The Payment Card Industry Data Security Standard (PCI DSS) is a global data security standard that protects confidential payment card information against theft. Airlines have asked IATA to support their own internal compliance projects by making the BSP card sales channel PCI DSS compliant. This is why IATA Accredited Travel Agents now need to become PCI DSS compliant. On this page you will find the procedure to follow to comply with this standard.

What is PCI DSS?

The Payment Card Industry (PCI) Security Standards Council is responsible for managing the security standards for the payment card industry. Five major payment card brands took part in the creation of this Council: American Express, Discover Financial Services, JCB International, MasterCard, and Visa Inc.

The Council's role includes:

  • Establishing and maintaining a worldwide data security standard with the aim of protecting cardholders' account information
  • Minimizing the implementation cost and lead time of the Data Security Standard (DSS)
  • Promoting transparency, while giving stakeholders the opportunity to contribute to the continued improvement, expansion and adoption of the data security standards
  • Listing the global security providers that can assist with the compliance process, ensuring that the main standards are understood and implemented correctly so as to create a secure payment solution

The PCI Security Standards Council affects a large number of people globally. It serves those who work with, or are associated with, payment cards, such as:

  • Merchants of all sizes
  • Financial institutions
  • Point-of-sale vendors
  • Hardware and software developers who are responsible for building and operating the worldwide infrastructure for processing payments

PCI DSS & Travel Agency Business

The breach or theft of cardholder data affects the entire payment card industry, with a knock-on effect: your customers lose trust in your own services as well as in the airline merchants and in the acquirers and financial institutions standing behind them. A customer's credit rating can be negatively affected, which could lead to enormous personal fallout. Customer-facing businesses and financial institutions lose credibility (and in turn, business), and they are also subject to numerous financial liabilities as a result of the theft of cardholder data. Therefore, compliance with PCI DSS is mandated by the International Card Payment Schemes worldwide.

Why is security significant for the Agent?

The information being processed is of a very sensitive nature; hence it is a high priority for retailers to comply with the PCI DSS standard. An agent that is not PCI DSS compliant is not in a position to fully assure the security of its customers' data; consequently, the agent will be exposed to Card Scheme fines, losses as a result of fraud, operational costs, or even reputational damage. Being PCI DSS compliant is in each agent's best interest, not only because it secures the customers' sensitive information and the agent's own financial position, but also because it leads to a safer organization network. Such networks are in many cases affected by poor system maintenance, which gives cybercriminals the freedom to enter the system.

What are the potential liabilities that the agency will face?

  • Lost customer confidence, so customers go to other merchants
  • Diminished sales
  • Fraud losses
  • Higher subsequent costs of compliance
  • Legal costs, settlements and judgments
  • Fines and penalties
  • Termination of ability to accept payment cards
  • Going out of business

How to become PCI DSS compliant

IATA is committed to achieving the highest levels of PCI DSS compliance in a timely manner and welcomes all possible solution providers who can assist Travel Agents with this important cause.

To complete the process for PCI DSS compliance, please follow the steps below:

Step 1: Evaluate your agency card operations

These questions will help you in the process:

  • What types of card does your agency use (B2B/B2C customer cards, the Agent's own card, other types of card)?
  • What are the systems and inventories in your agency where card details are processed and stored?

Step 2: Acquire evidence of PCI DSS compliance

IATA has signed an agreement with SecureTrust, a Qualified Security Assessor (QSA) approved by the PCI Security Standards Council. To obtain PCI DSS certification, you can:

Step 3: Submit your PCI DSS Compliance through the IATA Customer Portal

  • Log into the IATA Customer Portal
  • Go to “IATA Accreditation & Changes”
  • Click on “Update your PCI DSS Compliance”
  • Select your Agency code (Head Entity or Associate Entity) in Step A
  • Select your PCI DSS Status in Step B. If applicable, attach the corresponding documentation
  • Accept the Terms & Conditions and submit to IATA in Step C

A full visual PCI DSS Compliance Self-Service Step-by-Step Guide is now available to help you follow the above steps with ease.