Cracks are appearing in Iata’s requirement for agents to be Payment Card Industry (PCI) Data Security Standard (DSS) compliant by March 2018 in order to retain accreditation. Issues regarding non-compliant payment processes, a lack of communication from Iata and other key stakeholders, and concerns around implementation dates have all come under the spotlight.
The PCI DSS is a global standard that applies to all entities that store, process and/or transmit cardholder data. A key part of compliance is the protection of sensitive cardholder information.
In February, Iata initially announced the requirement as a prerequisite (by June 1) for agencies that process credit card sales to retain Iata accreditation. In April, the association extended the deadline to March 2018.
In a recent poll conducted by eTNW, 65% of respondents said they “had no idea” about PCI DSS compliance. On the other hand, agents who are aware of PCI DSS say there are serious concerns around how compliance must be implemented.
One of the biggest issues is the use of credit card charge forms (CCCF). The CCCF is a requirement by the card-issuing companies that has been incorporated into local regulations, says Janaurieu D’sa, Iata area manager for Southern Africa. It is a requirement by the Payment Association of SA (Pasa) to prove card-present transactions in the local market.
“Airlines can ask agents at any stage to prove that the client has agreed for his card to be charged. Up to now this was done through producing a signed imprint of the card, the CCCF,” says Milan Wild, gm of American Express Travel and Tours.
Under PCI DSS, this would need to be changed, and agents must be advised what other acceptable form of proof should be used and how it should be stored, Milan says.
The CCCF is a prerequisite in all markets that process credit card transactions through the BSP, as per Resolution 890, says Janaurieu. He says a majority of jurisdictions have approved the use of a GDS-issued electronic version of the CCCF and that Iata is engaging with Pasa to introduce the electronic CCCF locally. However, he adds: “PCI DSS compliance is still achieved in both versions through respectively prescribed processes.”
Mladen Lukic, gm of Travel Counsellors South Africa, says that although PCI DSS compliance is good for the industry, there are levels of compliance that rest outside the ambit of the agency. Mladen says the industry awaits Iata’s view on how far down the distribution chain it expects agents to be responsible for compliance in order to retain their accreditation.
According to the PCI council website, each payment card brand maintains its own separate compliance enforcement programme, and stakeholders are required to check with their banks. Chris Cromhout, owner of Ditshaba Travel, says he did this with his credit card supplier, Amex, but was only told that the software he uses through Nedbank was compliant. Amex had not commented at the time of publishing.
Otto de Vries, ceo of Asata, says a PAPGJC project team, including a PCI council rep, will within the next six months design a road map to compliance for agencies. The team will also deliver a travel agent small merchant guide by October, says Otto. Locally, Asata will devise a shared action plan to assist Asata travel agents in becoming compliant.
But, Otto says: “If the guide is only ready by October and the road map is only delivered in the next six months, I suspect that nobody honestly thinks March 2018 is still an achievable deadline.” He adds that a PCI representative at the PAPGJC meeting earlier this month said the council had not seen any other sector reach compliance in less than 18-24 months.
He says the trade is the only industry being forced into compliance. As much as the PCI council provides a standard best practice for compliance, it isn’t enforcing it on any industry; Iata, however, is forcing the travel industry into compliance by imposing resolutions on the trade, Otto says.
Iata told TNW the industry needed to be aware that compliance, and whether the agency would retain its accreditation, only applied to credit card sales.
“If an agency doesn’t process credit card transactions, it may submit a declaration that will state that, and should be signed by an authorised signatory of the agency. Such agencies won’t be required to provide compliance evidence; however, this information will be kept on file and, once New Gen ISS resolutions are effective, the agency’s credit card form of payment will be switched off,” says Janaurieu.