A CyberSource White Paper Optimizing Airline Profits: Payment management strategies for airlines by Dave Glaser VP Professional Services CyberSource Corporation CyberSource Corporation 1295 Charleston Road Mountain View, CA 94043 www.cybersource.com 1-888-330-2300 © CyberSource Corporation All rights reserved. First Publication Optimizing Airline Profits Contents Overview OVERVIEW ................................................. 3 Every airline I’ve worked with is trying to shift more customers to direct sales channels in an effort to lower their distribution costs and increase revenue. In doing so, more emphasis is being placed on payment management, particularly in four key areas: STRATEGIES TO OPTIMIZE PAYMENT OPERATIONS.............................................. 4 ADDING NEW PAYMENT TYPES ............................... 4 AUTOMATING THE BOOKING REVIEW PROCESS (FRAUD MANAGEMENT)................................................. 5 AUTOMATING RECONCILIATION............................... 7 STREAMLINING PAYMENT SECURITY COMPLIANCE .......... 8 IMPLEMENTATION APPROACH ................... 9 CYBERSOURCE AIRLINE PAYMENT MANAGEMENT SOLUTIONS....................... 10 1. 2. 3. 4. Adding new payment types Automating the booking review (fraud management) Simplifying reconciliation Streamlining security compliance process However, making these improvements can initially seem quite daunting because of the operational complexity of the business, coupled with the limitations of existing legacy systems. The big questions become what to do businesswise, and how to marry new and existing technologies with the least amount of pain. In my experience, you can achieve some early success by implementing a point solution to address a specific payment need (for instance, adding new payment types or improving the booking review process). But as direct channels become more sophisticated, the most successful airlines are moving to a more integrated, centralized approach to payment management that can scale to support current and future needs while leveraging existing technology. In doing so, payment management goes from being a necessary cost of doing business to a competitive advantage that can enable airlines to adapt quickly to market shifts. In this paper, I’ll discuss the tactics I’ve seen airlines adopting to improve profit via payment management, as well as the implementation approaches that I’ve seen work best. © 2007 CyberSource Corporation. All rights reserved. Page 3 Optimizing Airline Profits Strategies to Optimize Payment Operations The airlines I’ve worked with are focusing on building out their direct channels (especially their own websites) to lower distribution costs and increase revenue. According to a study by Edgar, Dunn & Company 1 , airlines can reduce their payment-related expenses by up to 25% by optimizing the way payments are managed. If you think of payments as an entire process, where every transaction goes through a stage in a “payment pipeline”, you can identify broad areas to optimize profits, from the initial reservation request to the funding and reconciliation of a transaction. The airlines I’ve worked with have been scrutinizing how they currently manage online payments using this pipeline framework, and devising strategies to streamline payment operations. ADDING NEW PAYMENT TYPES Adding new payment types kills two birds with one stone. First, adding new payment types lowers distribution costs because transaction fees for alternative payment types are generally lower than credit cards. According to the same Edgar Dunn study, each ticket purchased by credit card costs an airline $12.50 in processing, a sizable bite from the bottom line. In contrast, most bank transfers (for example) charge a lower fee per transaction, versus a percentage of the transaction (like credit cards). Second, adding new payment types can increase bookings by addressing customers that prefer to pay using methods other than credit cards – both here and abroad. This is especially significant for international markets, where customers may prefer to pay online with bank transfers, direct debit, or some other form of payment. Payment Types Most Airlines Consider The decision to add a new payment type depends on many factors (customer payment preference or transaction fees, for example), and the benefits should be weighed against the implementation costs (back-office integration, additional overhead, etc.). The studies I’ve seen indicate an average lift of 14% in online sales conversion when three or more payment types are accepted (cards, Bill Me Later, eCheck, etc.). 