonline Booking Engine is an intuitive online travel booking platform used by around 50,000 advisors, securing over 80,000 bookings every day.
So, what are the risks involved with online booking platforms, and how can we ensure that bookings made using travel booking software are secure?
Christo Butcher, our insightful guest speaker at MarketHub Europe, also spoke about this.
Interestingly, though there is potential to hack the booking platform itself, Christo suggested that it’s ‘much more interesting to focus on the weaker links in the chain: the users.’ In an example where you have users who can log into a booking platform, this account is ‘probably much easier to hack than the platform itself’, and once this is compromised, the hacker effectively becomes the hotelier, or provider, with ‘direct access to all guests and travelers via legitimate communication channels.’
This offers the perfect opportunity for hackers to communicate with real-life end customers in a way that appears legitimate, and which becomes a ‘very powerful force multiplier’ in the cybercrime realm. Hacking one account results in profitable scalability.
Not only this, but quite often hacked accounts are then incorporated into a cybercrime ecosystem, and sold to other cybercriminals using web interfaces where hackers can ‘process, filter for, and purchase a subscription to hacked accounts.’
So, how can this be mitigated?
Multi-factor authentication.
Managing the risk involved in stolen or hacked passwords is key! MFA (multi-factor authentication, sometimes also called two-factor authentication) helps reduce the chances of stolen credentials being used to access an account.
Another key risk is third-party security, especially when it comes to travel providers such as Online Travel Agents (OTAs). The issue here, for OTAs, is that income pivots around products which are provided and sold by different suppliers, like airlines, hotels, car rental companies, or travel insurance, just as an example. The combination of this dynamic and changing collection of suppliers, along with the ‘inoperability’ between these businesses – for OTAs – opens a prime environment for hackers.
Surveys say 84% of users would abandon a purchase if data was sent over an insecure connection, and a large majority are concerned about their data being intercepted or misused online.
Virtual Credit Cards and the Reduction of Fraud
Hotels are an active hotspot for credit card fraud; according to a study by Trustwave’s SpiderLabs, of 218 data breach investigations from 24 countries, 38% of the attacks occurred on hotels and, of the data stolen, 98% was credit card information.
Today’s travel and tourism businesses must accommodate a traveler for whom the payment method is such an important factor in the decision-making process that, as Ana Arjones of Mastercard suggested at our most recent MarketHub event, hosted by our parent company HBX Group, ‘if the payment method most desired by the customer is not present on the hotel’s website, 1 in 4 travelers will [go] elsewhere.’
Of course, alongside that, flexible and digital payment methods must account for the risks that come with the digital transfer of sensitive, financial data.
In answer to this challenge, virtual credit cards (VCC) are a tokenized version of the physical payment formats used by millions of people, companies and organizations worldwide.
In a booking-related environment, many travel providers have API connections to banks, and any time a booking is created, a one-time VCC specific to that booking is created.
The virtual card is coded for a specific supplier, amount, and in some travel booking cases or hotel bookings, the check-in and check-out dates associated with that specific reservation. The virtual card therefore can’t be processed for an unauthorized amount, even with the same supplier. Once this payment is processed, the virtual account number becomes inactive and cannot be used again. The result is a payment method that is not only more secure, but that mitigates the risk of fraud.
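The checks described above, as an added example that is not Bedsonline's or any card issuer's code: a minimal Python model of how an issuer could authorize a one-time virtual card. The field names, reason codes, the exact-amount rule and the check-in-to-check-out charge window are assumptions made for illustration, and all sample values are constructed.

```python
from dataclasses import dataclass
from datetime import date
from decimal import Decimal


@dataclass
class VirtualCard:
    """One-time card issued for a single booking (all field names are illustrative)."""
    token: str              # constructed placeholder, not a real card number
    supplier_id: str        # the only supplier allowed to charge the card
    amount: Decimal         # the only amount that may be charged
    currency: str
    check_in: date
    check_out: date
    active: bool = True     # flips to False after the first approved charge


def authorize(card, supplier_id, amount, currency, charge_date):
    """Return (approved, reason) and deactivate the card on approval."""
    if not card.active:
        return False, "card_inactive"
    if supplier_id != card.supplier_id:
        return False, "supplier_mismatch"
    if currency != card.currency or amount != card.amount:
        return False, "amount_mismatch"
    # Assumption: charges are accepted only between check-in and check-out.
    if not (card.check_in <= charge_date <= card.check_out):
        return False, "outside_stay_dates"
    card.active = False     # single use: any later attempt is declined
    return True, "approved"


def demo():
    """Run constructed charge attempts against one constructed card."""
    card = VirtualCard("vcc-demo-0001", "HOTEL-123", Decimal("420.00"), "EUR",
                       date(2024, 7, 1), date(2024, 7, 5))
    attempts = [
        ("HOTEL-999", Decimal("420.00"), date(2024, 7, 2)),  # different supplier
        ("HOTEL-123", Decimal("900.00"), date(2024, 7, 2)),  # same supplier, wrong amount
        ("HOTEL-123", Decimal("420.00"), date(2024, 8, 1)),  # after check-out
        ("HOTEL-123", Decimal("420.00"), date(2024, 7, 2)),  # matches the booking
        ("HOTEL-123", Decimal("420.00"), date(2024, 7, 3)),  # replay of a used card
    ]
    return [authorize(card, s, a, "EUR", d)[1] for s, a, d in attempts]


if __name__ == "__main__":
    print(demo())
```

A card number captured after the approved charge is worthless to a thief, because the replayed attempt is declined even though supplier, amount and dates all match.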
This is incredibly important when you consider that sales made by travel providers on behalf of hotels are a significant industry, with ‘leisure sales made by travel intermediaries valued at around $500 billion,’ as Ana Arjones again suggested.
Virtual Credit Cards and Bedsonline
Virtual credit cards are widely supported and used by many travel product suppliers we partner with at Bedsonline.
Many of our supplier finance management processes hinge on the secure processing of virtual credit card transactions, with an E-Billing system specifically designed for VCC suppliers and the effective, safe management of all VCC payments and transactions.
This means that when you’re confirming a booking as a travel advisor using the Bedsonline Booking Engine, there are layers of security and encryption involved when your customers’ data and payments are being transferred from their bank accounts to the travel product provider!
Implement Security Standards for Payments
The Payment Card Industry Data Security Standard (PCI DSS) is an industry-standard set of rules enforced by major credit card companies which helps to ensure secure processing, storage and sending of credit card information. This impacts every single credit card transaction!
Should a guest use their credit card to pay for something at a hotel, for example – be it a room reservation, spa treatment or coffee – or a traveler use their credit card to secure a booking with you as a travel advisor, PCI DSS applies to that purchase.
As a business, you can also determine your own levels of PCI DSS compliance – which apply to more than just the specific booking platform you use!
When it comes to digital booking, the most important factor is that you’re selecting an online travel booking platform that is fully PCI DSS compliant – like the Bedsonline Booking Engine! We also refresh our PCI DSS certification every year, ensuring that we receive this accreditation through the use of an external Qualified Security Assessor.
But for day-to-day practices that will also ensure that you’re storing and handling data correctly, here are a few pointers:
- Name an owner or champion of PCI DSS compliance within your organization.
- Be proactive: teach staff why data security is important and the impact any breach may have.
- Protect physical data.
- Restrict access to payment or personal data to only staff who require this information to do their job. Use individual logins and access codes to systems.
- Clarify the role vendors play in terms of compliance with data-related standards, and seek PCI DSS compliant partners.
- Secure online booking data: while you may need a paper copy of a reservation, do not print credit card details of customers from your online systems.
While of course this is not an exhaustive list of all the ways that you as travel advisors can try to reduce the risks of cybersecurity threats in today’s digital booking landscape, there’s certainly some food for thought regarding your internal processes, which travel partners you’re using, and the important industry standards that you and your travel partners should comply with to mitigate those risks.