Optimizing Airline Profits: Payment management strategies for airlines

A CyberSource White Paper
by Dave Glaser
VP Professional Services
CyberSource Corporation
CyberSource Corporation
1295 Charleston Road
Mountain View, CA 94043
www.cybersource.com
1-888-330-2300
© CyberSource Corporation
All rights reserved.
First Publication
Contents
OVERVIEW
STRATEGIES TO OPTIMIZE PAYMENT OPERATIONS
ADDING NEW PAYMENT TYPES
AUTOMATING THE BOOKING REVIEW PROCESS (FRAUD MANAGEMENT)
AUTOMATING RECONCILIATION
STREAMLINING PAYMENT SECURITY COMPLIANCE
IMPLEMENTATION APPROACH
CYBERSOURCE AIRLINE PAYMENT MANAGEMENT SOLUTIONS

Overview
Every airline I’ve worked with is trying to shift
more customers to direct sales channels in an
effort to lower their distribution costs and
increase revenue. In doing so, more emphasis is
being placed on payment management,
particularly in four key areas:
1. Adding new payment types
2. Automating the booking review process
(fraud management)
3. Simplifying reconciliation
4. Streamlining security compliance
However, making these improvements can
initially seem quite daunting because of the
operational complexity of the business, coupled
with the limitations of existing legacy systems.
The big questions become what to do business-wise,
and how to marry new and existing
technologies with the least amount of pain.
In my experience, you can achieve some early
success by implementing a point solution to
address a specific payment need (for instance,
adding new payment types or improving the
booking review process). But as direct channels
become more sophisticated, the most successful
airlines are moving to a more integrated,
centralized approach to payment management
that can scale to support current and future
needs while leveraging existing technology.
In doing so, payment management goes from
being a necessary cost of doing business to a
competitive advantage that can enable airlines to
adapt quickly to market shifts.
In this paper, I’ll discuss the tactics I’ve seen
airlines adopting to improve profit via payment
management, as well as the implementation
approaches that I’ve seen work best.
© 2007 CyberSource Corporation. All rights reserved.
Strategies to Optimize Payment Operations
The airlines I’ve worked with are focusing on
building out their direct channels (especially their
own websites) to lower distribution costs and
increase revenue. According to a study by Edgar,
Dunn & Company [1], airlines can reduce their
payment-related expenses by up to 25% by
optimizing the way payments are managed.
If you think of payments as an entire process,
where every transaction goes through a stage in
a “payment pipeline”, you can identify broad
areas to optimize profits, from the initial
reservation request to the funding and
reconciliation of a transaction. The airlines I’ve
worked with have been scrutinizing how they
currently manage online payments using this
pipeline framework, and devising strategies to
streamline payment operations.
ADDING NEW PAYMENT TYPES
Adding new payment types kills two birds with
one stone. First, adding new payment types
lowers distribution costs because transaction
fees for alternative payment types are generally
lower than credit cards. According to the same
Edgar Dunn study, each ticket purchased by
credit card costs an airline $12.50 in processing,
a sizable bite from the bottom line. In contrast,
most bank transfers (for example) charge a
lower fee per transaction, versus a percentage of
the transaction (like credit cards).
Second, adding new payment types can increase
bookings by addressing customers that prefer to
pay using methods other than credit cards – both
here and abroad. This is especially significant for
international markets, where customers may
prefer to pay online with bank transfers, direct
debit, or some other form of payment.
Payment Types Most Airlines Consider
The decision to add a new payment type
depends on many factors (customer payment
preference or transaction fees, for example), and
the benefits should be weighed against the
implementation costs (back-office integration,
additional overhead, etc.). The studies I’ve seen
indicate an average lift of 14% in online sales
conversion when three or more payment types
are accepted (cards, Bill Me Later, eCheck, etc.).
[1] Burg, Pascal, “Next Frontier for Airlines: Reducing the
$1.5 Billion Expense in Payments,” Edgar, Dunn, &
Company, February 2005.
Next to credit cards, PayPal is the most popular
online payment method in North America [2]. With
PayPal, customers pay directly using their email
address and PayPal password. Funds are sent
directly from either the customer’s bank account
or credit card. Recently, Northwest Airlines,
Midwest Airlines and Southwest Airlines have
added PayPal as a payment method.
One payment type that has attracted several
airlines is Bill Me Later, an instant credit account
that enables customers to purchase goods and
services online without using a credit card.
AirTran Airways, Continental Airlines, JetBlue,
and USAirways all accept Bill Me Later.
Bank transfers, though used rarely in the United
States, are popular in both Europe and Asia. If
you have international websites with online
booking, this may be an ideal way to expand
your market. For example, nearly two-thirds of
Germans pay online using direct debit; Chinese
customers use debit cards to initiate online bank
transfers for e-commerce. With online bank
transfers, customers are routed to their bank for
payment authorization before being returned to
the airline’s website to complete the reservation.
In general, you will most likely see lower
transaction fees with all of these payment types
versus credit cards. But you can lower your card
processing fees by implementing payer
authentication services such as Verified by Visa,
MasterCard SecureCode, and JCB J/Secure.
Some card associations offer lower discount
rates to encourage payer authentication adoption,
in an effort to fight online fraud. Furthermore, if
you have a UK presence, MasterCard SecureCode
is mandatory for all Maestro card transactions.
With all of these options, however, I find most
airlines have difficulty adding new payment types
because of rigid legacy systems that can only
support credit card transactions. Passing relevant
information to the PNR, as well as potential
changes in authorization and settlement
processes (and the associated reconciliation
systems), requires thinking about your system
architecture differently and building to that with
each enhancement you make. I offer suggestions
for this later in this paper.
[2] AC Nielsen 2005
AUTOMATING THE BOOKING REVIEW PROCESS
(FRAUD MANAGEMENT)
Though many airlines do not have a “fraud
problem” per se, nearly all have a fraud
management problem—the way in which fraud is
managed is typically costly, human intensive,
does not scale, and results in rejection of valid
bookings or needlessly compromises inventory.
As airlines pursue strategies to take more
business direct and optimize payment operations,
more emphasis is being placed on automating
and tuning more of the screening process. The
goal is to streamline the review process to
achieve a lower valid reservation rejection rate
and better inventory control, so analyst time is
focused on reviewing only those reservations
that truly require review.
To illustrate the business issues involved,
consider the customer experience during the
reservation booking process. If fraud is not
detected, or you reject a valid booking, you lose
revenue. Also, each time you suspend a booking
for review you tie up inventory. If the suspended
reservation is determined to be fraudulent, the
seat must be released and is often sold at a
distressed price, thus forfeiting revenue. This
places profits at risk and reduces scalability.
To address these types of issues, the trend is to
implement automated screening and case
management systems, including rule systems
that leverage airline PNR data and can easily
adapt to changes in fraud patterns and schemes.
Many airlines have also implemented Verified by
Visa and MasterCard SecureCode payer
authentication systems as a first step towards
better managing fraud.
To see why your peers are taking this action, it is
helpful to understand common fraud schemes,
and the pros and cons of various tools and
approaches that might be applied to managing
that risk.
Common Fraud Schemes Against Airlines
I’ve seen an emerging pattern where fraudsters
book a reservation with a child or infant (a lap
child), and then cancel the infant seat. This skirts
some typical fraud checks, since the passenger
profile check has typically focused on
single-paying customers. Yet often fraud and suspicious
person checks are the same.
I’ve also seen a dramatic rise in fraud with airline
“gift card” programs. With gift cards, a third
party is typically buying for someone else (for
example, parents buy gift cards for their
college-bound son to travel home for the holidays).
The traveler
and purchaser are almost never the same.
Traditionally valid airline checks (reviewing time
to departure, destination codes, etc.) aren’t tied
to the initial credit card transaction, since the
purchaser and the traveler are different. The
traveler may not have even booked any flights.
In practice, fraud checks should be linked to the
gift card, but in my experience, gift cards are
processed differently, where the sophisticated
checks normally used with credit cards are not in
place. So, gift cards can be purchased using
stolen credit card information, without the
traveler being linked to the purchaser.
Certain types of promotional packages are also
heavily targeted by fraudsters. For example,
“winter bird” flights to/from Jamaica are very
popular. Some fraudsters are even known to
have secured frequent flyer numbers to help
legitimize their reservation.
These fraud schemes cannot be effectively
addressed using a single tool, or even the array
of tools supplied by card companies. Some
require use of PNR data to accurately detect
fraud and more efficient case management
systems to speed review of the bookings that
have been suspended. Here’s a review of the
tools my clients are using and considering.
Fraud Screening Techniques
The industry trend is to lift conversion rates and
streamline the review process on inbound
reservation requests, so that fewer reservations
are pulled for manual review. Due to the nature
of the airline business, there are several data
elements and a combination of factors that can
be used to uniquely assess the risk of a
card-not-present (CNP) transaction. The most
common of these screening techniques are the
fraud tools supplied by the card associations.
Address verification service (AVS), available in
the U.S., Canada, and UK, enables the airline to
verify the billing address to the address on file at
the issuer. AVS availability in Canada and the UK
is more recent, so the reliability and accuracy
of the service are still being enhanced.
While helpful, an AVS match is not necessarily an
indicator of a valid account, as the fraudster
likely already has the correct billing information.
Similarly, an AVS mismatch may not accurately
point to fraud; statistically, if you relied only on
AVS “match” results, you would reject 160,000
valid bookings out of every million processed.
Another fraud check uses the card verification
number (CVN, CVC2, CVV2, CID) typically found
on the signature line on the back of a credit card.
CVN data is generally available worldwide, and is
more reliable than AVS. Also, CVN data is not
publicly available (unlike address records) and is
more stable – the CVN stays the same even if
the customer moves. While CVN is more reliable
than AVS, it still carries false positive and false
negative risks.
The card brand fraud tool gaining the most
recent interest from airlines is payer
authentication (Verified by Visa, MasterCard
SecureCode, and JCB J/Secure). Payer
authentication is a good foundational tool to help
address online fraud, and several of my clients
have already implemented it.
Depending on the card scheme, and the region
and program administration, you can benefit
from complete protection against fraud loss and
interchange discounts. However, you are still
subject to monitoring against the actual fraud
rate, so you must still aggressively manage fraud.
Payer authentication is not a silver bullet, though.
I’ve seen examples where fraudsters move from
the online channel (with payer authentication
implemented) to call centers, where they can
book reservations with a stolen card. I’ve also
seen situations where fraudsters can literally buy
and sell identities, complete with payer
authentication passwords.
Beyond these card-supplied tools, my clients are
also using other validation services such as
geolocation, a technique that compares the
purchaser’s location, as indicated by their IP
address, to booking information like the bill-to
address. Such a test can be helpful, but the
typical (i.e., “good”) behavior of an airline
customer can minimize its effectiveness. For
example, if customers book reservations outside
their home billing address (i.e., from a remote
location while traveling), such a test would result
in a valid booking rejection.
For all the reasons above, I’ve found airlines
need to use airline-specific data (in conjunction
with these other tools) to effectively screen for
fraud and minimize rejection of valid bookings.
Such data spans PNR and reservation data,
including: passenger profiles, time to departure
(i.e., checking if departure time is less than
twenty-four hours away), and purchasing
behavior associated with airport destination and
departure codes (as specific routes and/or codes
exhibit more risk than others).
To illustrate how this is used, one Eastern
European airline that I worked with experienced
a high fraud rate on routes to London Heathrow
and Gatwick, with passengers booking within 48
hours to departure time, typically flying during
the weekends. The ability to build automated
screening rules based on the reservation data
was effective in detecting this fraud scheme.
I’ve also found that incorporating passenger
frequent flyer data can significantly improve
fraud screening. Frequent flyer numbers, length
of enrollment, and number of site visits (for
example) help to validate the identity of the
passenger.
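
An added example, not taken from the white paper or from any CyberSource product: a small rules-based screen that combines the card-association signals with the PNR data described above, including the Heathrow/Gatwick short-notice weekend pattern. The field names, point weights and thresholds are assumptions for illustration, and the sample bookings are constructed.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

# Assumed for illustration: routes flagged after the pattern described above.
HIGH_RISK_DESTINATIONS = {"LHR", "LGW"}
REVIEW_AT, REJECT_AT = 40, 80  # assumed score thresholds


@dataclass
class Booking:
    """Constructed record: card-association results plus PNR fields."""
    destination: str              # IATA airport code from the PNR
    booked_at: datetime
    departs_at: datetime
    avs_match: bool = True
    cvn_match: bool = True
    payer_authenticated: bool = True
    purchaser_is_traveler: bool = True
    ff_enrolled_days: int = 0     # 0 means no frequent flyer number supplied


def rules(b):
    """Return (name, points, fired) for every rule; points are assumptions."""
    hours_out = (b.departs_at - b.booked_at) / timedelta(hours=1)
    weekend = b.departs_at.weekday() >= 5          # Saturday or Sunday
    risky_route = b.destination in HIGH_RISK_DESTINATIONS
    return [
        # Card-association signals: weak on their own, so weighted low.
        ("avs_mismatch", 15, not b.avs_match),
        ("cvn_mismatch", 30, not b.cvn_match),
        ("no_payer_authentication", 10, not b.payer_authenticated),
        # Airline-specific signals from PNR and reservation data.
        ("departs_within_24h", 20, hours_out < 24),
        ("risky_route_short_notice_weekend", 40,
         risky_route and hours_out <= 48 and weekend),
        ("third_party_purchase", 15, not b.purchaser_is_traveler),
        # Long frequent flyer tenure lowers risk.
        ("ff_member_over_1y", -25, b.ff_enrolled_days >= 365),
    ]


def screen(b):
    """Score a booking and route it: accept, review (suspend), or reject."""
    fired = [(name, pts) for name, pts, hit in rules(b) if hit]
    score = max(0, sum(pts for _, pts in fired))
    if score >= REJECT_AT:
        decision = "reject"
    elif score >= REVIEW_AT:
        decision = "review"
    else:
        decision = "accept"
    return decision, score, [name for name, _ in fired]


# Constructed sample bookings (9 June 2007 was a Saturday).
SAMPLES = {
    "member_booking_while_travelling": Booking(
        "JFK", datetime(2007, 6, 3, 9), datetime(2007, 6, 13, 9),
        avs_match=False, ff_enrolled_days=800),
    "heathrow_weekend_short_notice": Booking(
        "LHR", datetime(2007, 6, 8, 6), datetime(2007, 6, 9, 12),
        payer_authenticated=False),
    "gatwick_stacked_signals": Booking(
        "LGW", datetime(2007, 6, 9, 12), datetime(2007, 6, 10, 8),
        avs_match=False, cvn_match=False, payer_authenticated=False,
        purchaser_is_traveler=False),
}

if __name__ == "__main__":
    for label, booking in SAMPLES.items():
        print(label, screen(booking))
```

The first sample shows why an AVS mismatch alone should not reject a booking: the frequent flyer tenure offsets it and the reservation is accepted without review.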
Implementing Fraud Management Solutions
As discussed above, effective airline fraud checks
now rely on gathering reservation data and
comparing it to financial and customer data.
Depending on your IT environment, this can be
difficult to obtain. You will need to consider how
to pull or pass information among your various
systems—including GDS systems which house
some of the data required.
I recommend creating a middleware layer to pull
legacy system data and GDS data together, as
an end-state vision (see last section). This
approach has proven effective in several of my
clients’ environments.
While this end-state vision is optimal, most of
my clients start with implementing payer
authentication services and a rules system that
can grow over time, as more PNR and
reservation data can be provided. Supplementing
this with a case management system to speed
review provides the foundation for automating
fraud management. Such an approach ensures
that fewer valid reservations are rejected, less
inventory is discounted, and overhead is
minimized. It also allows you to scale more
easily as direct sales volume grows.
AUTOMATING RECONCILIATION
As you grow direct business and take on new
payment types and currencies, reconciliation
becomes a scalability and cost issue. For this
reason, airlines that are focusing on payment
management include reconciliation automation
as a key optimization strategy.
The typical reconciliation operation involves
manually pulling reports from your systems and
auditing against the reports sent by banks and
processors. It’s slow-going and difficult to tie to
the original transaction, since reports lack
common reference data and reporting formats.
It becomes a bottleneck with unnecessary
overhead (see top diagram).
As volumes grow and new payment types,
currencies and markets are added, automated
reconciliation provides scalability without
increasing costs. It also provides a holistic view
of transaction funding status and actual revenue.
To simplify reconciliation and chargebacks in a
typical “manual” setup, all of the payment
information would have to pass from one system
to the next. So, when processor reports are
received, they can be matched to your systems.
For instance, flight information, billing, and other
data captured on your online reservation would
flow to the reservation system/GDS to create the
PNR. All the information would be appended to
the PNR, which would then be passed to your
financial systems. This imposes a large load on
every transaction and reservation record
generated – and this may not even be possible
to do with legacy systems.
A more effective approach, and one that many
airlines are adopting, is to centralize all of the
payment information in a separate system. I’ll
discuss what this looks like from a technical
perspective later on, but in a nutshell, this
repository holds both the reservation payment
data and the reports from banks and processors
on payment activity.
Your PNR can be tied directly to bank/processor
reports by a common reference number. So you
can automate reconciliation and chargeback
management, since the repository holds all the
necessary data. The only things handled manually
are the exceptions (see bottom diagram).
Instead of passing full payment data from one
system to the next as you would in a manual
configuration, you simply pass a payment
reference token back and forth among your
financial and reservation systems (which also
enhances security and streamlines dataflow).
This limits the amount of data being passed
along to each system, and minimizes the impact on
transaction processing times.
The overall impact of this strategy is that it
makes operations more scalable and decreases
overhead costs.
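
An added example, not part of the original paper: reconciliation keyed on a common payment reference token, where a central repository maps each token to its PNR and expected amount and a processor report is matched against it so that only exceptions reach an analyst. The report layout, token format, row types and field names are assumptions, and all data is constructed.

```python
import csv
import io
from decimal import Decimal

# Constructed repository: payment reference token -> reservation payment data.
REPOSITORY = {
    "tok_7f3a": {"pnr": "QX4T9L", "amount": Decimal("412.50"), "currency": "USD"},
    "tok_91bc": {"pnr": "B7HN2P", "amount": Decimal("189.00"), "currency": "EUR"},
    "tok_c220": {"pnr": "M2K8RD", "amount": Decimal("95.00"), "currency": "USD"},
    "tok_d4e1": {"pnr": "Z9WQ5C", "amount": Decimal("230.00"), "currency": "USD"},
}

# Constructed processor report; the column layout is an assumption.
PROCESSOR_REPORT = """reference,type,amount,currency
tok_7f3a,SETTLEMENT,412.50,USD
tok_91bc,SETTLEMENT,180.00,EUR
tok_c220,SETTLEMENT,95.00,USD
tok_c220,CHARGEBACK,95.00,USD
tok_zzzz,SETTLEMENT,60.00,USD
"""


def reconcile(repository, report_text):
    """Match report rows to bookings by token.

    Returns (matched_pnrs, exceptions); each exception is
    (token, pnr_or_None, reason) and is the only work left for an analyst.
    """
    matched, exceptions, settled = [], [], set()
    for row in csv.DictReader(io.StringIO(report_text)):
        token, kind = row["reference"], row["type"]
        booking = repository.get(token)
        if booking is None:
            exceptions.append((token, None, "unknown_reference"))
            continue
        pnr = booking["pnr"]
        if kind == "CHARGEBACK":
            exceptions.append((token, pnr, "chargeback"))
        elif kind != "SETTLEMENT":
            exceptions.append((token, pnr, "unexpected_row_type"))
        elif token in settled:
            exceptions.append((token, pnr, "duplicate_settlement"))
        else:
            settled.add(token)
            if row["currency"] != booking["currency"]:
                exceptions.append((token, pnr, "currency_mismatch"))
            elif Decimal(row["amount"]) != booking["amount"]:
                exceptions.append((token, pnr, "amount_mismatch"))
            else:
                matched.append(pnr)
    # Bookings the processor never reported on have not been funded.
    for token, booking in repository.items():
        if token not in settled:
            exceptions.append((token, booking["pnr"], "not_funded"))
    return matched, exceptions


if __name__ == "__main__":
    ok, todo = reconcile(REPOSITORY, PROCESSOR_REPORT)
    print("auto-reconciled:", ok)
    for item in todo:
        print("exception:", item)
```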
[Diagram: Typical Manual Reconciliation Process.
1. Log-on to Site; 2. Download Report(s);
3. Update Tracking Tools; 4. Sort and Assign;
5. Gather Reservation Data; 6. Review for Action;
7. Take Action for Each Case; 8. Update Reservation
System and Reconciliation Tools]
[Diagram: Streamlined Reconciliation Process
(labels: Automated; Using a Single System).
1. Review and Reconcile Exceptions;
2. Update Exceptions]
STREAMLINING PAYMENT SECURITY
COMPLIANCE
Headlines about stolen customer data at leading
companies, coupled with the cost of maintaining
PCI compliance have compelled most of my
airline clients to be more vigilant in how they
manage, protect, and store customer payment
information.
While PCI compliance is mandatory for airlines,
according to a Deloitte study [3], nearly 24% of
airline internal auditors were not aware of new
PCI compliance standards and how that would
impact their business. By strengthening security
practices around payment information, you can
mitigate customer concern about buying tickets
online, as well as streamline PCI compliance. But
ensuring and monitoring PCI compliance, as well
as staying current on payment security practices
and identifying security gaps, can be a costly
endeavor.
To address this, I’ve seen airlines move towards
centralizing their payment systems to minimize
the number of places where payment data is
stored. Even more notable is the adoption of a
new processing paradigm: “data out” payment
models that remove as much payment data as
possible from their network.
All airlines use SSL to secure the payment
transmission between customers and themselves
during the reservation booking process, as well
as between themselves and their payment
processor (or GDS). But securing the connection
is generally not the issue – it’s the transmission,
processing and storage of the payment data. In
the standard SSL model, you bear all of the risk
of handling payment data. A security breach
could make you liable for heavy penalties, not to
mention bad publicity and loss of customer
confidence and sales.
One of the most straightforward ways to reduce
the risk of handling payment data is to simply
not store it. By moving “data out”, you can
remove nearly all of the cost, complexity and risk
of securing payment data and maintaining
compliance. This model does not remove any
functionality or flexibility. Implementation of this
token-based approach lets you transact, issue
credits, etc. just as you would if you stored the
data onsite.
[3] “Airline Fraud Survey 2006”, Deloitte, April 2007
[Diagram: “Data Out” Models. Left panel: “Airline
does not store payment data.” Right panel: “Airline
does not handle nor store payment data.” Labels:
Customer, Reservation Page, Payment Form, Airline
Systems, Payment Network, Secure Storage Facility,
Payment Data Handling, Payment Data Storage]
Web-based Secure Storage
With web-based services, airlines are avoiding
storing virtually all payment or related personal
data. Instead of storing payment information on
your systems, you would store it in PCI-compliant
data centers within the banking and
processing network (diagram on left).
Your reservation system transmits the passenger
payment data to the banking network at the time
of initial payment acceptance, and then receives
a response and “payment token” to be used as a
reference for the transaction for future billing
actions. All you store is the secure token – which
is worthless to hackers.
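
An added example, not CyberSource's API: the token flow described above with a stand-in vault, plus a check a defender can run over airline-side records to confirm that no card number has leaked into them. `SecureStorage`, its methods, the token format and the record layouts are hypothetical; the card number is a widely published test number and the records are constructed.

```python
import re
import secrets
import string


def luhn_ok(digits):
    """Luhn checksum used by payment card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


class SecureStorage:
    """Hypothetical stand-in for processor-side storage outside the airline network."""

    def __init__(self):
        self._vault = {}

    def store(self, pan):
        if not (pan.isdigit() and 13 <= len(pan) <= 19 and luhn_ok(pan)):
            raise ValueError("not a valid card number")
        # Random and letters-only: no mathematical link to the card number,
        # and never mistaken for one by a scanner.
        body = "".join(secrets.choice(string.ascii_lowercase) for _ in range(24))
        token = "tok_" + body
        self._vault[token] = pan
        return token

    def charge(self, token, amount):
        pan = self._vault.get(token)  # resolved only inside the vault
        if pan is None:
            return {"approved": False, "reason": "unknown_token"}
        return {"approved": True, "amount": amount, "last4": pan[-4:]}


# 13 to 19 digits, optionally separated by single spaces or hyphens.
PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def find_pans(text):
    """Return Luhn-valid card-number candidates found in stored text."""
    hits = []
    for m in PAN_CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            hits.append(digits)
    return hits


def demo():
    vault = SecureStorage()
    token = vault.store("4111111111111111")  # published test card number
    # Constructed airline-side records: token model vs. a legacy record.
    token_record = f"PNR=QX4T9L pay_ref={token} amount=412.50"
    legacy_record = "PNR=QX4T9L card=4111 1111 1111 1111 amount=412.50"
    return {
        "token_record_pans": find_pans(token_record),
        "legacy_record_pans": find_pans(legacy_record),
        "refund_path": vault.charge(token, "412.50"),
        "guessed_token": vault.charge("tok_guess", "412.50"),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```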
Hosted Payment Acceptance
To accept online payments without handling
payment data, you can use payment fields
hosted by and residing within the banking and
processing network, served up as part of your
online booking process. With this approach,
you’d never handle nor store payment data
(diagram on right). This is implemented in a
variety of ways:
1. As processor-hosted payment fields residing
within your own online reservation page;
2. As a fully hosted payment page with the look
and feel of your online reservation page;
3. As a link to a payment page hosted by the
processor, carrying the processor’s brand.
These secure storage and hosted acceptance
solutions can be implemented using the
approaches I discuss in the next section.
Implementation Approach
From a technical perspective, you can start
addressing a specific payment need in the near
term by implementing it as a one-off solution.
But ultimately a long-term scalable and flexible
architecture is the ideal approach.
All of the alternatives I’ve outlined earlier can be
implemented standalone, or can be added to a
centralized payment management platform. In
fact, many of the airlines I’ve worked with use a
phased approach, starting with point solutions
(i.e., adding payer authentication) and moving
towards a fully centralized payment management
infrastructure.
This architecture utilizes a centralized payment
management platform, which integrates with and
works alongside GDSs and legacy systems.
PHASE I: POINT SOLUTION IMPLEMENTATION
Most of my airline clients start by quickly
implementing point solutions using an API that
interfaces to external services for the specific
capabilities desired. The advantage to doing this
is that you can start realizing operational gains
right away. However, I recommend that you
keep a long-term architecture in mind as you
build capabilities.
While initially efficient, prudent and pragmatic,
implementing point solutions is not the best
long-term approach. With point solutions, adding new
capabilities requires building separate
connections to each and every system impacted.
For instance, to add payer authentication, you’d
build connections to the front-end web
application, the GDS or other reservation system,
financial systems, etc. If you add new payment
features later on, you’ll need to do the same
thing. So you’ll have multiple connections to
manage and maintain, which can become
operationally quite complex.
GOAL: CENTRALIZED PAYMENT MANAGEMENT
As I’ve shown in the diagram, you can quickly
add new payment features with minimal impact
to your existing systems with a centralized
payment management platform. This platform
interfaces with multiple processors, payment
channels and systems, managing the workflow
among them. It is architected so that it can
interface with systems using proprietary APIs,
MQ-style messaging, Web services, HTTP posts
and even file transfers.
[Diagram: Centralized Payment Management Platform.
Labels: Reservations, Internet, Call Center,
GDS/Reservation Systems, Financial Systems,
Payment Services, Banks/Processors, New Payment
Types, Fraud Services, More…]
A flexible IT architecture to quickly and easily add new
payment services to address current and future needs.
You can quickly add new payment services with
this architecture:
• Adding new payment types – the platform
can call third-party services for PayPal, Bill
Me Later, bank transfers and more. Adding
payment types or currencies becomes more
a business activity than an IT project, since
all systems are already connected to this
common platform.
• Automating fraud screening and streamlining
reconciliation – because the platform links to
reservations and banking systems, the data
from these systems can be consolidated to
automate and streamline reconciliation,
chargeback and fraud management. It also
supports centralized and hierarchically
managed operations across many
sub-channels, geographies or lines of business.
• Streamlining payment security compliance –
you can connect to a secure storage service
to house sensitive payment information, and
access it when needed by passing a secure
token to and from the secure storage service
managed by the payment platform. Since
data is centrally handled, there is less to
manage and secure.
In addition, administration screens can be
serviced by this centralized platform, allowing
fraud analysts and accounting personnel to
manage and control all operations centrally
instead of interfacing with multiple disparate
systems and reports.
CyberSource Airline Payment Management Solutions
CyberSource provides systems and services to manage ePayments throughout your entire “Payment
Pipeline™” to capture more profit in your online and call center channels. Contact us today to learn
how we can help you lower your distribution costs, streamline your payment operations, and integrate
with your systems. For details call 1-888-330-2300 or visit us online at www.cybersource.com.
Profit optimization at every
stage in the payment
pipeline.
Add New Payment Types Worldwide
Lower your distribution costs and extend your
markets globally by adding new payment types.
In addition to bank cards, CyberSource enables
you to accept alternative payment types
worldwide, including UATP, Bill Me Later, PayPal,
bank transfers, and more.
Automate Payment Fraud Management
Lower review costs, optimize inventory and gain
better scalability by automating fraud
management. The hosted Decision Management
System automatically screens reservations with
airline-specific rules created by you or a
CyberSource Fraud Analyst, minimizing manual
review and increasing booking conversion. The
portal provides access to over 100 global
validation services and tests, with case
management to help you keep track of
outstanding issues. CyberSource also offers
Verified by Visa and MasterCard SecureCode
services, providing chargeback protection and
lower discount fees from card associations.
Scale Accounting Operations
Identify opportunities to capture additional
payment and reduce burden on your staff with
automated reconciliation and streamlined
chargeback management. Our Professional
Services team integrates booking, banking and
payment processing data, for easier scaling and
less manual work.
Streamline Payment Security Compliance
Manage payments without storing data using
Secure Storage; accept and transact payments
using CyberSource-hosted payment fields within
your online booking application. We also provide
PCI consulting and remediation services, and
complimentary PCI vulnerability scanning to help
you maintain PCI compliance.
Scale Payment Capabilities on Demand
For additional operating gains, we can provide
technology and integration to centralize payment
across your direct channels and between
front-end and back-office systems. Only CyberSource
combines deep airline industry experience with
proven payment processing knowledge.
Simplify Implementation and Management:
Airline Savvy Professional Services Team
A single integration to CyberSource provides
access to all services, including multiple
processors worldwide. Our solutions are available
modularly or as a fully centralized payment
system, and all are available as fully outsourced
managed services, with performance guarantees.
CyberSource Professional Services has worked
closely with leaders in the airline industry to
integrate multiple payment solutions. We reduce
implementation headaches by working hand in
hand with airline accounting and finance groups
to minimize impact on back-office systems.
About CyberSource
CyberSource Corporation is the world’s first payment management company. CyberSource solutions enable
electronic payment processing for Web, call center, and POS environments. CyberSource also offers industry
leading risk management solutions for merchants accepting card-not-present transactions. CyberSource
Professional Services designs, integrates, and optimizes commerce transaction processing systems. Approximately
20,000 businesses use CyberSource solutions, including half the companies comprising the Dow Jones Industrial
Average. The company is headquartered in Mountain View, California, and has sales and service offices in Japan,
the United Kingdom, and other locations in the United States.