Cruise Lines

Industry Pages

Industry Pages


Cruise lines need to collect guest Payment Card Information (PCI) for reservations, services, and accommodations, as well as gather their contact information and other Personally Identifiable Information (PII) necessary for travel and safety. Additionally, they need to operate in omni-channel payment environments, accepting multiple payment streams and relying on multiple payment processing partners. The complexity of the travel industry means there are many information systems –and people – that touch, process, and store both PCI and PII. The multitude of data entry points, databases for record keeping, and networks for transmitting sensitive data makes travel organizations a prime target for hackers to breach.

PII, which can be used for identity theft, authentication, and false account creation, is fast becoming a favorite target for hackers. The cruise line industry maintains a variety of reward and loyalty programs that store PII in order to track and maintain relationships with customers. Since the reward program web sites and the associated data warehouses do not necessarily contain PCI, they are often neglected when it comes to data security safeguards. Reward points, used in conjunction with stolen PII, are as good as payment card data when it comes to fraud because points can be redeemed for gift cards through various online channels, making the fraud difficult to uncover. One more reason for hackers to target travel sites for easy harvesting of saleable information.


To eliminate the risk of losing customer data, cruise lines need to deploy a combination of encryption, tokenization, and cloud data vaulting to intercept incoming sensitive data at every possible entry point. This layered approach to data security ensures that no PCI or PII is accepted, stored, or transmitted by IT systems that could be hacked, infected with malware, or inadvertently exposed by personnel. By eliminating sensitive data from internal IT systems, the scope of PCI compliance is also greatly reduced, saving time and budget. Cruise lines can use TokenEx Cloud Security Platform solutions to protect the three main collection points of sensitive data: call centers, web shopping carts, and on-premise card readers.


Even in the age of ubiquitous internet shopping, many people prefer the human touch when making complex travel plans. Call centers with experienced travel planners are still in demand for cruises, multi-city and multi-country itineraries, and adventure vacations. In order to provide excellent service, call center operators need to collect significant PII, and ultimately PCI, to complete each reservation. All that sensitive data is entered and stored on workstations and databases that are virtual honeypots for hackers.

TokenEx provides several methods of securely working with PCI and PII data in the call center. Taking PCI over the phone can be made secure by using point-to-point encryption (P2Pe) pin pads at workstations. Once account numbers are captured and encrypted, the data is sent to the TokenEx Cloud via the TokenEx API to be decrypted, tokenized and vaulted. Tokens are sent back to the call center database for future transactions. Since only the tokens are stored in the local business systems, workstations, web servers, and databases remain out of scope of PCI compliance.

Call center operators can also use a web portal to input payment information. The TokenEx Browser Based Encryption can be incorporated into the web portal to instantly encrypt the PANs and transmit them to be tokenized, vaulted, and passed on to the payment gateway of choice for processing. This enables real-time processing of payments, while reducing the scope of PCI compliance.

The web portal can also be used to secure any PII captured during a call. PII such as email addresses, bank information, passport IDs, and even medical information, can be tokenized and vaulted to ensure only the undecipherable tokens representing PII are stored locally for future processing.


Even when customers prefer the human touch of a call center to plan their travel, additional payments can be made through a web portal and checkout page. The security objective is to provide real-time payment processing using only encrypted and tokenized data—once again keeping the web server secure and out of PCI scope. Organizations can choose to have TokenEx host the entire checkout page, which is fully customized to look and behave like the business web site design, or use the TokenEx iFrame solution to host only the final payment fields. Either way, customers entering their payment data into the web site have it securely encrypted and tokenized, so that the actual PANs never enter the travel organization’s business systems. Only undecipherable tokens are returned to the business systems for recurring billing, analytics, and safe storage.


Traveling on cruises and tours usually requires additional expenditures shipside or on-site. Using payment cards to pay for everyday expenses requires a level of security akin to the call center P2Pe card readers. On a cruise ship, for example, guests may choose to bill every expense to the credit card they placed on file when they made the reservation, or to use a different card for points and rewards. The onsite card readers need to encrypt these account numbers immediately and store them in a local database. Away from port, the charges may need to be batched for transmission to the TokenEx when internet connectivity is regained.


