by topogios 2537 days ago
"The information included names, email addresses, credit card information such as credit card numbers, expiration dates and the three-digit CVV code found on the back of credit cards, although BA has said it did not store CVV numbers."

Is it standard for airlines to handle storing payment card details themselves and hence having to be PCI certified instead of delegating to a PSP?

3 comments

Someone injected JavaScript into their pages which collected this information. But, yes, it's standard practice for airlines to store card information (excluding the 3/4 digit code) in the customers' PNR (Passenger Name Record) in the airline's GDS (Global Distribution System). The details are on this page: https://servicehub.amadeus.com/c/portal/view-solution/965353...
Just a quick clarification: in the case of an airline website, the PNR will not be created through the GDS (too expensive); it will be created directly in the PSS (usually managed by the same company).
Think it depends on the airline and whether they allow agent bookings. Last I knew, BA.com created them on 1A but that may have changed with NDC.
For web they create them on 1A, but directly in 1A PSS, not going through 1A GDS (and therefore not paying the GDS fee, just a PSS fee). This is the case for all direct channels (websites or airline call centers) of all airlines.
It was stolen via JavaScript injected on the payment page, not from having stored data exfiltrated. This writeup calls it "digital card skimming", which seems to be a good analogy for the attack: https://www.riskiq.com/blog/labs/magecart-british-airways-br...
Given that the airline industry actually runs its own payment card network (UATP, which has been around since 1936 apparently) it does not surprise me at all that airlines do much of their payment card stuff in house.