This story originally ran in the June 7, 2018 issue of Travelweek magazine.
TORONTO – There’s no question that the process to achieve PCI DSS (Payment Card Industry Data Security Standard) compliance has been a complicated ordeal for many travel agencies. First introduced in February 2017 with a June 1, 2017 deadline, the mandatory condition was then pushed back to March 1, 2018 by IATA following agent feedback. People were confused and frustrated, with IATA unfairly receiving the brunt of the backlash.
Travelweek has covered PCI DSS extensively. Now to help answer any outstanding questions and concerns, Travelweek reached out to IATA spokesperson Perry Flint for an exclusive interview. Here’s what he had to say:
Who is PCI DSS compliance mandated by, and what is IATA’s role in the process?
PCI DSS standards are technical and operational requirements set by the PCI Security Standards Council (PCI SSC) to protect cardholder data. The standards apply to all entities that store, process or transmit cardholder data. The Council is responsible for managing the security standards, while compliance with the PCI set of standards is enforced by the founding members of the Council (American Express, Discover Financial Services, JCB International, MasterCard Worldwide and Visa Inc.).
According to the PCI SSC website, “If you are a merchant who accepts or processes payment cards, you must comply with the PCI DSS.” Currently, both Visa and MasterCard require merchants and service providers to be validated, according to the PCI SSC.
Turning to IATA’s role, IATA was directed by the Passenger Agency Conference (PAConf) to ensure that all travel agents participating in BSP achieve PCI DSS compliance.
Why did IATA decide to extend the deadline?
At the beginning of February 2017, IATA released its first communication to the agent community advising of the requirement coming up in June 2017 to become PCI DSS compliant, and guiding agents to a dedicated PCI DSS compliance webpage within IATA.org.
Following this communication, IATA received a large amount of feedback from the agent community, including individual agents as well as regional and local travel agent associations. The main concern was that the timeline for compliance was too short. Some agents also informed IATA that their acquirer/financial institution was not able to guide them through the process as they were not aware of the process themselves.
Based on these concerns, IATA requested the PAConf Steering Group (PSG) to postpone the application of PCI DSS provisions to March 1, 2018. The PSG agreed to an extension and a communication notifying agents of this extension was distributed in April 2017.
Why must agents be PCI compliant?
The PCI DSS standards were put in place to protect merchants’ payment systems from breaches and theft of cardholder data. According to information from the PCI SSC website, PrivacyRights.org has reported that more than 510 million records with sensitive information have been breached since January 2005. Compliance helps to alleviate these vulnerabilities and protect cardholder data.
Compliance is not cheap. However, the business risks and potential costs of non-compliance can exceed the cost of compliance. For example, in the event of a security breach, any compromised entity that was not PCI DSS compliant at the time of breach could be subject to additional penalties from the card scheme (such as fines), in addition to any civil liabilities from those whose data was compromised. There is also the damage to the business reputation, loss of customer trust and so forth. Implementing PCI DSS should be part of a sound, basic enterprise security strategy.
How did IATA help prepare members for compliance?
- IATA created a dedicated section on IATA.org.
- We also communicated to agents through BSPlink about PCI DSS compliance and provided them with information about tools that were available to support them in achieving compliance.
- Upon the request of the participants, dedicated PCI DSS sessions were held in Agency Program Joint Councils (APJCs) as well as some travel agency associations.
- IATA made available on its website links to a Qualified Service Assessor who could guide agents through the process. IATA also supported Travelport’s announcement that it would facilitate PCI DSS certification for Travelport users. Travelport also made its online PCI DSS certification referral program available to all IATA agencies.
- IATA signed an agreement with Trustwave, a Qualified Security Assessor (QSA) to help agents obtain PCI DSS certification.
IATA understands that the unique diversity of our travel agent partners means that many will not have been exposed to PCI DSS, with many operating in environments and with technology that make the exercise even more challenging. However, PCI DSS has been in place since 2006, hence the pressure has been there to become PCI DSS compliant since then.
How closely is IATA working with ACTA and other travel organizations to educate agents about compliance?
While it is always possible to do more, IATA has worked closely with ACTA and many other agency associations to get the word out and educate our travel agent partners about the importance of achieving compliance with the standard. These interactions have occurred through the APJCs and also via direct email communications with agency associations.
What will happen to agencies who’ve yet to obtain compliance?
It’s not too late. Agencies should continue down the road toward PCI DSS compliance. The failure by a travel agent to comply with the PCI DSS requirement will lead to restrictions on the use of credit cards in the BSP and other actions. The payment brands may levy fines, but this is clearly outside IATA’s scope. Additionally, airlines may take their own actions (up to and including removal of ticketing authority).
If an agency missed the March 1 deadline, does it have to do any extra steps to become compliant now?
No, it is the same process.
Is IATA responsible for regulating who is and isn’t compliant? And what proof does IATA require from agents of compliance?
It should be noted that the PCI SSC is responsible for managing the security standards, while compliance with the PCI set of standards is enforced by the founding members of the Council.
The only documents recognized for PCI DSS validation are the official documents from the PCI SSC website. The PCI SSC website is the only source of official reporting templates and forms that are approved and accepted by all payment brands. These include Report on Compliance (ROC) templates, Attestations of Compliance (AOC), Self-Assessment Questionnaires (SAQ), and Attestations of Scan Compliance for ASV scans. Only these official documents and forms are acceptable for the purposes of compliance validation.
It should also be noted that depending on the merchant level, PCI DSS provides the option of doing an internal assessment with an officer sign-off. Mid-sized and smaller merchants may use the Self-Assessment Questionnaire found on the PCI SSC website to assess themselves.
Lastly, what advice would you give those who are still unsure about the process?
A good way to start is to visit IATA’s PCI DSS pages on IATA.org. Also, the PCI Security Standards Council manages programs that will help facilitate the assessment of compliance with PCI DSS: Qualified Security Assessor (QSA) and Approved Scanning Vendor (ASV). Visit their website at pcisecuritystandards.org.
Understanding that the process is complex, it’s important for agents to take this step to protect themselves, their customers and their business. The risk of data theft is an ever present reality for every business, and we all have a responsibility to do our part to try to prevent it.