Securing payment processing across the globe...and across time

When considering the height of information system technology, thoughts of car rental agencies in the Australia Pacific region seldom come to mind. And Graeme Andrew would agree. However, he ended up thinking a lot about them after walking into one more than a dozen years ago because they had asked his company, GMH Systems, to develop an online solution to manage the business.

After learning some of the complexities behind the entire rental process, he began to understand the scope of the project that he and his team faced. In addition, he explained that “we found ourselves standing before an industry niche with tremendous growth potential but that would be certain to invite widespread fraud.” This was because, in addition to local rental customers in Australia, travelers from the world over would be entering payment information for a car to use when later visiting the country.

Opening the door for growth invites parallel growth in fraud

Graeme was right about both the prospects for growth of an online rental solution and the corresponding growth in online payment fraud.

Global Car Rental Market
Figure 1: Data courtesy

Dramatic growth in car rental software

Today, global adoption of car rental management software is so strong that worldwide revenues for the industry niche are expected to reach $214 billion by 2027 [1].

Credit Card Fraud in the US
Figure 2: Image courtesy

Frightening growth in payment industry fraud

On the other hand, a recent report stated that more than three out of four credit card merchants have been the victim of fraud, including stolen cards, counterfeit cards, card skimming, employee fraud, chargeback fraud, return fraud or gift card fraud. Overall, more than one in four online sales (27%) turn out to be fraudulent [2]. If those statistics hold true for the vehicle rental industry, a massive risk has indeed developed.

Recurring and unforeseen charges

As the development process geared up, things became even more challenging:

Recurring Charges

In addition to the expected rental customers, such as locals needing a car or truck here and there or domestic and international travelers visiting the region, some customers needed regular, repeat use of vehicles and some required long-term vehicle leases. In these circumstances the rental agency needed to charge credit cards repeatedly, and in some cases on an ongoing, periodic basis.

Unforeseen Charges

Other customers incurred traffic violations or passed through tolls without paying, which resulted in unexpected charges showing up after the car was returned. So, like the recurring charges described above, the credit cards in these cases had to be charged again, sometimes long after the renter had flown home.

As a result of these issues, customer payment information would have to be stored for later use, a fact that would expose every client rental agency, as well as every single rental customer, to significant financial risk. Graeme and his team realized that they had a problem to solve. “As the project moved forward, and while we had auditors working with us to prepare for PCI compliance, we kept searching for a way to remove the risk of storing payment data. It was those auditors who pushed us towards tokenization, which is how we landed in talks with Ray Côté and Auric Systems.”

Figure 3: Sensitive data is obscured

Storing payment information without storing payment information

Ray and his team demonstrated how the AuricVault® Tokenization services would enable GMH Systems clients to store payment-related data without storing the actual, readable data, thus removing risk from the rental process. The service does this by automatically converting sensitive data to unique token IDs, removing the sensitive data from client servers, and encrypting the data, which is then stored at two geographically separated remote facilities. In effect, the approach shifted responsibility for the encryption, tokenization and storage of sensitive data to the AuricVault service.

As a significant added value, these services can reduce the PCI footprint. Of the 12 main requirements and 250 sub-requirements of PCI DSS 3.2, Auric Systems International takes responsibility for 255. The remaining 7 are “shared” responsibilities when the service is used to protect sensitive data in a PCI-compliant manner.

Rental Car Manager
Figure 4: Rental Car Manager and the AuricVault® service protect sensitive information

The Results

Now, all these years later, rental agencies throughout the Australia Pacific region, North America and even Europe use Rental Car Manager, the software-as-a-service (SaaS) solution developed by GMH Systems. As Graeme explained, “it enables rental operators in the global travel industry to connect their application through our APIs, resulting in a solution that covers everything from reserving online to picking up a car. We pretty much handle it all.”

Indeed, when you rent a car, truck, camper, RV, or motorcycle to use while Down Under – or even further afield – the chances are high that your payment data is being processed and protected by systems utilizing Rental Car Manager and the AuricVault service. And don’t think that, just because you flew home to some point on the other side of the globe, the traffic ticket you got while cruising the dramatic east coast of Australia won’t result in a charge to your card even if the rental agency did not get the ticket until months later.

Story written by Dirk A. D. Smith, the founder of Landfall Research which specializes in the research, analysis, writing and presentation/publication of complex technical knowledge.
