How do you know your travel management company has a secure data environment? A simple assurance that "We take data security seriously" is not enough for you to know the agency meets the standards that apply to the data it handles on your behalf.
Two Steps to Take
First, discuss how the agency will receive, store and share your organization's sensitive data, especially corporate card information. The answer you want is that the agency follows the Payment Card Industry Data Security Standard (PCI DSS), keeps no paper copies of your travelers' card details, and stores card numbers only in a form that is unreadable to anyone who reaches the stored data without authorization: strong encryption with properly managed keys, or tokenization that replaces the card number with a surrogate value that is useless outside the payment system. Ask specifically about the card security code (the CVV/CVC on the back of the card): PCI DSS does not permit it to be stored after a transaction has been authorized, so an agency that keeps it on file for "convenience" is not compliant. Additionally, establish that card and traveler data is kept only for as long as there is a business need for it, with a documented retention period and a process for securely deleting it afterwards.
Second, request to see the travel agency's Attestation of Compliance (AOC). An AOC is the signed summary document that accompanies a PCI DSS assessment. Check which kind of assessment it is based on: an AOC backed by a Report on Compliance means a PCI Qualified Security Assessor (QSA) has reviewed the agency's controls, whereas an AOC backed by a Self-Assessment Questionnaire (SAQ) may have been completed and signed by the agency itself with no independent review. Why is this important? PCI DSS is the minimum standard that any organization handling payment cards, regardless of size, is contractually required to meet. Its aim is to ensure that cardholder data is protected wherever it is stored, processed or transmitted, and it is mandated by all the major card brands, including Visa, Mastercard and American Express.
Requesting an AOC is the quickest and easiest way to confirm that an organization does protect the data you entrust to it. Any PCI-compliant business should be able to produce one. It indicates that the organization has undergone the relevant security checks and assessments, and it shows an investment of both capital and effort in holding your data securely. A full PCI compliance assessment can cost $70,000 or more when all expenditures are taken into account, a sizable investment without a doubt. When you receive an AOC, check three things: the date (an AOC covers one year and must be renewed), the scope (the services and locations it lists should include the ones you will actually use), and whether it was issued to the agency as a merchant or as a service provider, since the service provider version is the one that covers handling card data on behalf of clients such as you.
However, if the travel agency does not have an AOC of its own, this doesn't necessarily mean it's not protecting customer data adequately. The agency may have outsourced card handling to a third party. To become PCI compliant in-house, an agency needs in-house IT personnel, systems and networks that are kept patched and current, an annual assessment and quarterly vulnerability scans, all adding up to large sums of money and a great deal of attention throughout the year. Outsourcing, on the other hand, requires the travel agency only to integrate with a third-party payment provider that receives and secures the sensitive information, for example by capturing card details on the provider's hosted payment page or in its tokenization service so that the card number never touches the agency's own systems. In this case the travel agency can supply the AOC of the provider it is using. Two caveats apply. First, outsourcing reduces the agency's PCI scope but does not remove its responsibility: PCI DSS still requires the agency to keep a list of its service providers, to have written agreements with them and to monitor their compliance status at least annually, so ask to see the agency's own (reduced) self-assessment alongside the provider's AOC. Second, the provider's AOC only helps if card data genuinely bypasses the agency; if travelers email card numbers to agents or agents key them into the agency's own booking tools, that data is in the agency's environment regardless of who the payment provider is.
While cost and the quality of support services are key in choosing a travel agency, corporate travel managers often overlook data security, which covers both personal data such as names and email addresses and, more important, card payment information. A breach of personal data is worrying and troublesome, but a breach of payment data is likely to result in fraudulent transactions, especially considering that it takes, on average, 191 days for an organization to realize a data breach has occurred.
Because most corporate credit cards have higher credit limits than personal cards, they make an even more attractive target for attackers. Don't ignore the threat.