Editor's note: This post was originally published in June 2021 in Security Today.
The Covid-19 epidemic has forced the car rental industry into rethinking its value proposition. While it once positioned itself as an ancillary service to the airline industry, generating the bulk of its income through airport locations, a collapse in global airline passenger numbers over the past year may have sped up a process already underway: Far from occupying a segment in the travel industry, car rental companies are now one corner of the Cars as a Service industry.
Cars as a Service is a term used to cover an ecosphere that includes everything from ride hailing to car sharing. The companies that dominate this ecosphere, such as Uber and Turo, are defined by their data rather than their fleet. Players in the car rental industry - those that remain after the carnage inflicted by the pandemic - are facing up to the reality that their competitors are more likely to be technology upstarts than legacy providers.
The case of Uber is illustrative. In 2020 alone, its app was downloaded 95 million times. The app now includes options to order food, send packages, or transport freight. Car rental firms must consider the addition of a car rental service to Uber and other competing platforms as more a case of when rather than if. Car rental firms are gearing up for the challenge through increased technology usage, bringing with it a whole new set of issues to consider.
The Covid-19 pandemic has created upheaval in most industries, and the car rental industry has been no exception. A series of lockdowns and travel restrictions over the past 18 months forced almost everybody in the industry to scale back by dramatically cutting fleet sizes. In fact, more than 30% of the industry’s vehicles from 2019 have been shed - taking 770,000 car rental firms’ cars off the market.
Now that countries are beginning to reopen, and travel restrictions are being eased, the offshoot is that there aren’t enough cars in the fleet to satisfy consumer demand. As the car rental companies that survived the pandemic - because not all of them did - turn to manufacturers for new models, something else has arrived to compound the issue further: a semiconductor chip shortage, slowing down auto manufacturers’ production lines.
This new paradigm has forced car rental firms to cooperate more with third party aggregator companies who can provide the rental firms with some slack when fleet numbers are low. These aggregators leverage the data accumulated by car rental firms for their own APIs. These APIs often feature little or no data protection. A duplication of the data that a car rental firm is responsible for could therefore amount to a multiplication of its risks.
This is just one data risk, however. Ride hailing firms like Uber now oversee a global fleet of over 18 million vehicles and this number is expected to rise to 35 million by 2025. These figures dwarf those of the world’s largest car rental firms. But arguably even more importantly, they’re generating an unprecedented amount of data on how everyone gets around. These companies already know better than you when you’ll travel in the next month and where you’ll go.
Car rental firms simply cannot compete with data on this scale, so will have to be creative if their proposition is to remain competitive. This begins with ensuring their fleets are connected. Avis Budget Group had over 200,000 connected vehicles in a total fleet of over 600,000 at the end of 2019. The company reported that this translated into operational efficiencies such as lower maintenance costs, better customer service, and enhanced predictive ability.
These data will be complemented by mountains of personalized customer data generated by mobile apps. Companies like Avis Budget Group now offer contactless, self-service car rental services through APIs as standard. And although these apps have allowed these companies to significantly improve their value proposition, they also create a whole new set of challenges - specifically in ensuring their APIs are secure.
A rule of thumb here is that the more connected companies and their customers become, the bigger the data security risk. It is not unfeasible for a customer picking up a rental car at an airport to have already provided data for their credit card, insurance, and personal information. These data are transferred between the car rental firm and third parties such as regulatory bodies and insurance providers.
Approov has first hand experience of working with car rental firms operating under this new paradigm. Its API Threat Protection enabled Sixt, industry’s leading firms, to gain control over what data they share with aggregators and at what level. This allowed Sixt to limit its data risks with additional layers of security, even as the number of end users was increasing. Thanks to Aproov, the company’s data began to work for it rather than against it.
For Approov, the Sixt project yielded valuable insights into the challenges that the car rental industry is undergoing. They face what amounts to a data conundrum: One one hand, to remain relevant in the growing field of mobility providers, these companies have to allow API requests. On the other, the car rental companies have sole responsibility for the data, and it is no exaggeration to say that their whole business model depends on them keeping it secure.
Car rental firms now need to manage their data as much as their fleet. As the business environment returns to something approaching normality post- Covid-19, their reduced fleets will mean that a larger proportion of their vehicles than ever will be fully connected. Post-pandemic, they will also find that their customers are even more mobile-centric than before. This will demand intelligent API protection solutions like those provided by Approov.