6
January

AC no longer keeps credit card information

  • Was looking to update some information on my Ac profile and got this message:

    "We no longer offer our customers the ability to retain credit card information within their profile.

    We apologize for any customer service inconvenience this may cause. If you have previously saved your credit card information, please take note that the information has been deleted and that you will now have to provide this information at booking time."

    Looks like PIPEDA strikes again.


  • It's not PIPEDA, but rather PCI (Payment Card Industry) standards that Air Canada is following. As mentioned, the easiest way to comply is not to store credit card data. If it was being stored, it would have to be encrypted which is sometimes a rather difficult task (and for AC IT, they would likely butcher it so why try??).

    I think there's a distinction here that should be drawn. I'm going to assume that AC is still maintaining CC numbers, otherwise they would have no way of using your CC number as a crosscheck before allowing you to make online changes to an existing booking.

    Whether they allow you to keep CC numbers in your profile is, as other posters have pointed out, a different story.

    MMD


  • This change is not going to affect me. Given the track record of AC and AE IT depts (especially AE and the recent case of being able to see other people's AE reservations) these are two websites where I had never stored any credit card information and gave just the basic information required.


  • Looks like PIPEDA strikes again.

    I don't believe there would be any issues with AC storing your credit card information under PIPEDA, so long as you consent to it being stored and AC only uses it as directed.

    More likely, I think this is a result of the fallout from some of the recent high profile data breaches (in Canada, Winners comes to mind). There has been a fair amount of discussion of how organizations can limit their exposure to damage from such breaches, and one of the most common sense suggestions is to simply not retain any customer information that isn't really needed.


  • I don't believe there would be any issues with AC storing your credit card information under PIPEDA, so long as you consent to it being stored and AC only uses it as directed.

    More likely, I think this is a result of the fallout from some of the recent high profile data breaches (in Canada, Winners comes to mind). There has been a fair amount of discussion of how organizations can limit their exposure to damage from such breaches, and one of the most common sense suggestions is to simply not retain any customer information that isn't really needed.

    It's not PIPEDA, but rather PCI (Payment Card Industry) standards that Air Canada is following. As mentioned, the easiest way to comply is not to store credit card data. If it was being stored, it would have to be encrypted which is sometimes a rather difficult task (and for AC IT, they would likely butcher it so why try??).


  • Weren't Winners retaining CC numbers from store transactions without consent? Not quite the same thing.

    I haven't seen any other on-line merchants - Amazon, Chapters etc - take this step yet.

    You could be right, I don't remember the details. But that wasn't really the point I was getting at. The point is that there was a data breach and it reflected very poorly on the company. TD Ameritrade was hit by unauthorized spyware/malware/whatever on its servers that compromised client email addresses, the UK government lost records containing personal data relating to some social program or other, and so on and so on.

    These have all been highly public and highly embarrassing incidents for the organizations involved. The point is that companies are taking steps to minimize the costs (financial and reputation) associated with any potential data breach.

    Any company just thinking about this now is well behind the curve, IMO, but it's better late than never. For example, when PIPEDA was first implemented, Telus stopped retaining customer SIN numbers. It was a case study (literally) in a proactive approach to assessing what customer data is mission critical and what is just an accident waiting to happen.

    So now when you have to book or change a flight on your cell phone in a public place, you'll have to recite your CC number and the expiry date (and your AE number). Another advance.

    I would imagine the odds of the wrong person overhearing/intercepting your phone call with the means to cause harm with the information they hear are significantly less than the likelihood that someone tries gain access to the AC/AE database (hack attempts happen all the time, don't they?). And besides, where you make the call is, arguably, within your control. There's usually somewhere you can get to for a bit of privacy or to avoid using your cell phone.


  • I'm firmly in the camp of never storing CC info on any website.


  • +1

    The 30 seconds it takes me to type in my CC info each time is worth it for my (admittedly foolish) peace of mind.

    bawm

    I don't agree. On at least one occasion on the AC website the time it's taken me to input my CC number/info has resulted in a much higher fare than the one I was trying to buy. Maybe that's the plan.


  • It's not PIPEDA, but rather PCI (Payment Card Industry) standards that Air Canada is following. As mentioned, the easiest way to comply is not to store credit card data. If it was being stored, it would have to be encrypted which is sometimes a rather difficult task (and for AC IT, they would likely butcher it so why try??).

    +1 - was gonna say the same thing, PCI is the more likely culprit.


  • This change is not going to affect me. Given the track record of AC and AE IT depts (especially AE and the recent case of being able to see other people's AE reservations) these are two websites where I had never stored any credit card information and gave just the basic information required.

    +1

    The 30 seconds it takes me to type in my CC info each time is worth it for my (admittedly foolish) peace of mind.

    bawm


  • More likely, I think this is a result of the fallout from some of the recent high profile data breaches (in Canada, Winners comes to mind).

    Weren't Winners retaining CC numbers from store transactions without consent? Not quite the same thing.

    I haven't seen any other on-line merchants - Amazon, Chapters etc - take this step yet.


  • A prudent security step it would seem as I can only imagine the liability issues had those stored CC's been compromised in a hack attack or other online intrusion.


  • A merchant the size of AC would be required to have on site assessments made by a certified PCI auditor. Hopefully they do a good job and ensure the data is safe.


  • So now when you have to book or change a flight on your cell phone in a public place, you'll have to recite your CC number and the expiry date (and your AE number). Another advance.







    • #If you have any other info about this subject , Please add it free.#
    Your name:
    E-mail:
    Telphone:

    Your comments:


    If you have any other info about AC no longer keeps credit card information , Please add it free.
    Posted by jack under xn--g2x675c.com
    edit