To improve the odds of preventing the next 9/11, governments and the world’s airlines have implemented policies to strengthen passenger and aircraft security systems.
British Airways, in particular, goes to great lengths to protect the privacy and security of the travelling passenger. But sometimes, the carrier’s well-intentioned policies, drawn from the UK’s Data Protection Act of 1998, end up hurting the very passengers these policies are designed to help.
Before we get to BA, let’s review the typical airline booking process. With so much competition among the world’s airlines, the most common way a traveller buys an airline ticket is online, through a website such as MakeMyTrip, Kayak or Cleartrip. True, some travellers still go to brick and mortar travel agents but, when most travellers can search for the best deals in almost an instant and book complicated international travel itineraries online from the comfort of their homes, it is no wonder that traditional travel agencies are dying a slow death.
The degree to which a traveller’s comfort can be pre-booked and confirmed is remarkable. Route preferences, seat selection, meal choices and various levels of wheelchair assists all become part of the passenger record at the time of booking. Even first-time users can book tickets as though they are trained IATA agents.
Further, to make transit easy, government identifying information — such as passport numbers, dates of issue and expiry, visa information and special redress numbers that can flag passengers through security more easily — is collected during the booking process. All the travelling passenger has to do on the day of travel is show up at the airport with the appropriate documents that match the details already provided.
Convenience
For the traveller, these websites provide an additional invaluable advantage: the anonymity, which makes it easier for the less abled — such as the elderly, or novice passengers — to travel without being involved in the nuances of the booking cycle. Family members can book tickets for a loved one, even from a different country. The internet is truly global in its reach.
Once the booking process is completed, the travel agency website sends out a Booking ID (with the details of travel) to the email address on record. The email address does not have to be that of the traveller and, for novice travellers, is often that of the person who booked the ticket (henceforth called the “user”, to distinguish from the traveller). Minutes later, the agency or the airline sends out the airline Confirmation Code — still the same six-character code that has been the staple of airline travel for decades.
For most airline computer systems, just two pieces of information are therefore required to view or change a traveller’s booking record: the Confirmation Code and the Last Name of the traveller. British Airways too allows full access to a traveller’s booking file if these two vital elements are known. Once in, the user can view and change every aspect of the traveller’s choices previously confirmed. The user can even print the boarding pass within the 24-hour window prior to departure.
The problem is that BA appears to have vastly tightened the access process if a user were to call a contact centre for help with a traveller’s booking. After the initial pleasantries, the agent asks you for your credentials. If you are not the traveller, BA sets out to establish that you have the authority to act on the traveller’s behalf.
Not only is this fair, but also essential. Travellers would not want unscrupulous persons to access their sensitive travel records. But BA’s process to establish the validity of the user is poor and unrealistic and, by erring on the side of caution and privacy, BA has created a situation where engagement with the call centre is a rather unfriendly experience.
Roundabout service
Suppose you are the user who lives abroad and your parent is the traveller who lives in India and is visiting you for a few months. You made the booking on Makemytrip and paid for the ticket using your Indian bank account.
First, the call centre agent checks to see if your name is on the travel record. This is rarely on the record because travel agencies do not send customer profiles to carriers. (Flaw #1: As part of the booking process, BA should ask online travel agencies to require users to key in user information, with certain authentication details such as a passport number and a password, which should be added to the travel record so that call centre agents can properly validate users before discussing the traveller’s file.)
The agent is immediately suspicious of you and crawls under the enormous umbrella called the UK Data Protection Act for cover. Once under this umbrella, the balance of power has immediately moved to the agent, who has gained new authority to become unhelpful, or even be uncivil.
The agent asks to speak with the traveller to validate if the traveller is ok with the agent discussing the booking with you.
This is a problem. The agent has not even determined if your question requires user validation. Suppose you had a generic question: “The system printed two out of three boarding passes during online check-in, what do we do for the final leg of travel?” An agent with customer service on his mind could ask if the third leg of travel was on a BA-operated flight. If it is not, the agent could say that only BA-operated boarding passes are typically issued during online check-in, and boarding passes for other connecting airlines are issued at the airport.
The agent could end by saying, “I'll be glad to help you further by looking into the traveller's record, but this will require me to ask you certain questions, is that ok?” (Flaw #2: BA customer service agents are trained to need the traveller to validate a user, even for generic questions.)
Eager for specific information, you tell the agent truthfully that your aged parent is in India thousands of miles away. The agent demands that you conference the elder in. You tell the agent that you have no way of conferencing her and ask the agent to do so. The agent refuses saying that the contact centre does not have the capability to make external calls. (Flaw #3: If the BA demands to speak to the traveller, it has to have outgoing conferencing capabilities for its contact centre, perhaps authorised by a supervisor.)
Frustrated, you hang up and call the contact centre again with a trick up your sleeve. This time, at the validation step, you beckon someone in your household as the same gender of the traveller to the phone. The agent has no way of knowing that your sister has now become your travelling mother. (Flaw #4: BA should not require validation unless it is sure that the person validating is definitely and positively the traveller.)
The agent asks for only two pieces of information to ascertain the identity of the traveller: the phone number at the time of booking and the email address of the user (which you, as the user know). (Flaw #5: How does BA expect a 75-year old woman to remember these details of another person? There are travellers who do not even know what an email address is or how to spell it out.)
You scribble this information to your sister to blurt out and the agent asks your sister if he can discuss the booking with you. Your sister says yes, and the agent becomes friendly once again, ready to answer any question about the booking.
Simpler validation
There’s a much simpler and more efficient way for the call centre to validate that you are the authorised representative of the traveller. The agent could ask you for the traveller's last name and the airline Confirmation Code (the same information that lets you into the BA computer system). But, to be doubly sure, the agent could ask for several additional pieces of information that only you, as the user, would know, such as the travel agency used, or maybe the date and time of the booking. Anyone with this information is likely to be a genuine, authorised representative.
If even further validation is needed, BA could conference the travel agency in and have the agency confirm, offline, if your responses to even more questions (such as the agency booking ID, payment method, bank name, bank account number from which the payment was made and the exact amount of the fare paid) check out. If they do, the agent can dismiss the travel agency and begin to help you. All this, with a smile.
No one doubts that privacy protection and security are important, but there are simple ways to not lose sight of customer service which, in a business that has otherwise become a commodity, is the only real differentiator.