Ask an expert
A FATAL hot-air balloon
accident earlier this
month has highlighted the
importance of ensuring
clients are covered for
adventure activities.
This is because insurance
providers vary on the extent
to which such activities are
included in standard cover,
and bank and/or medical aid
cover don’t necessarily offer
the same cover as a travel
insurance policy.
On January 5, a hot-air
balloon carrying tourists
crashed near the Egyptian
city of Luxor, leaving one
person (a South African)
dead and 15 injured. The
traveller who died survived
the crash but succumbed
to his injuries while being
treated in hospital.
If the traveller had not
taken out travel insurance
he might have been covered
to some degree by his bank
and/or medical aid. Simmy
Micheli, sales and marketing
manager of TIC, told TNW:
“Credit card holders may
be covered for medical
expenses depending on
their bank’s specific cover.
If a traveller is engaging in
a hazardous activity it is
advisable to ensure what
their bank offers first. The
same goes for medical aid,
however, in general, personal
accident cover only features
in top-up options.”
All three key players in
the local travel insurance
market, namely TIC,
Bryte and Hollard, offer
emergency medical and
related expenses cover in
their standard policies in
the event of an adventure
activity accident such as
a hot-air balloon crash.
This includes pay-out
for medical expenses,
repatriation, repatriation
of mortal remains and the
accompanying partner and/or
children.
However, only TIC also
offers accidental death cover
in the form of a lump sum
that is paid as compensation
in the event of accidental
death during an adventure
activity. This is included in
TIC’s standard travel policy.
Because policies from
different providers vary, it is
advisable for travel agents to
always make sure that each
activity on a client’s itinerary
is covered by the policy
purchased. Agents should
also advise clients that
additional activities booked
while on holiday may not be
covered by the insurance
policy and agents should
ask clients to inform them
of any additional adventure
activities booked.
Simmy explains that
related expenses, included
in standard travel insurance,
refer to post-mortem,
embalming of the body,
transporting of the body to
a country where embalming
can be done if the country
where the death occurred
doesn’t practise embalming,
an approved coffin for
transporting mortal remains
and shipping costs.
According to Simmy, the
return of mortal remains
can cost between R250 000
and R500 000. The cost
of repatriation of mortal
remains depends on factors
such as the location, the
government regulations in
the country where the death
occurred and the government
regulations in the traveller’s.
Breaking down the basics
How does it affect me, the agent?
PAYMENT Card Industry Data
Security Standards (PCI DSS) is
a global data security standard
to protect confidential payment card
information against theft and fraud.
For authorisation to issue tickets
with the Customer Card Payment
Method, the agency must comply
with the conditions established
in Resolution 812 (NewGen ISS
Passenger Sales Agency Rules),
818g (Passenger Sales Agency
Rules) and Resolution 890 (Card
Sales Rules), including PCI DSS
Compliance. Under Resolution
890, all agencies must be PCI DSS
compliant, regardless of whether a BSP
is in place.
What is PCI DSS?
PCI security standards are technical
and operational requirements set by
the PCI Security Standards Council
(PCI SSC) to protect cardholder
data. PCI DSS applies to all agents’
businesses that store, process, and/or
transmit cardholder data, and travel
agents are responsible for compliance
in every sales channel through which
they engage in card transactions.
Clinton Leask, senior product
manager of Nedbank Limited, says
PCI DSS compliance applies to the
point at which the card transaction is
initiated (travel agent), the systems
used to process the transaction (GDS
and payment service providers) and
the merchant who is accepting the
transaction (airline). All three parties
are involved in the card transaction. It
is incumbent on the travel agency to
verify the PCI status of each provider to
whom it delegates card payment-related
tasks, says Iata.
The security controls and processes
required by PCI DSS are vital for
protecting cardholder account data,
including the primary account number
(PAN) printed on the front of a payment
card. Travel agencies and anyone
involved with their card payments must
never store sensitive authentication
data after authorisation. This includes
data printed on a card, or stored on a
card’s magnetic strip or chip and PINs
entered by the cardholder.
A continuous process
Becoming PCI compliant is not a
once-off requirement. There are
three ongoing steps for adhering
to the PCI DSS:
1. Assess: identifying cardholder
data and taking stock of IT
assets and business processes
for payment card processing –
checking for vulnerabilities that
could expose cardholder data.
2. Remediate: fixing
vulnerabilities and avoiding
storing cardholder data unless
needed.
3. Report: compiling and
submitting required remediation
validation records (if applicable),
and submitting compliance
reports to the acquiring bank and
card brands you do business with.
What do I need to achieve?
PCI DSS consists of commonsense
steps that mirror security
best practices agents need to
achieve and maintain to ensure the
protection of cardholder data.
The table presents the objectives
and 12 related requirements:
Agents will also need evidence
that compliance has been
achieved through an Attestation
of Compliance and/or a Qualified
Security Assessor assessment.
No one-size-fits-all
Compliance requirements differ from
agency to agency and are determined
by several factors, including the
financial institution, card brand,
size of the business and number of
transactions. All agencies will fall into
one of the four merchant levels based
on payment card transaction volume
over a 12-month period. Transaction
volume is based on the aggregate
number of transactions (inclusive
of credit, debit and prepaid) from a
merchant Doing Business As (DBA).
While the PCI Council is responsible
for managing the data security
standards, each payment card brand
maintains its own separate compliance
enforcement programme.