Auto Rental News
MenuMENU
SearchSEARCH

Complying With Data Security Standards

The continuing spread of identity theft and computer hacking has prompted an assortment of standards designed to protect consumers' privileged information, including credit card and driver’s license numbers.

by Cathy Stephens
February 1, 2005
5 min to read


Meet Always Happy Rent-A-Car, an up-and-coming rental company that's purely fictional. Always Happy RAC has increased its online reservations' volume 33% in the past two years. The company has also introduced a customer loyalty program and used data mining techniques to overhaul its marketing initiatives.

As a result, the president of Always Happy RAC in January forecasted 15% profit growth for the coming year. But there's only one problem: A computer hacker 2,000 miles away has made the RAC's Web site the target of Structured Query Language (SQL) injection attacks. Though Always Happy's homepage assures customers that their transactions are secure, the truth is that the company doesn't store customers' personal data in an encrypted format. The hacker is able to access customers' credit card numbers and home addresses stored in unencrypted clear text.

Ad Loading...

After the hacker sells the customer data to an identity-theft crime ring, law enforcement officials eventually trace the problems to Always Happy. The company becomes yet another target -- of customer lawsuits and a Federal Trade Commission investigation.

Yes, this cautionary tale is fictional. But it's not that far-fetched. The Federal Trade Commission has filed a number of cases against companies that sell products and services online, charging them with making deceptive claims about how they store customers' personal information.

Car rental companies of all sizes are booking more rentals on their own Web site and requiring the transmission of personal information like home addresses, phone numbers and sometimes credit card numbers. But if your company stores this information on its own servers, you need to establish a security program designed to protect that data's confidentiality and integrity. You also need third-party audits and company-wide training about the importance of protecting customers' personal information.

"Consumers have the right to expect companies to keep their promises about the security of the confidential consumer information they collect," said Lydia Parnes, acting director of the FTC's Bureau of Consumer Protection, in a statement released to the press last November.

What spurred Parnes' statement? It was part of the FTC's announcement that it had settled a case against Petco Animal Supplies, in which the agency accused www.petco.com of security flaws. [PAGEBREAK]

Ad Loading...

The rise of identity theft, computer hacking and credit card fraud has triggered customer privacy standards for all online marketers, including car rental companies. These standards include 1999's Gramm-Leach-Bliley Act (GLB), various FTC rules and guidelines, and Visa's Cardholder Information Security Program (CISP). State and local governments, as well as financial institutions and insurance providers, can also set customer privacy guidelines. Third-party data security auditors might include some of their own guidelines, too, to qualify clients for certification.

In addition to data protection, these standards can involve disclosure about how a company uses customer data and tracks customer online activity. For example, what is your company's policy on the use of "cookies"? Do you use them to track patterns and trends in Web site visits? Do you share information about Web site visitors with other parties? Do you use advertising cookies sent by third-party Web servers? You may be required by law to disclose this information to consumers.

"A company's compliance requirements depend largely on the size of the operation; its types of transactions; where and how data is collected, shared and stored; and who can and who needs to access customer data," says Eric J. Peterson, director of product development for TSD Rental Management Software.

Peterson advises car rental operators to consult with their attorney, insurance provider and franchisor (if they have one) to learn what steps they need to take to ensure compliance on their end. One option is to outsource customer data storage to a third party like TSD. Through its ISP service, TSD can store a company's customer data on TSD servers at the company’s data center.

For independents and franchisees in particular, outsourcing can be a practical choice. Most of these operators would rather concentrate on their core business -- renting cars -- than to devote so many resources to meeting data security standards. Sensitive financial transactions can also be left to a third party that's certified as compliant.

Ad Loading...

"Compliance involves firewalls, encryption, the layering of network infrastructure -- concerns that some car rental companies don't want to worry about," Peterson explains. "Keeping the Internet a safe place is a 24/7 effort. You need lots of what we like to call fences -- and many layers of authentication -- before the data can be accessed."

Rental companies such as Hertz Local Edition, Avis, Budget, Thrifty, U-Save and hundreds of independent rental businesses use TSD's secure technology to safeguard data transmissions among their rental locations, insurance companies, GDSes, Internet channel Web sites and customers.

