Credit card information printed on paper airline tickets not a proper safeguard; transfer of personal information to travel wholesaler questioned

PIPEDA Case Summary #2007-386

[Principles 4.1.3, 4.3, 4.3.2, 4.7 and 4.8]

When a customer of a travel agency purchased an airline ticket, he was upset to learn that his credit card information was being transferred to another company (a travel wholesaler) to complete the transaction.  He was also disturbed that his airline ticket contained his credit card number and expiry date in full.  

The Privacy Commissioner noted that there were some gaps in the information the travel agent gave to the complainant regarding the transfer of his personal information to the wholesaler.  It undertook to make improvements to the information customers receive about the practice.  The Commissioner noted that there was a contract between the agency and the wholesaler that contained provisions regarding confidentiality.  However, there were some problems in getting detailed information from the wholesaler on its personal information handling practices.  The Commissioner recommended that the agency in question confirm these practices.  The agency in turn informed the Office that it no longer conducted business with the wholesaler in question.

As for the printing of credit card information on paper tickets, the Commissioner agreed that this was not a privacy-sensitive practice.  While noting that the agency, for the moment, has no way of controlling what is printed on these tickets (this issue is regulated by the International Air Transport Association, IATA), the consumer does have the option of having an “e-ticket,” which does not contain credit card information.  The complainant was not offered this choice.  The Commissioner recommended that, for as long as paper tickets are still issued (until May 31, 2008), the agency must explain that credit card information is printed on paper tickets and must offer the customer the option of having an e-ticket.  The agency agreed to do so.

The Office also received a complaint from another individual, against a different travel agency, about the practice of printing credit card information on paper tickets.  The findings with respect to the practice were the same as above.

The following is a detailed overview of the investigation and the Commissioner’s deliberations.

Summary of Investigation

Transfer of credit card information

When the complainant received his ticket, he noticed that his entire credit card number was printed on it, along with the name of another company.  He contacted the travel agency, which informed him that it transferred the credit card data to ensure payment between the customer and the supplier.  The complainant was of the view that this was not necessary and that the practice violates the Personal Information Protection and Electronic Documents Act (the Act).

The travel agency stated that its national office has a contractual agreement with the other company (a travel wholesaler) to provide such services as negotiated fares between travel agencies and airlines as well as offering customized travel packages.

The contract between the agency’s national office and the wholesaler contains a confidentiality agreement and a standard clause indicating that personal information is not further disclosed to third parties unless the customer has consented and unless that third party also has in place a privacy policy that embraces the scope and intent of the Act.  Notwithstanding the agreement, the agency had been following up with the wholesaler in order to determine exactly what it does with the credit card information supplied by the agency.  The Office also attempted to learn this information from the wholesaler.  However, neither the agency nor this Office was able to receive a definitive answer.

The agency noted that its service manual did not cover what information the travel agent needed to tell customers when a transaction involved a travel supplier or wholesaler, including the fact that the customers’ credit card information was being provided to the wholesaler to complete the transaction.  According to the agency’s travel training manual, agents are required to provide a fair and accurate description of the travel services purchased, including the name of any wholesalers that provide the travel services, in accordance with Travel Industry Council of Ontario (TICO) Regulations. 

In this instance, the travel agent identified to the complainant the wholesaler on the invoice, indicating the amount that was provided to it and the service charge, as required by section 32 of Ontario’s Travel Industry Act.  The agent was not instructed to explain to customers that payments for tickets are to be processed by the wholesaler or that their credit card information is provided to it to complete the transaction. The travel agent also did not inform the complainant that the wholesaler works with the agency’s national office on a contractual basis.

The travel agency implemented corrective action as a result of this complaint.  It has updated its ticket itinerary/invoice to notify customers that their credit card information may be provided to the travel supplier or wholesaler to secure a customer’s travel arrangement.  The agency has also updated its procedures whereby travel agents are required to notify customers when their credit card information is provided to a supplier or wholesaler to process payments. 

We reviewed the travel agency’s Privacy Policy, which describes when it may provide personal information to third parties without consent.  The policy notes that it may do so to an authorized contractor providing service to the customer.

Safeguards

Regarding the printing of the full credit card number on paper tickets, the travel agency referred to requirements set by the International Air Transport Association (IATA).  The agency noted that the form of payment information is necessary to enable the ticket holder to refund, exchange, or make changes to his/her travel plans while he/she is outside of the country.

