PCI DSS compliance deadline has come and gone, but questions remain

This story originally ran in the May 3, 2018 issue of Travelweek magazine.

TORONTO — An agent who reached out to Travelweek said it took him about a week to get PCI DSS compliant. Asked how he would rate the level of difficulty to become PCI DSS compliant, with 1 being relatively easy and 10 being extremely difficult, the agent responded with an emphatic ‘10’.

More than two months have passed since the March 1 deadline for travel agencies to become PCI DSS compliant.

The agent who reached out to Travelweek said he completed the compliance process with the help of Trustwave, one of many PCI compliance companies on the market today. Trustwave, the agent said, was cheaper than Accel PCI (the company recommended by ACTA), and though it was difficult at first to make contact with its support team, Trustwave did, in the end, prove to be “very helpful”.

However, the agent added, “easily understandable instructions were not available”, and “the terminology used in instructions and questionnaires cannot be readily followed by laypeople.”

This was common feedback from agents and agency owners, many of whom couldn’t make heads or tails of the compliance process. PCI DSS (the Payment Card Industry Data Security Standard) is the card brands’ set of security requirements for any business that stores, processes or transmits cardholder data, and it is meant to protect payment card information against theft; IATA has made proof of compliance a condition of agency accreditation. However, with complicated instructions, high fees and a lengthy process, becoming compliant seemed to many agencies to be more trouble than it was worth.

Said Heather Craig-Peddie, Vice President, Advocacy and Member Relations at ACTA: “The primary concern expressed by ACTA member agencies was the lack of clear instructions from IATA on what information needed to be submitted, how this information was to be submitted, and most importantly when the information needed to be submitted.”

IATA announced back in 2017 that proof of PCI DSS compliance was a mandatory requirement for IATA-appointed agencies by March 1, 2018. However, specific details on the what, how and when were only sent to agencies through a BSP link around March 22, 2018, three weeks after the deadline, said Craig-Peddie. “The concern from agencies was that they would receive a notice of non-compliance, perhaps receive a penalty or, worse, have their ticketing ability restricted.”

The other major concern expressed by ACTA members, she added, was the confusion around who can perform or submit an Attestation of Compliance (AoC) for the agency. An AoC is the signed form in which the agency (or an assessor acting on its behalf) attests to the result of its Self-Assessment Questionnaire (SAQ), the questionnaire that must be completed to demonstrate compliance.

IATA refers agencies to a list of Qualified Security Assessors (QSAs), but the majority of agencies fall into the Level 4 merchant category, which includes any merchant that processes fewer than 20,000 e-commerce card transactions per year, and all other merchants (regardless of acceptance channel) that process up to one million card transactions per year. Level 4 merchants do not require the involvement of a QSA unless their acquirer requests one; they can complete the SAQ and sign the AoC themselves.

Despite all the confusion, Craig-Peddie is confident that ACTA did everything it could to prepare its members for what they needed to do to become compliant, and by when.

“ACTA and the ACTA team dedicated a tremendous amount of time and resources to get the word out to members based on what we understood of agency expectations from IATA,” she said.

Not only did ACTA host webinars (available as ‘on demand’ for members in ACTA’s Members Only area on its website) in both English and French in July 2017 and January 2018, it also worked with Ensemble to host a webinar for Ensemble members in both languages. Plus, ACTA provided regular updates on PCI DSS Compliance through ACTAVision and trade media partners.

But as with any new policy that’s difficult to comprehend, there will always be lingering questions and concerns. Here are a few that Craig-Peddie answered for us:

Is it the end of the world if an agency missed the compliance deadline?

“No, it’s not the end of the world. IATA was not ready to receive any proof of compliance for the March 1 deadline. When IATA did start sending out notices to IATA-appointed agencies, the communication states a 30-day period to comply.”

If an agency is stripped of their Customer Card Payment Method for being non-compliant, how quickly will it be restored?

“At this time, it is unknown how quickly IATA will remedy the situation. We know that failure to comply with these requirements per IATA’s request will result in an Administrative Non-Compliance and the agency is given 30 days to remedy the situation. If the agency has not demonstrated to IATA’s satisfaction that the reason for the Administrative Non-Compliance has been remedied, IATA will:

  • Immediately restrict the agent’s use of the Customer Card Payment Method, and;
  • Such restriction will remain in place until the agent has demonstrated to IATA’s satisfaction that the reason for the Administrative Non-Compliance has been remedied.

“If the agency receives a notice of Administrative Non-Compliance and receives another 30 days to remedy the situation, it is unknown to ACTA how quickly IATA will enforce the requirement, nor how quickly they will remedy the situation once restored.”

If an agency is penalized/fined for not being compliant but eventually remedies the situation, will there be a permanent ‘flag’ on their record, so to speak?

“ACTA is not aware that this information will become public. However, an agency’s compliance status will be shared with IATA member airlines and the individual airlines could determine whether they will continue to transact with that agency.”

Why do agencies have to be compliant every year?

“This requirement is for all merchants under the rules outlined by the PCI DSS Council (the credit card companies). IATA has simply decided to include this mandatory merchant requirement in their rules.”

If an agency is charged a late fee, who does the money go to?

“If an agency receives a notice from IATA of a penalty due to an Administrative Non-Compliance, then that money would go to IATA. In addition, agencies may receive a monthly Non-Compliance fee from their merchant provider or Acquirer (i.e. Moneris, First Data, Elavon, etc.)”

If an agency is non-compliant and there’s an incident of fraud with a client, is the agency on the hook?

“ACTA cannot confirm the specific action that would be taken on the agency; however, with ACTA’s involvement with the Canada Travel Fraud Prevention Group, we know that typically it is the agency that is on the hook for incidents of fraud. ACTA understands that if an agency is non-compliant, the credit card companies could impose a penalty (from $5,000 to $100,000) on the acquiring banks, and this fine would eventually be passed on to the merchant.”

How are agents supposed to keep credit card authorization forms without violating PCI?

There are ways to store client payment data without violating PCI DSS. The standard allows a card number (PAN) to be retained only if it is rendered unreadable wherever it is stored, for example by truncation, tokenization or strong encryption, and it never allows the card verification code (the three- or four-digit CVV2/CVC2) to be stored after authorization, so an authorization form that records that code cannot be kept in full. The details of what to keep, how to protect it and how to dispose of it are covered in the compliance process and its accompanying training. ACTA has information available in the Members Only section of its website at www.acta.ca/PCI.