Companies wishing to keep customer data storage in-house, however, have the option of hiring a data security specialist, such as TruSecure, to conduct data security audits and help develop a comprehensive data security plan.

Compliance with FTC standards, the Gramm-Leach-Bliley Act (also known as the Financial Modernization Act of 1999) and Visa's CISP program is crucial for today's car rental operators. But even if your company chooses to store sensitive customer data off-site on secure third-party servers, it's important to develop a security plan for your company. That means defining clear and documented procedures to protect customers' personal data, Peterson says.

All employees need to be educated about the importance of safeguarding privileged customer information. Your company's security policy needs to be highlighted in the employee handbook and in training materials.

Ad Loading...

What's more, managers should restrict employee access to sensitive customer data, Peterson says. Managing data security should be allocated to a specific staff member, and security measures should be tested and reevaluated on a regular basis.

Subscribe to Our Newsletter

More Rental Operations

green and blue bar graphs compare fleet sales June 2025 versus June 2026
Fleet Acquisitionby Martin RomjueJuly 8, 2026

Rental Car Fleet Sales Show Mid-Year Strength

June gains ensured rental fleets closed out the first half of 2026 in positive territory.

Read More →
Close up of a row of white CUVs in the Surprice Mobility fleet at the Milan airport.

Surprice Mobility Opens Corporate Rental Station at Milan Malpensa Airport

The Milan opening is part of Surprice Mobility's broader strategy to expand its corporate operations while increasing the use of technology across its network.

Read More →
Julian Gritsch with an MBA class in a classroom.

Brazilian Executive MBA Targets Growing Domestic Rental Car Industry

Rental car companies face a unique combination of challenges that are rarely addressed in traditional programs.

Read More →
Ad Loading...
Green Motion team with banner bearing Japanese flag.

Green Motion Expands Into Japan With Master Franchise Agreement

Japan's tourism industry, business travel market, and demand for vehicle rental services are reasons the country represents an important market for the company.

Read More →
ACRA Chairman Sharky Laguana on stage at the ICRS event in Grapevine, Texas.
Legal & Legislativeby Martin RomjueJune 24, 2026

ACRA Carrying Fuller Industry Load As AI and EVs Lurk In Future

The leading car rental professional business group details an active legislative, regulatory, and macro-trends agenda affecting car rental operators.

Read More →
Light blue horizontal bar graphs on a chart showing World Cup-related rental car booking trends.
Rental OperationsJune 23, 2026

World Cup Travel Data Shows Longer Car Rentals and More One-Ways

A recent analysis of FIFA bookings found varied demand patterns that influenced rental car pricing.

Read More →
Ad Loading...
Side view of ICRS speaker Sanchit Garg at podium in front of a floor lit red curtain
Rental Operationsby Martin RomjueJune 22, 2026

A Leveling Force: AI Morphs Into A Rental Car Profit-Seeker

Revenue managers can’t match the emerging AI tools gobbling lots of data that could counter the competitive race to the rate bottom.

Read More →
Photos of Martin Romjue and Denis Gjoni on opposite sides of large headline for the video.
Rental Operationsby Martin RomjueJune 17, 2026

Stop Losing Money On Rental Tolls

Regardless of your rental fleet size and structure, fleet managers, executives, and owners can gain valuable insights into an often-overlooked area of fleet operations.

Read More →
Richard Lowden gesturing on stage in front of a red curtain at the Gaylord Texan Resort near Dallas.
Rental Operationsby Martin RomjueJune 12, 2026

Rethink The Future To Avert A Race To The Bottom

Rental car operators heard a sobering industry message and a stern challenge at the close of the International Car Rental Show.

Read More →
Ad Loading...
John Possumato holding microphone while asking a question during a live conference session at the ICRS Show.

DriveItAway, Free2move Plan Shared Fleet Program for Independent Rental Fleet Operators

Vehicles would be placed with participating rental operations to support car renter demand and provide additional fleet capacity.

Read More →
Ad Loading...