Agents must note that PCI DSS compliance is not just an Iata issue. Agents are responsible for compliance in every sales channel through which they engage in card transactions.

Industry players stress that agents must understand that PCI DSS is an ongoing process and that the responsibility to maintain compliance rests with the agency.
Six frequently asked questions answered
1. As an ITC that tickets through a consortium, I use a back-office system and GDS that are compliant. Do I need to do anything else to prove my ITC’s compliance?

If the travel consultant is handling card data they need to be PCI compliant, says Clinton Leask, senior product manager of Corporate Card Services at Nedbank Limited. Agents must still determine their merchant level and complete a self-assessment questionnaire (SAQ) to ensure they tick all the boxes.

However, Iata expects that only one SAQ is filled in for all those points of sale for which the head office has full financial responsibility. “In this case, you are only required to validate once annually for all locations and submit quarterly passing network scans by a PCI DSS Approved Scanning Vendor (ASV) for each location, if applicable,” says Iata.

“One SAQ could be fine, depending on the set-up and if the physical and virtual locations where card data is stored, transmitted or processed are common,” adds Clinton.

ITCs who are unsure should contact their consortium to determine which procedures must be followed in accordance with their business’s policy. “Each merchant is different and their individual set-up could alter how the PCI compliance is viewed or assessed,” says Clinton.
2. My agency wants to store credit card data for recurring billing – may we?

According to the official PCI DSS website, the best way to store credit card data for recurring billing is by using a third-party credit card vault and tokenisation provider. By utilising a vault, the card data is removed from the agent’s possession and the agent is given back a ‘token’ that can be used for recurring billing. If agents need to store the card data themselves, their bar for self-assessment is very high and they may need to have a QSA (Qualified Security Assessor) come on site and perform an audit to ensure that agents have all the controls in place to meet the PCI DSS specifications.

An Iata spokesperson clarified that the scope of PCI compliance is only around credit/debit cardholder data, not the source of merchandise, services or products (in this case, airline tickets). If the ITC gives its card data directly to the consortium – in person, over the phone, or entered into the consortium web page – and the ITC never sees that data anywhere in its business environment, it should complete SAQ A for merchants with fully outsourced environments. If the customer gives their card data to the agent, then the agent would have to complete a different version of the SAQ.
3. May I accept or send credit card data via applications like WhatsApp?

Forms and images containing cardholder data are subject to the PCI DSS. Requirement 3.4 states that all cardholder data be rendered unreadable, regardless of how the data is stored or managed. To comply with PCI DSS, the image and/or paper form will need to be sent in a compliant manner, which would include rendering it unreadable (or protecting that data with appropriate compensating controls). Andrew Kirkland, CEO of the QSA firm CyberTAN, advises against using WhatsApp for card data. “Despite the encryption used, this is simply not a good security practice.”
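The vault-and-token approach from question 2, and the point in question 3 that a card number must be rendered unreadable wherever it is kept, can be illustrated with a small worked example. The code below is an added illustration and is not code from this article or from any of the companies quoted. It assumes a hypothetical third-party vault API, replaced here by an in-process CardVault class so that it runs offline, and it uses the constructed test card number 4111 1111 1111 1111, a well-known test PAN rather than a real card. The point it shows is scope reduction: the agency's own records hold only an opaque token and the last four digits, so the agency system never contains a PAN, and each recurring charge is made through the vault.

```python
import re
import secrets


def luhn_valid(pan: str) -> bool:
    """Luhn checksum: a quick sanity check that a digit string is a plausible PAN."""
    digits = [int(c) for c in pan if c.isdigit()]
    if not 12 <= len(digits) <= 19:
        return False
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Display form showing at most the first six and last four digits.
    This is the only form of the PAN that should ever appear in the
    agency's receipts or logs."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


class CardVault:
    """Stand-in for the third-party vault/tokenisation provider (hypothetical,
    not any vendor's product). The full PAN lives only here; callers get an
    opaque token. A real vault would encrypt this store and sit behind an
    authenticated API."""

    def __init__(self) -> None:
        self._store: dict[str, str] = {}   # token -> PAN

    def tokenize(self, raw_pan: str) -> dict:
        pan = re.sub(r"\D", "", raw_pan)   # strip spaces and dashes
        if not luhn_valid(pan):
            raise ValueError("not a valid card number")
        # Random token: it has no mathematical relation to the PAN, so it
        # cannot be reversed by anyone who only holds the token.
        token = "tok_" + secrets.token_urlsafe(16)
        self._store[token] = pan
        return {"token": token, "last4": pan[-4:]}

    def charge(self, token: str, amount_cents: int) -> dict:
        pan = self._store.get(token)
        if pan is None:
            raise KeyError("unknown token")
        # A real vault forwards the PAN to the acquirer; here we only build a
        # receipt, and the receipt carries the masked form alone.
        return {"status": "approved", "amount_cents": amount_cents, "card": mask_pan(pan)}


class AgencyBilling:
    """What the agency keeps: a token plus the last four digits per customer,
    never a PAN."""

    def __init__(self, vault: CardVault) -> None:
        self.vault = vault
        self.customers: dict[str, dict] = {}

    def enrol(self, customer_id: str, raw_pan: str) -> None:
        # The PAN is handed straight to the vault; only the vault's reply is stored.
        self.customers[customer_id] = self.vault.tokenize(raw_pan)

    def bill(self, customer_id: str, amount_cents: int) -> dict:
        rec = self.customers[customer_id]
        return self.vault.charge(rec["token"], amount_cents)

    def holds_pan(self) -> bool:
        """Scope check: scan everything the agency stores for a Luhn-valid run
        of 12 to 19 digits, the simplest 'did a PAN leak into our records' test."""
        blob = repr(self.customers)
        return any(luhn_valid(m) for m in re.findall(r"\d{12,19}", blob))


if __name__ == "__main__":
    vault = CardVault()
    agency = AgencyBilling(vault)
    agency.enrol("cust-001", "4111 1111 1111 1111")   # constructed test PAN
    print(agency.customers["cust-001"])                # token and last4 only
    print(agency.bill("cust-001", 1999))               # receipt with masked PAN
    print("agency holds a PAN:", agency.holds_pan())   # False
```

The holds_pan check is the kind of test an agency can run over its own database exports, call notes and log files: if a Luhn-valid card-length digit string turns up anywhere outside the vault, that system is back in PCI DSS scope and the SAQ A route described above no longer applies.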
4. Similarly, does this mean I can send the CCCF to tour operators when they want to confirm bookings?

Andrew says passing on data like the CCCF is a tricky process and should only be done if there is a valid business justification for doing so and if both sending and receiving parties are PCI DSS compliant. “Communications must be encrypted.” He says sensitive credit card data cannot be stored unless there is no alternative, in which case there must be extra security measures in place.
5. May my agency record phone conversations in which cardholder data is transferred?

Recorded conversations in which card details are provided are a form of storing information and are in scope for PCI DSS compliance, says Andrew. Recorded conversations invite more stringent requirements to comply with PCI DSS, he says. “The stored conversations should be encrypted and stored separately from the main system. Access to this stored data needs to be restricted and physical security measures would apply.”

This would include the enforcement of an auditable process where authorised personnel would need authenticated access to this data. File integrity monitoring and intrusion detection and prevention solutions are a few of the other practices that would also need to be in place, he adds.
6. So, may I share encrypted cardholder data with third parties, such as hotels?

Where encrypted cardholder data is shared with a third party, responsibility for the data generally remains with the entities that have the ability to decrypt the data or to impact the security of the encrypted data, PCI DSS states. All third parties in the supply chain need to be compliant, says Andrew. For example, the hotel’s booking site needs to be PCI DSS compliant, ideally passing this information to the hotel in an encrypted manner. The hotel receiving this will also need to be PCI compliant and have its own policies and procedures in place to handle this data, he adds.