IATA is an international association that acts as the governing body to create regulations for international air transport.  Part of its regulations includes setting standards for airline ticketing.  IATA controls much of the production and distribution of airline tickets for travel worldwide through a network of over 60,000 travel agents.  Standards and procedures related to ticket forms are developed and maintained by the IATA Ticketing Committee, located in Geneva, Switzerland.  This committee is responsible for the development of standards for airline travel tickets, which it publishes as Resolutions and Recommended Practices. 

Airline tickets are available in two formats: manual/paper (which is what the complainant received) and automated/electronic (e-tickets).  Manual tickets account for 60 per cent of the tickets in use currently, while the remaining 40 per cent are e-tickets.

E-tickets do not include the full credit card number.  All but the last four digits of the number are suppressed on the passenger receipt of the e-ticket.  This is possible since each coupon is printed separately from each other, in contrast with manual tickets, which are carbonized.  Electronic ticketing is used to issue, track and document usage of tickets.  As a result, it eliminates the need for the production and distribution of paper tickets.  Details of the passenger’s trip are stored in an Electronic Ticket Record in the issuing airline’s database.

Manual tickets are comprised of a booklet of coupons.  Each coupon is carbonised and therefore reflects the same data.  The coupons serve a variety of functions, including accounting, fraud prevention and assistance to airline check-in staff issuing boarding passes.  The IATA standard form ticket is used worldwide by nearly all air carriers and travel agents, and print runs are in the millions of copies.  As a result, changes to the ticket format can only be made with long lead times.

We reviewed section 14.10.1 of the IATA BSP (Billing Settlement Plan) Manual for Agents, which pertains to credit card sales – procedures and local practices.  The procedures state that agents are to enter “the credit card company two-letter identifier followed by the credit card number…in the Form of Payment box on the STD (Standard Ticket Document).

Our Office spoke to IATA regarding the masking of credit card numbers.  We learned that this issue has long been the subject of discussion among IATA members.   Although IATA has explored possible solutions, none has been found to allow for the masking of the credit card number on the coupon portion that the customer receives and then remits to the airline upon travel.  Since IATA requires its member to use standard ticket formats, computer systems used by travel agencies and airlines require the full credit card number and expiry date of the card to be entered or the ticket will not be printed.  There is no technical means currently available to mask credit card numbers on manual tickets.  IATA states that it encourages consumers to purchase e-tickets should they wish to avoid having full credit card number details on their tickets.

We questioned whether it would be possible for travel agents to mask the credit card number on manual tickets by striking out the number with a felt pen.  IATA responded that

…because of the importance of the ticket, any alterations to a ticket render the ticket invalid per Passenger Services Conference Resolution 722 Para. 3.1.12 which states that alterations to entries on the ticket (once issued from the agent or airline’s printer), are not permitted at any time except as authorized by Resolution 727.  Reso 727 talks about changes to flight information and revalidations.  These are done by means of stickers whose layout corresponds to the relevant boxes on the ticket.  Handwritten changes, which would include blacking out, would not be permitted.

IATA stated publicly that paper tickets will no longer by used after May 31, 2008.  As of June 1, 2008, e‑tickets will be the only type of ticket available.  This will resolve the issue of full credit card numbers appearing on tickets.

Findings

Issued May 22, 2007

Application: Principle 4.1.3 states that an organization is responsible for personal information in its possession or custody, including information that has been transferred to a third party for processing.  The organization shall use contractual or other means to provide a comparable level of protection while the information is being processed by a third party.  Principle 4.3 stipulates that the knowledge and consent of the individual are required for the collection, use, or disclosure of personal information, except where inappropriate.  Principle 4.3.2 stresses knowledge and consent.  It states that organizations shall make a reasonable effort to ensure that the individual is advised of the purposes for which the information will be used.  To make consent meaningful, the purposes must be stated in such a manner that the individual can reasonable understand how the information will be used or disclosed.  Principle 4.7 states that personal information shall be protected by security safeguards appropriate to the sensitivity of the information.  Principle 4.8 stipulates that an organization shall make readily available to individuals specific information about its policies and practices relating to the management of personal information.

