Fraud is rapidly increasing in the travel industry and airlines are highly exposed due to the nature of transactions involved (remote sales, large amounts, mobile fraudster population).
IATA has responded to industry requests to support efforts and combat fraud as we are committed to helping the industry in this important area. We aim to facilitate discussions, share best practices and ease access to fraud prevention resources.
Elevating the Airline Industry as the World Model for Fraud Prevention
Airlines pay approximately US $10 billion a year to collect payment for their sales. Most of this amount represents the cost of collecting card payments. In addition, airline card sales are exposed to fraud which is estimated at close to US $1 billion per year.
The Industry Fraud Prevention (IFP) project has been designed to better assess airline fraud risk in the areas of card payments, frequent flyer programs, and cyber fraud. The project has focused on the "Card-Not-Present" (CNP) aspects of the airlines' direct sales transactions and some basic activities in the area of frequent flyer programs.
White Paper - Fraud in the airline industry
Payment fraud costs the airline industry an estimated USD1 billion annually. This IATA White Paper (pdf) shows how industry collaboration can reduce crime as well as costs.
Bringing industry partners together to implement common solutions to protect revenue
The Industry Fraud Prevention project (IFP) laid the foundation of Fraud Prevention at Industry level. The project establishes best practices and set standards for the Industry in order to support fraud prevention, detection and loss reduction. Furthermore it provides the means to build multi-disciplinary fraud knowledge and experience at the industry level through education and benchmarking in order to improve industry performance.
Another strategic area is about engaging card schemes for collaboration, and developing partnerships with service providers in fraud detection and prevention.
The Virtuous Cycle of Fraud Prevention
We facilitate four crucial steps which center around people, policies, processes, tools and data - each represent critical action to be taken for identifying and preventing fraud.
- Measure - Each airline to benchmark its fraud performance vs. the airline industry and other relevant industries
- Prevent - Efficient use of tools provided by card schemes at time of transaction
- Detect - Identify suspected fraud at time of transaction a posteriori
- React - Review suspect transactions and complete or cancel those transactions.
A use case for the Industry
With the IFP Project, IATA aims to establish an industry fraud prevention strategy. However, there still are few important challenges to overcome, such as:
- Absence of industry benchmark
- Uneven participation in the Airline Days of Action (DoA)
- High disparity in Fraud Prevention performance between the airlines
- Lack of industry consensus with regards to fraud prevention supported tools
Furthermore, although the airline industry is one of the most exposed to fraud by the nature of its transactions (remote sales, large amounts, high street resale value, mobile fraudster population), its performance against fraud is not measured consistently. Also, airline fraud is often related to the commission of other and more serious offenses. Thus, the need for an industry coordinated action becomes obvious.
Different initiatives and resources are already in place and provided by different parties.
Days of Action (DOA)
A key international initiative led by Europol and which connects Law Enforcement Authorities (LEA) with all stakeholders working to prevent airine card fraud.
IATA is working closely together with all involved parties. Information on the last DOA in 2019 can be found here.
- Airline Payments: From Cards to Blockchain
Explore various payment methods, trends and opportunities for airlines and compare options and recommended strategies for payment acceptance and management, while taking into account market changes and customer needs, distribution channel optimization, cost, risk and cash flow.Visit our dedicated Training page for more information.
- IATA Perseuss - Fraud Information sharing service
Airline ticket sales are an attractive area for fraudsters. Card payment fraud is estimated to amount to over US $1 billion a year in the airline industry. IATA Perseuss is a web-based community allowing airlines to cooperate, identify and fight fraudulent schemes.
The Passenger Standards Conference Manual contains 2 Recommended Practices (RP) on fraud prevention that are accessible on request by the Manual owner:
- PSC RP 1791e Card Fraud Prevention Best Practices
- PSC RP 1791f Frequent Flier Program Fraud Prevention Best Practices
ADM management & Reduction
The Credit Card Chargebacks and Fraud Prevention section addresses how Travel Agents can protect against card chargebacks when accepting card payment on behalf of airlines. Most advice is valid and remains the same for any card accepting merchant.
