How an inexpensive iFrame could have saved British Airways from a potential £500 million fine

Data breach casts unflattering light on British Airways’ data security protocols

by Jason Perhar, PCI Booking Global Business Strategy Head

British Airways’ recent announcement of a data breach that affected 380,000 of their customers highlighted the pitfalls and dangers of not adequately protecting customer data in a PCI compliant manner. 

The breach, which took place unnoticed over a 16 day period from August 21st to September 5th 2018, captured both personal information and full payment details (including CVV code). Security firms investigating the cyber-attack have pinpointed Magecard, a group that specializes in identifying and attacking websites that do not have a sufficiently secure payment infrastructure, as those responsible. 

Early indications from those knowledgeable with the breach and previous attacks by Magecard, propose that the attack was based around a script, only 22 lines in total, that was injected into a poorly secured baggage claim information page not modified since 2012. The script then transmitted any information entered on the payment page to a server controlled by Magecard.

What is an IFrame?

An IFrame (Inline Frame) is a HTML document embedded inside another HTML document (such as a webpage) on a website. PCI Booking’s IFrame is used to insert the secure payment capture form on the customers website. Fully customizable, the IFrame can be tailored to suit the web pages branding.

IFrames allow card data to be entered, tokenized and stored on secure PCI Booking servers in accordance to PCI guidelines.

The ramifications for BA’s image and customer goodwill is hard to quantify – and will, most likely, take years to recover. Financially, however, the impacts have already been seen. Stock prices at parent company IGN have dropped over 2% since the announcement, and BA have pledged to compensate customers for any financial losses they experience. These costs could pale in comparison to the potential fine of £500 million if the airline is found to have been negligent in the manner which they captured and stored payment information. 

This could well be the case as interviews published in a recent Sunday Times article with security professionals familiar with BA’s infrastructure reported that they had failed to achieve PCI compliance in December 2017.

When observing the manner and outcome of the breach, it becomes apparent that straightforward PCI compliance measures would have averted this crisis. Had BA incorporated a secure iFrame (a fully brandable payment portal that captures payment details in a PCI compliant manner) into their payment pages, such as PCI Booking’s iFrame, no payment information could or would have been intercepted by the malicious script. 

At worse (although still unlikely), the only information that could be intercepted, if a PCI compliant iFrame was in place, would be the already encrypted card token which, in itself, is useless to any attacker. PCI Booking’s structure of removing all card data from a companies infrastructure, ensures that, even in the worst case scenario of a breach on companies site, there is simply no payment information available for theft and misuse. 

All this emphasises the dangers of not securing your infrastructure in a PCI compliant manner or attempting to do so yourself, when this is not your core business. The consequences, as seen in this incident, can be extremely negative and extremely expensive.

All aspects of your workflow made compliant


Brandable Web iFrame

Customizable card capture web forms (IFrame), which can be tailored to suit your branding, allow card data to be entered, tokenized and stored on secure PCI Booking servers in accordance to PCI guidelines. 

This provides the means to collect payment information on a hosted system without exposing the underlying Application Systems to PCI scope.

The generated token is then passed to the customer server, leaving them out of PCI scope.

Card Over The Phone

Card Over The Phone is a simple process which allows merchants to request payment card details from customers. Upon request, PCI Booking sends a link to a card capture form to the client via email and/or text message (SMS).

Personal details and booking information are taken during the phone call, as is currently the case, with the payment details now submitted by the customer themselves to confirm the reservation.

Store & Manage

Unlimited Storage

Storing payment data for a duration before processing the charge, in order to confirm the booking, is imperative for those working in the travel industry.

PCI Booking securely store the captured data for the duration of the booking, allowing you to safely view the complete data within the PCI Booking Portal up until the moment of charging the card through our Universal Payment Gateway.

Credit Card Risk Assessment

While the importance of protecting traveler credit card data cannot be underestimated, it’s equally as important for a business to protect themselves from credit card fraud and the ramifications, such as costly chargebacks, that arise from fraudulent transactions.

Credit Card Risk Assessment highlights cards that exhibit known signs of fraud and returns a rank-scored that allows users to determine the level of caution that should be given to each transaction.


Charge & Transmit

Universal Payment Gateway

Often, customers and PMS vendors need to use multiple third-party payment gateways: sometimes, to reduce the high cost of transactions; sometimes, to use a local payment gateway for a regional transaction.

With PCI Booking’s Universal Payment Gateway, you can add support for new payment gateways instantly. All you need to do is to integrate once. 

PCI Booking does the rest. 


Stay in Touch

Sign up to our newsletter to stay informed about PCI compliance news, and updates regarding new PCI Booking features.