Transfer of personal information to third party

In making her determinations, the Commissioner deliberated as follows:

• The first matter she addressed was one of terminology.  The complainant referred to the transfer of his credit card information to the wholesaler as a “disclosure.”  It was not, she noted, a “disclosure” as this Office defines the word, but rather a “use” since the agency was responsible for the information it collected.  Notwithstanding the semantics, the complainant objected to this transfer of his personal information and believed that it had occurred without his knowledge or consent.
• She noted that organizations that use third-party service providers are obliged, under Principle 4.1.3, to have provisions in place to ensure a comparable level of protection.  Such a provision existed in this case, namely, a contract between the agency’s national office and the wholesaler, portions of which cover the question of confidentiality. 
• However, in spite of the agency’s efforts to determine exactly what happens to the information it provides to the wholesaler, it could not find the answer.  While she conceded that it may be the case that the wholesaler is handling the personal information that the agency provides in a manner that is in accordance with the Act, the fact remained that the agency could not confirm for us that this was in fact so.  She therefore found the agency in contravention of Principle 4.1.3.
• As for the question of consent, she noted that the Office has long taken the stand that companies are not required to provide customers with the choice of opting-out where the third-party service provider is offering services directly related to the primary purposes for which the personal information was collected.  In this case, the customer provides consent to the primary uses of personal information when he or she purchases a trip.  The third-party service provider is offering services as a travel wholesaler that are directly related to the primary purposes for which customers provided their personal information (namely, to purchase a plane ticket or a travel package).  When the customer provides this information, he or she is consenting to its transfer to the wholesaler.  If he or she does not want the wholesaler to have this information, then the customer is free to choose a different travel agency.
• Nevertheless, the Commissioner also reminded the agency that organizations are required to make a reasonable effort to inform individuals about the use or disclosure of their personal information.  In an effort to be clearer about the transfer of personal information to the wholesaler, the travel agency revised its service manual and changed the wording on its ticket invoices to reflect the fact that credit card information is provided to the wholesaler.  She was satisfied that such steps met the requirements of Principles 4.3.2 and 4.3.

• The Commissioner recommended that the agency confirm the wholesaler’s personal information handling practices with respect to the personal information the agency sends to it.

• The agency responded that it had ceased conducting business with the travel wholesaler in question.  The Commissioner was satisfied that there was no need to retain this recommendation or pursue the matter any further. 

Accordingly, on the matter of the transfer of personal information, the complaint was considered well-founded and resolved.

Safeguards

[The Commissioner’s findings and recommendations on the practice of printing credit card information on manual tickets were directed at the two travel agencies against which we received complaints about this practice.] 

• The Commissioner agreed that the practice of printing the full credit card number and expiry date on paper tickets was not a privacy-sensitive one.  The customer receives the ticket from the travel agent, with the credit card number printed in full on the coupons, which he or she must provide to airline personnel when checking in.
• The recording of the credit card number and expiry date is a current requirement, prescribed by a governing body that dictates ticketing protocol, to show proof of payment.  However, airline personnel who are checking passengers do not have any need to know the customer’s credit number – such information is only needed by the travel agency and the airline carrier for the ticket purchase.
• While there is currently no way of masking credit card numbers that appear on paper tickets, the Commissioner was troubled by this needless exposure of the customer’s personal information.  Given the proliferation of identity theft, she was of the view that this practice is a wholly inadequate safeguard and contrary to Principle 4.7.
• The only choice available to customers is to purchase electronic tickets, which do mask such information.  The complainants were not, however, offered this option, nor were they informed at the time of purchase that the paper ticket would have the number printed on it.  Organizations are required under the Act to be open about their policies and practices.  It would appear that the agencies were not in this instance.
• She therefore recommended that the agencies:
• inform customers at the time of purchase that their full credit card number and expiry date will appear on the paper ticket; and
• inform customers that e-tickets, which mask all but the last four digits of the credit card number, are available.
• Both agencies agreed to implement the recommendations.  While noting that not all airlines and destinations offered e-ticketing, the agencies are encouraging customers to use e-tickets where available or other payment options, where it is not.  One of the agencies also changed the language of its travel invoice to include a statement informing customers that, if a paper ticket is issued, the credit card number and expiry date will appear on the ticket.

Satisfied that these measures met the requirements for appropriate safeguards and openness, the Commissioner concluded that these complaints were well-founded and resolved.

See also

#388 Ticketmaster Canada Limited revised its policies and practices with respect to PIPEDA to protect customers’ personal information

#377 Law firm’s shoddy privacy practices result in missing personal information; request for access denied