Report a fraudulent e-mail or check the validity of an e-mail
- Visit our Email and Website Fraud Protection webpage for more information on how to identify fraudulent activities and report them to IATA.
Will IATA Industry Memos distributed via email only cover indirect sales (IATA agents)?
No, we aim to share information and good practices about general payment issues that apply to all sales, both indirect and direct. As an example, Resolution 890 demands that Agents collect CVV2 for first time sales to unknown customers and, in order to protect themselves, refuse to complete the transaction on an authorization approved despite a CVV2 mismatch. Airlines should verify that their GDS’s support the feature as it protects both the airline and the agent.
The authorizations requests go through GDS’s for IATA Agent transactions. As an Airline, should we contact GDS’s beside our acquirers?
Yes, you should ask GDS’s if they support CVV2 in the authorization request, AND if they pass on the CVV2 response code, alongside the approval code, in the authorization response they send to the Agent.
Airlines are required to take some actions based on the response received from the acquirers or processors. As an Airline, isn’t it more suitable to ask the agents and GDS’s to take instant actions in the authorization phase of transactions? In addition, will there be an action required from the agents?
Resolution 890 demands that the Agent does not complete the transaction on an approval with CVV2 mismatch. IATA is monitoring the presence of the CVVR response code in the RET files reported by the GDS’s. However we do not take further action if a sale was completed despite a CVV2 mismatch. The card fraud reports that an airline receives from its acquirers should show if there was a CVV2 mismatch. An airline should investigate when it receives a fraud chargeback if the Agent went ahead with the risky sale despite that clear warning. If the latter is confirmed, the airline should mention to the Agent it could have avoided the fraud and issued an ADM.
As an Airline and regarding CVV code, I have requested internally to get a report on the CVV data for the US market in order to identify the usage of the CVV field. I have been advised that CVV today is not a mandatory field for the Card Schemes. Is this true?
This is not exactly true, all merchants with Card Not Present (CNP) transactions are strongly invited to use CVV2 as part of the portfolio of fraud prevention measures they deploy. All cards in issue are expected to carry a CVV2. The only exceptions are lodged cards, where the Travel Agent usually knows the person making the booking.
It is very hard for us as an Airline to impose something that must come from card schemes. We definitely need card schemes and industry bodies (IATA, ARC) to establish the CVV field as mandatory.
Resolution 890 already stipulates that the Agent should not complete the transaction on an approval with CVV2 mismatch. Some issuers will not send an approval code with a CVV mismatch but unfortunately this is not a policy that the card schemes are ready to endorse globally.
What initiatives are resulting from the distribution of the IATA industry memos?
IATA is monitoring the presence rate of CVVR (CVV2 response code) in RET files in order to evaluate GDS performance in supporting it. We would like to build an industry fraud benchmark in partnership with the international card schemes in order to provide airlines with the ability to individually evaluate their fraud prevention performance. Part of it would hopefully show how much of the fraud is committed on an authorization approval code given despite the CVV2 mismatch.
Is there any comparative data on global turnover to chargebacks within airlines?
This information does not exist today in a standardized way. The Industry Fraud Prevention initiative has undertaken actions to procure a benchmark of industry fraud, chargeback and transaction success/failure rate from the international card schemes. The CyberSource airline fraud survey, which focuses on airline Internet sales, shows some numbers.
Are there any models of ticket fraud best practice?
Please contact firstname.lastname@example.org to request a copy of the Passenger Standards Conference Recommended Practice on fraud prevention (reference RP1791e).
How does AVS (Address Verification System) work? Is there a link I should receive from VISA, MasterCard, American Express, etc. where I can enter the billing address?
No, AVS is not a link received from the card scheme, it’s a component of the authorization request you send out as a merchant. You need to contact your payment processor and your acquirer on how to support this. All airline central acquirers and global processors will of course support it.
Do we need the full credit card number for AVS?
Yes, the full card number is always part of the authorization request that will also contain AVS.
Is there a fee to use AVS?
IATA is not aware of any card scheme fee related to supporting AVS.