1 Burg, Pascal, “Next Frontier for Airlines: Reducing the $1.5 Billion Expense in Payments,” Edgar, Dunn, & Company, February 2005. © 2007 CyberSource Corporation. All rights reserved. Next to credit cards, PayPal is the most popular online payment method in North America 2 . With PayPal, customers pay directly using their email address and PayPal password. Funds are sent directly from either the customer’s bank account or credit card. Recently, Northwest Airlines, Midwest Airlines and Southwest Airlines have added PayPal as a payment method. One payment type that has attracted several airlines is Bill Me Later, an instant credit account that enables customers to purchase goods and services online without using a credit card. AirTran Airways, Continental Airlines, JetBlue, and USAirways all accept Bill Me Later. Bank transfers, though used rarely in the United States, are popular in both Europe and Asia. If you have international websites with online booking, this may be an ideal way to expand your market. For example, nearly two-thirds of Germans pay online using direct debit; Chinese customers use debit cards to initiate online bank transfers for e-commerce. With online bank transfers, customers are routed to their bank for payment authorization before being returned to the airline’s website to complete the reservation. In general, you will most likely see lower transaction fees with all of these payment types versus credit cards. But you can lower your card processing fees by implementing payer authentication services such as Verified by Visa, MasterCard SecureCode, and JCB J/Secure. Some card associations offer lower discount rates to encourage payer authentication adoption, in an effort to fight online fraud. Furthermore, if you have a UK presence, MasterCard SecureCode is mandatory for all Maestro card transactions. With all of these options however, I find most airlines have difficulty adding new payment types because of rigid legacy systems that can only support credit card transactions. Passing relevant information to the PNR, as well as potential changes in authorization and settlement processes (and the associated reconciliation systems) requires thinking about your system architecture differently and building to that with each enhancement you make. I offer suggestions for this later in this paper. 2 AC Nielsen 2005 Page 4 Optimizing Airline Profits AUTOMATING THE BOOKING REVIEW PROCESS (FRAUD MANAGEMENT) Though many airlines do not have a “fraud problem” per se, nearly all have a fraud management problem—the way in which fraud is managed is typically costly, human intensive, does not scale, and results in rejection of valid bookings or needlessly compromises inventory. As airlines pursue strategies to take more business direct and optimize payment operations, more emphasis is being placed on automating and tuning more of the screening process. The goal is to streamline the review process to achieve a lower valid reservation rejection rate and better inventory control, so analyst time is focused on reviewing only those reservations that truly require review. To illustrate the business issues involved, consider the customer experience during the reservation booking process. If fraud is not detected, or you reject a valid booking, you lose revenue. Also, each time you suspend a booking for review you tie-up inventory. If the suspended reservation is determined to be fraudulent, the seat must be released and is often sold at a distressed price, thus forfeiting revenue. This places profits at risk and reduces scalability. To address these types of issues, the trend is to implement automated screening and case management systems, including rule systems that leverage airline PNR data and can easily adapt to changes in fraud patterns and schemes. Many airlines have also implemented Verified by Visa and MasterCard SecureCode payer authentication systems as a first step towards better managing fraud. To see why your peers are taking this action, it is helpful to understand common fraud schemes, and the pros and cons of various tools and approaches that might be applied to managing that risk. Common Fraud Schemes Against Airlines I’ve seen an emerging pattern where fraudsters book a reservation with a child or infant (a lap child), and then cancel the infant seat. This skirts some typical fraud checks, since the passenger profile check has typically focused on singlepaying customers. Yet often fraud and suspicious person checks are the same. © 2007 CyberSource Corporation. All rights reserved. I’ve also seen a dramatic rise in fraud with airline “gift card” programs. With gift cards, a third party is typically buying for someone else (i.e., parents buy gift cards for their college-bound son to travel home for the holidays). The traveler and purchaser are almost never the same. Traditionally valid airline checks (reviewing time to departure, destination codes, etc.) aren’t tied to the initial credit card transaction, since the purchaser and the traveler are different. The traveler may not have even booked any flights. In practice, fraud checks should be linked to the gift card, but in my experience, gift cards are processed differently, where the sophisticated checks normally used with credit cards are not in place. So, gift cards can be purchased using stolen credit card information, without the traveler being linked to the purchaser. Certain types of promotional packages are also heavily targeted by fraudsters. For example, “winter bird” flights to/from Jamaica are very popular. Some fraudsters are even known to have secured frequent flyer