Why are cybersecurity issues so prevalent in the travel sector?
The tourism industry holds hugely valuable and sensitive data on every traveller, and it is crucial for travel agencies and providers to recognise that cybercriminals are constantly developing advanced techniques to access and steal this information from booking websites, internal systems, servers, and mobile platforms.
The rise of online travel booking has created new opportunities for cybercriminals. With the increasing digitalisation of booking processes and the sharing of personal data online, the risk of security threats has also grown. Mobile travel apps, which are widely used by online travel agencies, have become prime targets for threat actors.
In the following sections of this article, we will delve into the insights shared by industry leaders such as MasterCard and Citibank regarding the advantages and security measures provided by virtual credit card tools, which were highlighted at our MarketHub Europe event in June, hosted by our parent company HBX Group.
However, let's first examine the potential risks involved in managing, creating, and processing online transactions, the implications for travel providers like yourself, and the role that Hotelbeds plays in this landscape.
During recent industry-leading MarketHub events hosted by our parent company HBX Group, cybersecurity was a key topic of discussion. Attendees had the privilege of hearing from cybersecurity specialists during these events.
One of the reasons why cybersecurity risks are so prevalent nowadays is that a whole ecosystem has developed. Forget the era of ‘one-man hackers’: cybercrime has become ‘CAAS’, cybercrime as a service.
There is a lot of money to be made from cybercrime, and as Christo Butcher, global lead for threat intelligence at NCC Group and Fox-IT, mentioned at our MarketHub Europe event, the travel sector is a low-hanging fruit in the eyes of many cybercriminals.
"It's a highly dynamic sector with multiple stakeholders involved and constantly evolving interactions," Christo pointed out. Social Engineering, a method of cybercrime discussed in our article on top cybersecurity threats, is particularly prevalent within the hospitality industry.
Social Engineering plays off the nature of the sector, taking advantage of the customer service mindset to manipulate a situation to the benefit of the cybercriminals and at the cost of whichever hospitality business is in their sights.
So, what can be done, especially when it comes to digital bookings?
Data regulation gives more control over personally identifiable information and aims to simplify the ‘regulatory environments’ for international businesses dealing with this sensitive data.
UK and EU businesses must operate in compliance with General Data Protection Regulation (GDPR), while the California Consumer Privacy Act (CCPA) is the US equivalent, and the Personal Data Protection Act (PDPA) applies to businesses and data subjects – people – in Asia.
Travel marketers must pay close attention to data handling compliance when executing marketing campaigns and sending enticing offers to customers for bookings. This involves the careful processing, storing, and utilisation of customer databases to ensure everything is handled according to regulations and best practices.
Incorporating the core principles and rules of global data protection regulations into your business is critical! These principles include: data minimisation, purpose limitation, storage limitation, accuracy, integrity, and security. Make sure to look up your country’s relevant data protection regulation to see the most up-to-date rules.
Sticking to the strict rules laid down by worldwide data protection regulations helps to:
Utilising any form of online booking software encompasses a range of activities falling under the broad scope of 'processing'. This includes collecting, recording, storing, using, and disclosing data through various means such as transmission. From basic contact information to sensitive payment details and personal preferences, every piece of data gathered by travel agencies is subject to stringent data protection regulations.
As travel bookers, it’s vital that you’re processing, storing and using data lawfully and transparently.
Using online booking systems that adhere to these strict rules not only means that you’re meeting global requirements as a travel provider, and therefore a handler of data, but also ensures the privacy and security of your customers’ data.
The use of booking software goes hand in hand with travel providers – even in brick-and-mortar travel provider businesses the booking is completed using an online booking platform.
The majority of websites use SSL encryption to protect any data that’s transmitted between a website and a shopper.
HTTPS website security is crucial for building guest trust and securing online transactions.
Those in the hospitality and tourism industry must take proactive steps, including appointing a compliance champion, educating staff, controlling data access, and collaborating with PCI-compliant vendors, to adhere to these standards and protect against data breaches and hefty fines.
Surveys say 84% of users would abandon a purchase if data was sent over an insecure connection, and a large majority are concerned about their data being intercepted or misused online.
So, what are the risks involved with online booking platforms, and how can we ensure that bookings made using travel booking software are secure?
Christo Butcher, our insightful guest speaker at MarketHub Europe, also spoke about this.
Interestingly, though there is potential to hack the booking platform itself, Christo suggested that it’s ‘much more interesting to focus on the weaker links in the chain: the users.’ In an example where you have users who can log into a booking platform, this account is ‘probably much easier to hack than the platform itself’, and once this is compromised, the hacker effectively becomes the hotelier, or provider, with ‘direct access to all guests and travellers via legitimate communication channels.’
This situation provides hackers with an ideal chance to engage with actual end users in a seemingly authentic manner, serving as a significant force amplifier in the cybercrime domain. By hacking a single account, the potential for profitable scalability is enormous.
How can this risk be mitigated? Multi-factor authentication.
Managing the risk involved in stolen or hacked passwords is key! MFA (multi-factor authentication, sometimes also called two-factor authentication) helps reduce the risk posed by stolen credentials.
Another key risk is third-party security, especially when it comes to travel providers such as Online Travel Agents (OTAs). The issue here, for OTAs, is that income pivots around products which are provided and sold by different suppliers, such as airlines, hotels, car rental companies, or travel insurance. The combination of this dynamic and changing collection of suppliers, along with the ‘inoperability’ between these businesses – for OTAs – opens a prime environment for hackers.
The Payment Card Industry Data Security Standard (PCI DSS) is a crucial industry standard mandated by major credit card companies. It plays a vital role in ensuring the secure processing, storage, and transmission of credit card information. This standard directly impacts every single credit card transaction, emphasising the importance of compliance and adherence to these rules.
Should a guest use their credit card to pay for something at a hotel, for example – be it a room reservation, spa treatment or coffee – or a traveller use their credit card to secure a booking with you, PCI DSS applies to that purchase.
When it comes to digital booking, the most important factor is that you’re selecting an online travel booking platform that is fully PCI DSS compliant – like the Hotelbeds Booking Engine.
But for day-to-day practices that will also ensure that you’re storing and handling data correctly, here are a few pointers:
In today's travel and tourism industry, it is crucial for businesses to cater to travellers for whom the payment method plays a significant role in their decision-making process. As pointed out by Ana Arjones of Mastercard during our recent MarketHub Europe event hosted by our parent company HBX Group, if the preferred payment method of a customer is not available on a hotel's website, 1 in 4 travellers will choose to take their business elsewhere.
In answer to this challenge, virtual credit cards (VCC) are a tokenised version of the physical payment formats used by millions of people, companies and organisations worldwide.
In a booking related environment, many travel providers have API connections to banks, and anytime a booking is created, a one-time VCC, specific to that booking is created.
The virtual card is specifically coded for a designated supplier, amount, and in certain cases for travel or hotel bookings, the associated check-in and check-out dates. This ensures that the virtual card cannot be used for unauthorised transactions, even with the same supplier. After the payment is made, the virtual account number is deactivated and cannot be reused. This method of payment not only enhances security but also minimises the risk of fraudulent activity.
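The controls described above can be sketched as an authorisation check. This is an added example, not Hotelbeds' or any card issuer's code; the field names, reason codes, the exact-amount rule and the sample booking are assumptions constructed for illustration.

```python
from dataclasses import dataclass
from datetime import date
from decimal import Decimal


@dataclass
class VirtualCard:
    """Simplified model of a one-time VCC issued for a single booking."""
    token: str          # constructed placeholder, not a real card number
    supplier_id: str    # the only supplier allowed to charge the card
    amount: Decimal     # amount authorised for this booking
    currency: str
    check_in: date      # start of the permitted charge window
    check_out: date     # end of the permitted charge window
    active: bool = True


def authorise(card, supplier_id, amount, currency, on):
    """Return (approved, reason). The card is deactivated after one approval."""
    if not card.active:
        return False, "card_deactivated"
    if supplier_id != card.supplier_id:
        return False, "supplier_mismatch"
    if currency != card.currency or amount != card.amount:
        return False, "amount_mismatch"
    if not (card.check_in <= on <= card.check_out):
        return False, "outside_stay_dates"
    card.active = False  # single use: no second charge on this number
    return True, "approved"


def demo():
    """Run constructed charge attempts against one card, in order."""
    card = VirtualCard("vcc-EXAMPLE-0001", "HOTEL-123", Decimal("420.00"),
                       "EUR", date(2024, 6, 10), date(2024, 6, 14))
    attempts = [
        ("HOTEL-999", Decimal("420.00"), "EUR", date(2024, 6, 10)),  # other supplier
        ("HOTEL-123", Decimal("900.00"), "EUR", date(2024, 6, 10)),  # inflated amount
        ("HOTEL-123", Decimal("420.00"), "EUR", date(2024, 7, 1)),   # after check-out
        ("HOTEL-123", Decimal("420.00"), "EUR", date(2024, 6, 10)),  # the real booking
        ("HOTEL-123", Decimal("420.00"), "EUR", date(2024, 6, 11)),  # reuse attempt
    ]
    return [authorise(card, *attempt)[1] for attempt in attempts]


if __name__ == "__main__":
    for reason in demo():
        print(reason)
```

Only the fourth attempt is approved; the first three fail on supplier, amount and date, and the fifth fails because the card was deactivated by the approved charge.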
Ana Arjones stated that ‘fraud rates on virtual cards are virtually zero’, much lower than the 0.3% rate on regular consumer cards. That seems like a small figure, but 0.3% of a large volume is a significant number.
This is incredibly important when you consider that sales made by travel providers on behalf of hotels is a significant industry, with ‘leisure sales made by travel intermediaries valued at around $500 billion,’ as Ana Arjones again suggested.
Virtual credit cards are widely supported and used by many travel product suppliers we partner with at Hotelbeds.
Much of our supplier finance management process hinges on the secure processing of virtual credit card transactions, with an E-Billing system specifically designed for VCC suppliers and the effective, safe management of all VCC payments and transactions.
This means that when you’re confirming a booking using the Hotelbeds Booking Engine, there are layers of security and encryption involved when your customers’ data and payments are being transferred from their bank accounts to the travel product provider.