With all these scenarios, the TokenEx Cloud Security Platform is tightly integrated into the existing business processes. TokenEx can act as a central integration point for fraud detection, chargeback prevention, and marketing analytics, passing the necessary payment data to the service providers in the format they expect, without any payment data being accepted, stored, or transmitted by the business systems.


TokenEx clients in the travel industry that rely on tokenization in the cloud to protect their guests’ data also have the freedom to use any virtually any payment processor, and integrate other payment processing services. Let’s explore an example of tokenization use in an international cruise line.


One of the world’s best known cruise lines wanted to reduce the scope and cost of PCI compliance while eliminating the risk of hackers stealing its customers’ payment and personal data. Although their call center was the main point of contact for planning, booking, and paying for elegant cruise trips, the organization also collected payment data for on-ship purchases during a cruise, and through a self-service portal for setting up payment plans. All three points of data entry needed to be secured, so that payment and PII data was not received or stored by internal business systems.

The call center is protected with a combination of pin pad encryption, tokenization, and data vaulting. Typically, when a customer makes a cruise reservation through the call center, either a bank account or credit card is recorded to initiate a down payment. To minimize the scope of PCI compliance for the call center, the P2Pe pin pads at each agent’s workstation send the encrypted account information directly to TokenEx for tokenization and vaulting. The tokens can then be stored and used in the business systems just like the payment data, but with no risk of theft.

Nightly batch processing of payments is also kept secure with existing processes creating the payment files. Because these files contain tokenized PAN data, the files are sent to TokenEx rather than directly to the processor. TokenEx replaces the tokens with PAN data, and then forwards the file onto the processor. Response files from the processor is simply the reverse flow. No sensitive data is ever stored or transmitted by the call center or back office systems after the initial input of the data by a travel associate. As a result, most of the IT systems in the call center are at the very lowest level of PCI compliance.

The ship-side crew can take additional payment data on board while at port or at sea away from internet connectivity. The on-ship P2Pe card readers store the encrypted card swipes in the ship’s local database. The private encryption key is held by TokenEx, so the data can be decrypted and then vaulted and tokenized. Therefore, hacking of the onboard database would only yield encrypted data with no key available to decrypt it. The encrypted account data is transmitted to TokenEx whenever connectivity is available from the ship, where it is decrypted, tokenized and vaulted. Tokens are then sent to the cruise line’s central server for future payment processing.

The cruise line added a web portal, so guests could track their trip itinerary and make additional payments before and after the cruise. To keep the portal web server out of the scope of PCI compliance, a TokenEx iFrame Hosted Payment page solution is used for payment card data entry. When a customer chooses to add payment information on the portal, the fields accepting the sensitive data are actually hosted on the TokenEx Secure Cloud Platform, transparently to the customer. Payment data is immediately tokenized and vaulted, and only tokens are received by the web server for payment processing. No actual PANs or other customer data are accepted or stored in the portal’s environment.

Securing all three data entry streams—call center pin pads, ship-side card readers, and the web portal— with encryption and tokenization, ensures that all payment and customer data is safely stored away from the business systems. Any data breach would reveal only tokens that are useless to hackers.


By its very nature, the cruise line is an international organization, traveling to many different countries with specific payment processors and banks. It’s a necessity that the organization be able to use in-country banking and payment gateways to process the charges in various currencies as the ships go from port to port and hosts guests using different currencies. TokenEx is payment provider agnostic, providing organizations with the ability to work with almost any PSP, gateway, or banking institution to process payment transactions. Using the TokenEx Secure Cloud Platform, organizations can choose to connect with multiple payment gateways and switch among them to process transactions as business needs change.

Connect with TokenEx to Secure Your Organization’s Sensitive Data

Your business data belongs to you. Your customers’ data belongs to them. Keeping sensitive data of all types out of the reach of hackers and safe from ransomware attacks is the job of TokenEx. You owe it to yourself and your customers to secure your enterprise against data theft. You can depend on the TokenEx Cloud Security Platform to do just that. Contact us today to learn how we can eliminate the risk of data theft and reduce the cost of PCI compliance.