numbers to help legitimize their reservation. These fraud schemes cannot be effectively addressed using a single tool, or even the array of tools supplied by card companies. Some require use of PNR data to accurately detect fraud and more efficient case management systems to speed review of the bookings that have been suspended. Here’s a review of the tools my clients are using and considering. Fraud Screening Techniques The industry trend is to lift conversion rates and streamline the review process on inbound reservation requests, so that fewer reservations are pulled for manual review. Due to the nature of the airline business, there are several data elements and a combination of factors that can be used to uniquely assess the risk of a cardnot-present (CNP) transaction. The most common of these screening techniques are the fraud tools supplied by the card associations. Address verification service (AVS), available in the U.S., Canada, and UK, enables the airline to verify the billing address to the address on file at the issuer. AVS availability in Canada and the UK are more recent, so the reliability and accuracy of the service are still being enhanced. Page 5 Optimizing Airline Profits While helpful, an AVS match is not necessarily an indicator of a valid account, as the fraudster likely already has the correct billing information. Similarly, an AVS mismatch may not accurately point to fraud; statistically, if you relied only on AVS “match” results, you would reject 160,000 valid bookings out of every million processed. Another fraud check uses the card verification number (CVN, CVC2, CVV2, CID) typically found on the signature line on the back of a credit card. CVN data is generally available worldwide, and is more reliable than AVS. Also, CVN data is not publicly available (unlike address records) and is more stable – the CVN stays the same even if the customer moves. While CVN is more reliable than AVS, it still carries false positive and false negative risks as well. The card brand fraud tool gaining the most recent interest from airlines is payer authentication (Verified by Visa, MasterCard SecureCode, and JCB J/Secure). Payer authentication is a good foundational tool to help address online fraud, and several of my clients have already implemented it. Depending on the card scheme, and the region and program administration, you can benefit from complete protection against fraud loss and interchange discounts. However, you are still subject to monitoring against the actual fraud rate, so you must still aggressively manage fraud. Payer authentication is not a silver bullet though. I’ve seen examples where fraudsters move from the online channel (with payer authentication implemented) to call centers, where they can book reservations with a stolen card. I’ve also seen situations where fraudsters can literally buy and sell identities, complete with payer authentication passwords. Beyond these card-supplied tools, my clients are also using other validation services such as geolocation, a technique that compares the purchaser’s location, as indicated by their IP address, to booking information like the bill-to address. Such a test can be helpful, but the typical (i.e., “good”) behavior of an airline customer can minimize its effectiveness. For example, if customers book reservations outside their home billing address (i.e., from a remote location while traveling), such a test would result in a valid booking rejection. © 2007 CyberSource Corporation. All rights reserved. For all the reasons above, I’ve found airlines need to use airline-specific data (in conjunction with these other tools) to effectively screen for fraud and minimize rejection of valid bookings. Such data spans PNR and reservation data, including: passenger profiles, time to departure (i.e., checking if departure time is less than twenty-four hours away), and purchasing behavior associated with airport destination and departure codes (as specific routes and/or codes exhibit more risk than others). To illustrate how this is used, one Eastern European airline that I worked with experienced a high fraud rate on routes to London Heathrow and Gatwick, with passengers booking within 48 hours to departure time, typically flying during the weekends. The ability to build automated screening rules based on the reservation data was effective in detecting this fraud scheme. I’ve also found that incorporating passenger frequent flyer data can significantly improve fraud screening. Frequent flyer numbers, length of enrollment, and number of site visits (for example) help to validate the identity of the passenger. Implementing Fraud Management Solutions As discussed above, effective airline fraud checks now rely on gathering reservation data and comparing it to financial and customer data. Depending on your IT environment, this can be difficult to obtain. You will need to consider how to pull or pass information among your various systems—including GDS systems which house some of the data required. I recommend creating a middleware layer to pull legacy system data and GDS data together, as