As fraudsters deploy increasingly sophisticated tactics targeting agency transactions, travel consultants are being urged to step up payment security measures.
Industry leaders warn that many agents overestimate the protection offered by Signature on File (SOF), leaving them exposed to costly ADMs and chargebacks. Agencies are being urged to prioritise Payment Card Industry Data Security Standard (PCI DSS) compliance and implement 3D Secure (3DS) verification.
“Scams have become more elaborate,” Rachael Penaluna, MD of Sure Maritime Travel, told Travel News. “Fraudsters are sending out AI-generated invoices asking for payment to known agency suppliers, while direct mobile phone banking scams and computer hacking are prevalent now.
“If an agent processes a transaction on a stolen or fraudulent card, the agent has no recourse unless they are compliant and have got prior authorisation from the relevant bank.”
SOF not a ‘safety net’
Otto de Vries, CEO of the Association of Southern African Travel Agents (Asata), explained that SOF and PCI DSS were minimum requirements and offered agents less protection than they might realise.
“SOF has its place, but travel advisers need to understand what it does and does not cover,” warned De Vries.
“Where a physical signature cannot be obtained, a travel adviser may record 'Signature on File' on the charge form, provided a valid signed cardholder mandate exists. But SOF does not protect a travel adviser from a chargeback if 3D Secure was available and not used. The mandate is not a safety net.”
Regarding PCI DSS compliance, which is a mandatory condition for IATA accreditation, De Vries notes that agents are often caught out for storing CVV numbers on their charge forms.
“CVV numbers cannot be stored under any circumstances, not on a signed mandate, not in a spreadsheet, not in any form, even if encrypted. Many agents running SOF workflows simply are not aware of this.”
3DS verification essential
Industry experts say 3D Secure verification remains the most effective protection for agencies processing remote payments.
Penaluna said: “A 3D transaction is high security, with an added layer of verification; for example, an OTP via a banking app or a payment link.”
This is considered the ‘gold standard’ for travel agents because if a transaction is authenticated by 3D Secure 2.0 (3DS), the liability shifts from the travel agent to the card-issuing bank.
“So, even if a client later claims they did not make the purchase, the bank covers the loss because the transaction was verified,” explained Penaluna.
However, De Vries acknowledged that, in practice, 3DS was not supported across all GDS platforms and that some airline SOF workflows did not accommodate it. For this reason, it is important that agents know when 3DS is essential and what administrative assurances, in accordance with SOF and PCI DSS, must be in place in other situations.
“Where a customer is unknown, is a first-time caller, or where the booking presents any standard risk signal – last-minute, high-value, international, or a mismatch between cardholder and traveller details – 3DS must be used. No exceptions,” emphasised De Vries.
He advised that SOF might be acceptable to process transactions for very specific groups of clients, such as well-established corporate clients with an annually renewed written mandate.
“Beyond 3DS, agents should retain authorisation codes for every transaction and consider payment link solutions for remote bookings. These allow the cardholder to enter their own details directly, removing the agent from the cardholder data environment entirely and enabling 3DS routing,” he said.
Continuous training required
Emilene Rangayah, Director of Emilene’s Travel Services, explained that, for ITCs working remotely, the challenge was applying the rules consistently, often without the oversight structures of a larger corporate office or consortium.
“Consortia need to be there to tell us about all of these things and inform us about the best transaction verification processes, how to be compliant and how the ADMs and chargebacks work, and not just in once-off training, but continuously, as the environment changes and we are expected to adapt,” said Rangayah.
Asata recommends that training focuses on four areas:
- SOF mandate discipline: Any adviser processing a manual SOF transaction must hold a signed mandate, and that mandate cannot contain CVV data under any circumstances.
- Fraud recognition: Last-minute high-value bookings, customers indifferent to price, split payment requests, and cardholder-traveller mismatches are all red flags.
- The chargeback and ADM chain: When a dispute is raised, the card issuer charges back the airline, who then issues an ADM to the adviser. The time to prevent an ADM is before the transaction is processed, not after.
- Documentation: Travel advisers must retain charge forms or electronic records for a minimum of 13 months and ensure clients have acknowledged terms and conditions before payment is taken.
“Fraud tactics change. Regular update sessions instead of annual tick-box exercises are the only way to keep ITCs genuinely current,” said De Vries.
“Asata will continue to engage with IATA, the card schemes and other stakeholders to ensure agents have the tools, guidance and support they need to transact safely.”