Fraud is rapidly increasing in the travel industry and airlines are highly exposed due to the nature of transactions involved (remote sales, large amounts, mobile fraudster population).
IATA has responded to industry requests to support efforts and combat fraud as we are committed to helping the industry in this important area. We aim to facilitate discussions, share best practices and ease access to fraud prevention resources.
Elevating the Airline Industry as the World Model for Fraud Prevention
Airlines pay approximately US $7 billion a year to collect payment for their sales. Most of this amount represents the cost of collecting card payments. In addition, airline card sales are exposed to fraud which is estimated at close to US $1 billion per year.
As a result, the Industry Fraud Prevention (IFP) project has been designed to better assess airline fraud risk in the areas of card payments, frequent flyer programs, and cyber fraud. The first phase of the project has focused on the "Card-Not-Present" (CNP) aspects of the airlines' direct sales transactions and some basic activities in the area of frequent flyer programs.
Bring Industry Partners together to implement Common Solutions in order to Protect Revenue.
How did it start?
In 2015, IATA surveyed or interviewed 44 airlines to understand the risk of Payment Fraud related to airlines' direct sales for the specific "Card-Not-Present" aspects with the associated cyber/IT issues. The results have been presented to the Financial Committee (FinCom), an airline working group composed of the CFOs from IATA Member Airlines.
The outcome & recommendations have been endorsed and the strategic areas for action have been identified.
In 2016, the Industry Fraud Prevention project (IFP) is laying the foundation of Fraud Prevention at Industry level. The project aims to establish best practices and set standards for the Industry in order to support fraud prevention, detection and loss reduction. Furthermore, it will provide the means to build multi-disciplinary fraud knowledge and experience at the industry level through education and benchmarking in order to improve industry performance.
Another strategic area is about engaging card schemes and large issuing banks for collaboration, and developing partnerships with service providers in fraud detection and prevention. The project will strengthen communication and cooperation within the payment supply chain in a flexible manner, taking market specifics into account while supporting the implementation of common anti-fraud solutions.
For 2017 and onwards: IFP will expand to Fraud Management, becoming operational within IATA.
IFP Latest News
Remain up-to-date with what is happening in the world of Industry Fraud Prevention.
White Paper - Fraud in the airline industry
Payment fraud costs the airline industry an estimated USD 1 billion annually. This new IATA White Paper (pdf) shows how industry collaboration can reduce crime as well as costs.
ACTA and the Canadian Travel Fraud Prevention Group (CTFPG)
On November 22, 2016 ACTA attended the Canadian Travel Fraud Prevention Group (CTFPG) meeting in Montreal hosted at the IATA headquarters. ACTA is recognized as a partner of IATA on this fraud prevention group initiative. The purpose of the CTFPG is to bring Industry Partners together to implement common solutions and best practices to protect revenue. The discussions were at a high level given that the members of the committee use a variety of tools and processes to fight fraud.
The Virtuous Cycle of Fraud Prevention
We facilitate four crucial steps which center around people, policies, processes, tools and data. Each represents a critical action to be taken for identifying and preventing fraud.
- Measure - Each airline to benchmark its fraud performance vs. the airline industry and other relevant industries
- Prevent - Efficient use of tools provided by card schemes at time of transaction
- Detect - Identify suspected fraud at time of transaction a posteriori
- React - Review suspect transactions and complete or cancel those transactions.
A use case for the Industry
With the IFP Project, IATA aims to establish an industry fraud prevention strategy. However, there are still a few important challenges to overcome, such as:
- Absence of industry benchmark
- Uneven participation in the Airline Days of Action (DoA)
- High disparity in Fraud Prevention performance between the airlines
- Lack of industry consensus with regards to fraud prevention supported tools
Furthermore, although the airline industry is one of the most exposed to fraud by the nature of its transactions (remote sales, large amounts, mobile fraudster population), its performance against fraud is not measured consistently and fraud is often related to bigger criminal activities. Thus, the need for a coordinated action becomes obvious.
Different initiatives and resources are already in place and provided by different parties.
Days of Action (DOA)
A key international initiative led by Europol and connecting Law Enforcement Authorities (LEA) with global stakeholders. IATA is working closely together with all involved parties. Information on previous DOAs can be found below:
IATA Supported Tools
IATA offers some supporting tools specifically tailored for airline needs (IATA Perseuss) and cooperates in 3 Regional Fraud Prevention groups (Europe, Asia Pacific, LATAM). In 2016, we added Canada. Thanks to these tools, IATA Member airlines individually attempt to measure their fraud performance and benchmark.
All you need to prevent Fraud
- Card Payment Policies and Fraud Prevention
Understand payment card transactions from authorization to settlement and learn about fraud prevention, remediation and why Payment Card Industry Data Security Standard (PCI DSS) is an important step in protecting cardholder data. Visit our dedicated Training page for more information.
IATA Supported Products
- IATA Perseuss - Fraud Information sharing service
Airline ticket sales are an attractive area for fraudsters. Card payment fraud is estimated to amount to over US $1 billion a year in the airline industry. IATA Perseuss is a web-based community allowing airlines to cooperate, identify and fight fraudulent schemes.
- Thanks to Ethoca's global merchant-issuer collaboration network, Ethoca Alerts deliver cardholder-confirmed fraud intelligence to its subscribers. Information is provided in days, hours or even minutes rather than weeks as it currently happens through the regular chargeback process. This service provides a unique window of opportunity to stop transactions, cancel bookings, and resell tickets to good customers.
Report a fraudulent e-mail or check the validity of an e-mail
Industry-wide events - One common Goal
Several IFP recommended events are taking place in the coming months, such as conferences, industry meetings and workshops. Click on each event to have more information about it.
- Aviation Show MEASA by Terrapin
- IATA Fraud Prevention Strategic Partners Annual Briefing Day (pdf) by IATA
- Aviation Festival 2020 Asia by Terrapin, POSTPONED to 22-23 June 2021 - Singapore
- MoneyLive: Payments & Banking 2020 by MoneyLive
- Aviation Festival 2020 Americas by Terrapin, RESCHEDULED to 15-16 October 2020 - Miami, USA
- IATA Frequent Flyer Fraud Programs Fraud Prevention Workshop - CANCELED
- Aviation Festival 2020 Europe by Terrapin, 23-25 September 2020, Online
- IATA Global Fraud Prevention Event - CANCELED
- IATA World Financial Symposium - POSTPONED
Will IATA Industry Memos distributed via email only cover indirect sales (IATA agents)?
No, we aim to share information and good practices about general payment issues that apply to all sales, both indirect and direct. As an example, Resolution 890 demands that Agents collect CVV2 for first time sales to unknown customers and, in order to protect themselves, refuse to complete the transaction on an authorization approved despite a CVV2 mismatch. Airlines should verify that their GDSs support the feature as it protects both the airline and the agent.
The authorization requests go through GDSs for IATA Agent transactions. As an Airline, should we contact GDSs besides our acquirers?
Yes, you should ask GDSs if they support CVV2 in the authorization request, AND if they pass on the CVV2 response code, alongside the approval code, in the authorization response they send to the Agent.
Airlines are required to take some actions based on the response received from the acquirers or processors. As an Airline, isn’t it more suitable to ask the agents and GDSs to take instant actions in the authorization phase of transactions? In addition, will there be an action required from the agents?
Resolution 890 demands that the Agent does not complete the transaction on an approval with CVV2 mismatch. IATA is monitoring the presence of the CVVR response code in the RET files reported by the GDSs. However, we do not take further action if a sale was completed despite a CVV2 mismatch. The card fraud reports that an airline receives from its acquirers should show if there was a CVV2 mismatch. When it receives a fraud chargeback, an airline should investigate whether the Agent went ahead with the risky sale despite that clear warning. If that is confirmed, the airline should point out to the Agent that it could have avoided the fraud, and issue an ADM.
As an Airline and regarding CVV code, I have requested internally to get a report on the CVV data for the US market in order to identify the usage of the CVV field. I have been advised that CVV today is not a mandatory field for the Card Schemes. Is this true?
This is not exactly true: all merchants with Card Not Present (CNP) transactions are strongly invited to use CVV2 as part of the portfolio of fraud prevention measures they deploy. All cards in issue are expected to carry a CVV2. The only exceptions are lodged cards, where the Travel Agent usually knows the person making the booking.
It is very hard for us as an Airline to impose something that must come from card schemes. We definitely need card schemes and industry bodies (IATA, ARC) to establish the CVV field as mandatory.
Resolution 890 already stipulates that the Agent should not complete the transaction on an approval with CVV2 mismatch. Some issuers will not send an approval code with a CVV mismatch, but unfortunately this is not a policy that the card schemes are ready to endorse globally.
What initiatives are resulting from the distribution of the IATA industry memos?
IATA is monitoring the presence rate of CVVR (CVV2 response code) in RET files in order to evaluate GDS performance in supporting it. We would like to build an industry fraud benchmark in partnership with the international card schemes in order to provide airlines with the ability to individually evaluate their fraud prevention performance. Part of it would hopefully show how much of the fraud is committed on an authorization approval code given despite the CVV2 mismatch.
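The two checks described in the answers above (the CVVR presence rate per GDS, and fraud chargebacks on sales completed despite a CVV2 mismatch) can be sketched as follows. This is an added example, not IATA code: the records are constructed, the field layout is hypothetical and does not follow the RET file format, and the code values "M" (match) and "N" (mismatch) are assumptions.

```python
from collections import defaultdict

# Constructed sample of completed agent sales (hypothetical layout, not RET):
# (ticket, gds, cvvr, fraud_chargeback); cvvr None = no response code reported.
SALES = [
    ("T001", "GDS-A", "M", False),
    ("T002", "GDS-A", "N", True),   # completed despite mismatch, then charged back
    ("T003", "GDS-A", "N", False),
    ("T004", "GDS-B", None, True),  # no CVVR passed on by the GDS
    ("T005", "GDS-B", "M", False),
    ("T006", "GDS-B", None, False),
    ("T007", "GDS-A", "M", True),   # fraud even though CVV2 matched
]

MISMATCH = "N"  # assumed code value for a CVV2 mismatch


def cvvr_presence_rate(sales):
    """Per GDS, the share of sales whose record carries a CVV2 response code."""
    total, present = defaultdict(int), defaultdict(int)
    for _ticket, gds, cvvr, _cb in sales:
        total[gds] += 1
        if cvvr:
            present[gds] += 1
    return {gds: present[gds] / total[gds] for gds in total}


def adm_review_candidates(sales):
    """Tickets sold despite a CVV2 mismatch that later drew a fraud chargeback."""
    return [t for t, _gds, cvvr, cb in sales if cvvr == MISMATCH and cb]


def mismatch_share_of_fraud(sales):
    """Fraction of fraud chargebacks where the sale had a CVV2 mismatch."""
    fraud = [cvvr for _t, _gds, cvvr, cb in sales if cb]
    if not fraud:
        return 0.0
    return sum(1 for cvvr in fraud if cvvr == MISMATCH) / len(fraud)


if __name__ == "__main__":
    print(cvvr_presence_rate(SALES))
    print(adm_review_candidates(SALES))
    print(round(mismatch_share_of_fraud(SALES), 2))
```

A low presence rate for one GDS means mismatches on that channel are invisible to the Agent, so its chargebacks cannot be attributed to an ignored warning.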
Does IATA have standards for credit card rejects for web bookings? Where can I find these metrics?
The publication that you will find here (pdf) is specifically addressing the airline industry on this matter.
Is there any comparative data on global turnover to chargebacks within airlines?
This information does not exist today in a standardized way. The Industry Fraud Prevention initiative has undertaken actions to procure a benchmark of industry fraud, chargeback and transaction success/failure rate from the international card schemes. The CyberSource airline fraud survey, which focuses on airline Internet sales, shows some numbers.
Are there any models of ticket fraud best practice?
Please contact email@example.com to request a copy of the Passenger Standards Conference Recommended Practice on fraud prevention (reference RP1791e).
How does AVS (Address Verification System) work? Is there a link I should receive from VISA, MasterCard, American Express, etc. where I can enter the billing address?
No, AVS is not a link received from the card scheme; it’s a component of the authorization request you send out as a merchant. You need to contact your payment processor and your acquirer about how to support this. All airline central acquirers and global processors will of course support it.
Do we need the full credit card number for AVS?
Yes, the full card number is always part of the authorization request that will also contain AVS.
Is there a fee to use AVS?
IATA is not aware of any card scheme fee related to supporting AVS.