an end-state vision (see last section). This approach has proven effective in several of my clients’ environments. While this end-state vision is optimal, most of my clients start with implementing payer authentication services and a rules system that can grow over time, as more PNR and reservation data can be provided. Supplementing this with a case management system to speed review provides the foundation for automating fraud management. Such an approach ensures that fewer valid reservations are rejected, less inventory is discounted, and overhead is minimized. It also allows you to scale more easily as direct sales volume grows. Page 6 Optimizing Airline Profits AUTOMATING RECONCILIATION As you grow direct business and take on new payment types and currencies, reconciliation becomes a scalability and cost issue. For this reason, airlines that are focusing on payment management include reconciliation automation as a key optimization strategy. The typical reconciliation operation involves manually pulling reports from your systems and auditing against the reports sent by banks and processors. It’s slow-going and difficult to tie to the original transaction, since reports lack common reference data and reporting formats. It becomes a bottleneck with unnecessary overhead (see top diagram). As volumes grow and new payment types, currencies and markets are added, automated reconciliation provides scalability without increasing costs. It also provides a holistic view of transaction funding status and actual revenue. To simplify reconciliation and chargebacks in a typical “manual” setup, all of the payment information would have to pass from one system to the next. So, when processor reports are received, they can be matched to your systems. For instance, flight information, billing, and other data captured on your online reservation would flow to the reservation system/GDS to create the PNR. All the information would be appended to the PNR, which would then be passed to your financial systems. This imposes a large load on every transaction and reservation record generated – and this may not even be possible to do with legacy systems. A more effective approach, and one that many airlines are adopting, is to centralize all of the payment information in a separate system. I’ll discuss what this looks like from a technical perspective later on, but in a nutshell, this repository holds both the reservation payment data and the reports from banks and processors on payment activity. Your PNR can be tied directly to bank/processor reports by a common reference number. So you can automate reconciliation and chargeback management, since the repository holds all the necessary data. The only thing handled manually are the exceptions (see bottom diagram). Instead of passing full payment data from one system to the next as you would in a manual configuration, you simply pass a payment reference token back and forth among your financial and reservation systems (which also enhances security and streamlines dataflow). This limits the amount of data being passed along to each system, and minimize impact on transaction processing times. The overall impact of this strategy is that it makes operations more scalable and decreases overhead costs. Typical Manual Reconciliation Process 1 2 3 4 5 6 Log-on to Site Download Report(s) Update Tracking Tools Sort and Assign Gather Reservation Data Review for Action 7 8 Take Action Update Reservation for Each System and Reconciliation Case Tools Streamlined Reconciliation Process 1 2 Review and Reconcile Exceptions Update Exceptions Using a Single System Automated © 2007 CyberSource Corporation. All rights reserved. Page 7 Optimizing Airline Profits STREAMLINING PAYMENT SECURITY COMPLIANCE Headlines about stolen customer data at leading companies, coupled with the cost of maintaining PCI compliance have compelled most of my airline clients to be more vigilant in how they manage, protect, and store customer payment information. While PCI compliance is mandatory for airlines, according to a Deloitte study 3 , nearly 24% of airline internal auditors were not aware of new PCI compliance standards and how that would impact their business. By strengthening security practices around payment information, you can mitigate customer concern about buying tickets online, as well as streamline PCI compliance. But ensuring and monitoring PCI compliance, as well as staying current on payment security practices and identifying security gaps, can be a costly endeavor. To address this, I’ve seen airlines move towards centralizing their payment systems to minimize the number of places where payment data is stored. Even more notable is the adoption of a new processing paradigm: “data out” payment models that remove as much payment data as possible from their network. All airlines use SSL to secure the payment transmission between customers and themselves during the reservation booking process, as well as between themselves and their payment processor (or GDS). But securing the connection is generally not the issue – it’s the transmission, processing and storage of the payment data. In the standard SSL model, you bear all of the risk of handling payment data. A security breach could make you liable for heavy penalties, not to mention bad publicity and loss of customer confidence and sales. One of the most straightforward ways to reduce the risk of handling payment data is to simply not store it. By moving “data out”, you can remove nearly all of the cost, complexity and risk of securing payment data and maintaining compliance. This model does not remove any functionality or flexibility. Implementation of this token-based approach lets you transact, issue credits, etc. just as you would if you stored the data onsite. 