Mark Kusionowicz on ‘Keeping National Express data safe’

Posted by Mark Kusionowicz
on 20th January 2010

From January to March 2009, the number of fraud-related crimes recorded by the police reached 397,000*. These offences range from password hacking – as seen with last year’s hotmail attacks – to identity theft and credit card fraud, all of which can prove detrimental to a brand’s finances and reputation.

The snappily-titled Payment Card Industry Data Security Standard (PCI) is a worldwide security standard specifically created to help organisations process card payments safely and prevent credit card fraud, by increasing controls around data and its exposure to compromise.

National Express, one of the world’s leading international public transport groups with over one billion passengers using its services in the UK, North America and Spain, therefore had to review its existing payments system to ensure credit card data was being securely processed throughout the company, and worked with payments security specialist, The Logic Group to do so.

Fastening the payment safety belt
Under The Logic Group’s guidance, National Express opted to implement an outsourced solution. The PCI standard is mandated by the acquiring banks and card schemes – meaning significant fines for non-compliance – something that many companies are now beginning to discover. By outsourcing all of its card data to a secure and automatically compliant domain, National Express instantly reduced the scope it had to cover in meeting the many prescriptive demands of the standard. Protecting reputation was also paramount, as the brand would inevitably suffer in the event of a major card data breach. The cost of potential business downtime and direct losses from fraudulent activity also have to be factored into the card data protection equation.

A smooth ride
Martin Blackburn, director IT systems development at National Express comments, “Because PCI is a relatively new standard it was essential that we rapidly implemented a managed payments service that would not only allow us to store sensitive payment details off site and therefore reduce our scope for compliance, but also avoided the need to make application changes as the legislation evolves over time.”

Reputational damage… and worse
If the direct costs are not enough to give any brand that processes and holds card data nightmares, the loss of customer confidence and subsequent reduction in sales and profits can only exacerbate them. Customer confidence can be fragile and people will vote with their feet if they believe that a merchant does not provide security for their payment details. And ‘payment details’ can mean a mind-boggling array of different things: from call recordings where card details have been provided over the phone, to till receipts.

The first priority was to remove the Primary Account Numbers (PAN) – the full card number of its customers’ credit and debit cards – from the National Express ‘environment’ onto The Logic Group’s managed service. This included identifying where the card holder data was stored and where it flowed through the organisation, following cardholder data from point of entry into the National Express systems and ascertaining all the uses of the data. This made it possible to build a complete picture of the data flow and its static locations.
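The discovery step described above, finding where card data sits before it can be moved out of scope, as an added example in Python (not The Logic Group’s or National Express’s code): it scans constructed sample records such as call notes and till receipts for candidate card numbers, keeps only those passing the Luhn check, and reports them masked so the scan itself does not spread PANs. File names and contents are made up for the example.

```python
import re
from typing import List, Tuple

# Candidate PAN: 13-19 digits, optionally separated by single spaces or hyphens,
# not embedded in a longer run of digits.
CANDIDATE_RE = re.compile(r"(?<![\d-])(?:\d[ -]?){12,18}\d(?![\d-])")


def luhn_valid(digits: str) -> bool:
    """Luhn check-digit validation used by all major card schemes."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def mask_pan(digits: str) -> str:
    """PCI-style masking for reports: keep only the last four digits."""
    return "*" * (len(digits) - 4) + digits[-4:]


def find_pans(text: str) -> List[str]:
    """Return masked PANs found in text; Luhn-invalid candidates are ignored."""
    found = []
    for m in CANDIDATE_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if luhn_valid(digits):
            found.append(mask_pan(digits))
    return found


def scan_records(records) -> List[Tuple[str, List[str]]]:
    """Map each record name to the masked PANs it holds, skipping clean records."""
    return [(name, find_pans(body)) for name, body in records if find_pans(body)]


# Constructed sample records; the card numbers are the schemes' public test numbers.
SAMPLE_RECORDS = [
    ("call_note_0417.txt", "Customer read out card 4111 1111 1111 1111 exp 03/11 for a refund."),
    ("till_receipt_2231.txt", "AUTH OK  MASTERCARD 5500-0000-0000-0004  AMT 14.50"),
    ("booking_export.csv", "booking_ref,amount\n4111111111111112,32.00\n"),  # fails Luhn
    ("timetable.txt", "Service 0900 dep Birmingham, 1015 arr Coventry"),
]

if __name__ == "__main__":
    for name, pans in scan_records(SAMPLE_RECORDS):
        print(f"{name}: {', '.join(pans)}")
```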

Another key milestone in the implementation was establishing and in turn reducing the impact on the National Express refunds policy and process, with the onus on ensuring that any changes to the business process were designed to keep things as simple for customers as possible.

The Business Impact
The implementation, which was split into two phases to achieve early delivery, was cost neutral – something which was a key factor for National Express. That is before counting the savings to be gained from increased card payment security, protection of brand reputation, and a reduced direct impact on the bottom line from payment fraud, fines and the other costs associated with non-compliance with the prescriptive PCI standard. Blackburn comments, “We are already seeing a reduction in operating costs. But most importantly a more secure service provision for our business is now in place.”

Mark is Marketing Director of the Logic Group.
*Government Office of National Statistics