3 “Airline Fraud Survey 2006”, Deloitte, April 2007 © 2007 CyberSource Corporation. All rights reserved. “Data Out” Models Airline does not store payment data. Payment Network Airline does not handle nor store payment data. Payment Network Secure Storage Facility Payment Data Airline Systems Payment Data PAY Airline Systems Payment Form Payment Data Handling PAY Reservation Page Payment Data Storage Reservation Page Payment Data Storage Customer Web-based Secure Storage With web-based services, airlines are avoiding storing virtually all payment or related personal data. Instead of storing payment information on your systems, you would store it in PCIcompliant data centers within the banking and processing network (diagram on left). Your reservation system transmits the passenger payment data to the banking network at the time of initial payment acceptance, and then receives a response and “payment token” to be used as a reference for the transaction for future billing actions. All you store is the secure token – which is worthless to hackers. Hosted Payment Acceptance To accept online payments without handling payment data, you can use payment fields hosted by and residing within the banking and processing network, served up as part of your online booking process. With this approach, you’d never handle nor store payment data (diagram on right). This is implemented in a variety of ways: 1. As processor-hosted payment fields residing within your own online reservation page; 2. As a fully hosted payment page with the look and feel of your online reservation page; 3. As a link to a payment page hosted by the processor, carrying the processor’s brand. These secure storage and hosted acceptance solutions can be implemented using the approaches I discuss in the next section. Page 8 Optimizing Airline Profits Implementation Approach From a technical perspective, you can start addressing a specific payment need in the near term by implementing it as a one-off solution. But ultimately a long-term scalable and flexible architecture is the ideal approach. Reservations Internet All of the alternatives I’ve outlined earlier can be implemented standalone, or can be added to a centralized payment management platform. In fact, many of the airlines I’ve worked with use a phased approach, starting with point solutions (i.e., adding payer authentication) and moving towards a fully centralized payment management infrastructure. Payment Services CENTRALIZED PAYMENT MANAGEMENT PLATFORM This architecture utilizes a centralized payment management platform, which integrates with and works alongside GDSs and legacy systems. GDS/ Reservation Systems PHASE I: POINT SOLUTION IMPLEMENTATION Most of my airline clients start by quickly implementing point solutions using an API that interfaces to external services for the specific capabilities desired. The advantage to doing this is that you can start realizing operational gains right away. However, I recommend that you keep a long-term architecture in mind as you build capabilities. While initially efficient, prudent and pragmatic, implementing point solutions is not the best long term approach. With point solutions, adding new capabilities requires building separate connections to each and every system impacted. For instance, to add payer authentication, you’d build connections to the front-end web application, the GDS or other reservation system, financial systems, etc. If you add new payment features later on, you’ll need to do the same thing. So you’ll have multiple connections to manage and maintain, which can become operationally quite complex. GOAL: CENTRALIZED PAYMENT MANAGEMENT As I’ve shown in the diagram, you can quickly add new payment features with minimal impact to your existing systems with a centralized payment management platform. This platform interfaces with multiple processors, payment channels and systems, managing the workflow among them. It is architected so that it can interface with systems using proprietary APIs, MQ-style messaging, Web services, HTTP posts and even file transfers. © 2007 CyberSource Corporation. All rights reserved. Call Center Banks/Processors New Payment Types Fraud Services More… Financial Systems A flexible IT architecture to quickly and easily add new payment services to address current and future needs. You can quickly add new payment services with this architecture: • Adding new payment types – the platform can call third-party services for PayPal, Bill Me Later, bank transfers and more. Adding payment types or currencies becomes more a business activity than an IT project, since all systems are already connected to this common platform. • Automating fraud screening and streamlining reconciliation – because the platform links to reservations and banking systems, the data from these systems can be consolidated to automate and streamline reconciliation, chargeback and fraud management. It also supports centralized and hierarchically managed operations across many subchannels, geographies or lines of business. • Streamlining payment security compliance – you can connect to a secure storage service to house sensitive payment information, and access it when needed by passing a secure token to and from the secure storage service managed by the payment platform. Since data is centrally handled, there is less to manage and secure. In addition, administration screens can be serviced by this centralized platform, allowing fraud analysts and accounting personnel to manage and control all operations centrally instead of interfacing with multiple disparate systems and reports. Page 9 Optimizing Airline Profits CyberSource Airline Payment Management Solutions CyberSource provides systems and services to manage ePayments throughout your entire “Payment Pipeline™” to capture more profit in your online and call center channels. Contact us today to learn how we can help you lower your distribution costs, streamline your payment operations, and integrate with your systems. For details call 1-888-330-2300 or visit us online at www.cybersource.com. Profit optimization at every stage in the payment pipeline. Add New Payment Types Worldwide Lower your distribution costs and extend your markets globally by adding new payment types. In addition to bank cards, CyberSource enables you to accept alternative payment types worldwide, including UATP, Bill Me Later, PayPal, bank transfers, and more. Automate Payment Fraud Management Lower review costs, optimize inventory and gain better scalability by automating fraud management. The hosted Decision Management System automatically screens reservations with airline-specific rules created by you or a CyberSource Fraud Analyst, minimizing manual review and increasing booking conversion. The portal provides access to over 100 global validation services and tests, with case management to help you keep track of outstanding issues. CyberSource also offers Verified by Visa and MasterCard SecureCode services, providing chargeback protection and lower discount fees from card associations. Scale Accounting Operations Identify opportunities to capture additional payment and reduce burden on your staff with automated reconciliation and streamlined chargeback management. Our Professional Services team integrates booking, banking and payment processing data, for easier scaling and less manual work. © 2007 CyberSource Corporation. All rights reserved. Streamline Payment Security Compliance Manage payments without storing data using Secure Storage; accept and transact payments using CyberSource-hosted payment fields within your online booking application. We also provide PCI consulting and remediation services, and complimentary PCI vulnerability scanning to help you maintain PCI compliance. Scale Payment Capabilities on Demand For additional operating gains, we can provide technology and integration to centralize payment across your direct channels and between frontend and back-office systems. Only CyberSource combines deep airline industry experience with proven payment processing knowledge. Simplify Implementation and Management: Airline Savvy Professional Services Team A single integration to CyberSource provides access to all services, including multiple processors worldwide. Our solutions are available modularly or as a fully centralized payment system, and all are available as fully outsourced managed services, with performance guarantees. CyberSource Professional Services has worked closely with leaders in the airline industry to integrate multiple payment solutions. We reduce implementation headaches by working hand in hand with airline accounting and finance groups to minimize impact on back-office systems. Page 10 About CyberSource CyberSource Corporation is the world’s first payment management company. CyberSource solutions enable electronic payment processing for Web, call center, and POS environments. CyberSource also offers industry leading risk management solutions for merchants accepting card-not-present transactions. CyberSource Professional Services designs, integrates, and optimizes commerce transaction processing systems. Approximately 20,000 businesses use CyberSource solutions, including half the companies comprising the Dow Jones Industrial Average. The company is headquartered in Mountain View, California, and has sales and service offices in Japan, the United Kingdom, and other locations in the United States. © 2007 CyberSource Corporation. All rights reserved. © 2007 CyberSource Corporation. All rights reserved.
© Copyright 2018