Case study: the road to compliance

WHEN a Johannesburg-based agency began its PCI DSS compliance journey 15 months ago, its staff and directors had no idea what PCI DSS was. The Level 4 merchant
has since successfully maintained
its certification (for over a year)
and has received notification and
acceptance of its compliance from
Iata. Due to the sensitive nature of
PCI DSS, the agency has requested
to stay anonymous to protect its
clients and their data.
Ensure compliance across systems
As stated by Iata, it is incumbent on the travel agency to verify the PCI status of each provider to whom it delegates card payment-related tasks.
“Like most agencies, we’d
developed our own safety methods
and just followed common sense
in how we dealt with clients’ credit
card details,” says agent A.
“On guidance from Iata, we contacted our acquiring bank as a first step toward official compliance,” says agent A, the agency’s owner. “Standard Bank advised us that someone would contact us with further information,” he says. The next day, the QSA’s call centre contacted the agency.
“The QSA later tested our existing security systems for any potential vulnerabilities.” Although the QSA confirmed that the agency’s system was secure, agent A was not satisfied with the results. “I wasn’t sure whether we were ticking all the boxes, especially since the QSA had not tested the GDS and our back-office solution,” he says.
“Agencies have to make sure they comply with the PCI requirements; we only assist and guide them to do so,” says Richard Henwood, business development at Foregenix, a QSA.
Consequently, the agency contacted its back-office system provider, which assured it that the product would be compliant by mid-February.
“Travelport had helped by informing us of its tech migration from Transport Layer Security (TLS) 1.0 to TLS 1.2 and that agents may need to upgrade the version of the Microsoft operating system, .NET Framework or Internet Explorer from the one they currently use.
“Our local Travelport rep was
also very useful in answering
questions,” he adds.
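The TLS 1.0 to TLS 1.2 migration described above is where small agencies most often run into technical trouble: the server side is the provider's job, but each workstation has to be able to negotiate TLS 1.2 and should stop offering TLS 1.0. The PowerShell script below is an added example for this page; it is not code from Travelport, Foregenix or the agency. It reads the Windows registry settings that govern protocol selection for .NET Framework, Schannel and Internet Explorer, then attempts one handshake per TLS version against a host. The hostname gds.example.com and port 443 are placeholders to be replaced with your provider's endpoint.

```powershell
# Added example (not code from the article, Travelport, Foregenix or the
# agency). Checks the client-side prerequisites for a TLS 1.0 -> TLS 1.2
# migration on a Windows workstation, then probes a host for the TLS
# versions it accepts. Hostname and port are placeholders (assumptions).
param(
    [string]$TargetHost = 'gds.example.com',
    [int]$Port = 443
)

# 1. .NET Framework 4.x: older applications only pick up TLS 1.2 when these
#    two DWORDs are 1 (check both hives on a 64-bit OS).
$netKeys = @(
    'HKLM:\SOFTWARE\Microsoft\.NETFramework\v4.0.30319',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\v4.0.30319'
)
foreach ($k in $netKeys) {
    if (-not (Test-Path $k)) { continue }
    $v = Get-ItemProperty -Path $k
    $k
    '  SchUseStrongCrypto={0}  SystemDefaultTlsVersions={1}' -f $v.SchUseStrongCrypto, $v.SystemDefaultTlsVersions
    # Remediation (elevated prompt); both values should be 1:
    #   Set-ItemProperty -Path $k -Name SchUseStrongCrypto        -Type DWord -Value 1
    #   Set-ItemProperty -Path $k -Name SystemDefaultTlsVersions -Type DWord -Value 1
}

# 2. Schannel policy: is the OS still willing to speak TLS 1.0 as a client?
$tls10 = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Client'
if (Test-Path $tls10) {
    $p = Get-ItemProperty -Path $tls10
    'TLS 1.0 client: Enabled={0} DisabledByDefault={1}' -f $p.Enabled, $p.DisabledByDefault
} else {
    'TLS 1.0 client: no policy key present, OS default applies'
}
# Remediation (elevated prompt); stops this machine offering TLS 1.0:
#   New-Item -Path $tls10 -Force | Out-Null
#   Set-ItemProperty -Path $tls10 -Name Enabled           -Type DWord -Value 0
#   Set-ItemProperty -Path $tls10 -Name DisabledByDefault -Type DWord -Value 1

# 3. Internet Explorer / WinINet: SecureProtocols is a bitmask,
#    TLS 1.0 = 0x80, TLS 1.1 = 0x200, TLS 1.2 = 0x800 (per-user key).
$ie = Get-ItemProperty -Path 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings' -ErrorAction SilentlyContinue
if ($null -ne $ie -and $null -ne $ie.SecureProtocols) {
    $has10 = ($ie.SecureProtocols -band 0x80) -ne 0
    $has12 = ($ie.SecureProtocols -band 0x800) -ne 0
    'IE SecureProtocols=0x{0:X}  TLS 1.0 on: {1}  TLS 1.2 on: {2}' -f $ie.SecureProtocols, $has10, $has12
}

# 4. Live probe: one handshake per protocol version. A rejection can come
#    from the server (its migration is done) or from this machine (version
#    disabled locally), so read it together with the registry output above.
$trustAll = [System.Net.Security.RemoteCertificateValidationCallback]{ $true }
foreach ($name in 'Tls', 'Tls11', 'Tls12') {
    $proto = [System.Security.Authentication.SslProtocols]$name
    $tcp = New-Object System.Net.Sockets.TcpClient
    try {
        $tcp.Connect($TargetHost, $Port)
        # Certificate validation is bypassed on purpose: the question here is
        # which protocol versions negotiate, not whether the chain is trusted.
        $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $trustAll)
        $ssl.AuthenticateAsClient($TargetHost, $null, $proto, $false)
        '{0,-5} accepted: negotiated {1} with {2}' -f $name, $ssl.SslProtocol, $ssl.CipherAlgorithm
        $ssl.Dispose()
    } catch {
        '{0,-5} rejected: {1}' -f $name, $_.Exception.Message
    } finally {
        $tcp.Dispose()
    }
}
```

Run it as the user who operates the booking software, because the Internet Settings key is per-user, and run it once before and once after the provider's cut-over date: the expected end state is Tls rejected and Tls12 accepted. The Set-ItemProperty lines in the comments need an elevated prompt and a reboot before every application honours them.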
However, not all travel industry
players are following the same
rules, says agent A. Agents may
be compliant in the systems
and processes involved in
airline ticket sales, but a small
guesthouse in the middle of the
Free State is not necessarily
going to be aware of PCI DSS
compliance, he adds. This is
especially a problem for agents
with government clients as their
options are limited when booking
accommodation in outlying areas.
Employee training is key
Old habits die hard, and ensuring that employees are all on the same page is one of the most important aspects of PCI DSS. “It’s
a continuous process,” says agent
A. The most important action of
enabling change is explaining the
why, he adds. “Once all our staff
understood the consequences of
non-compliance, it was common
sense that they had to follow
correct procedures.” The agency
hosted several workshops and brief
training sessions on compliance
to educate staff. “Agency owners
should ensure their staff confirm
their understanding of compliance
and sign-off on training sessions
to protect their business,” says
agent A.
Positives outweigh negatives
“The consequences of the
certification process have
empowered our business,” says
agent A.
“Our processes are more
streamlined, we’re managing risks
better and I can sleep better at
night knowing we’re compliant,”
he says. “The fines imposed for
non-compliance are in US dollars
and can put a small agency out of
business.”
The agency submitted its
compliance documents via the
Iata portal. “Iata responded saying
we were in the clear, provided the
company that certified our agency
was qualified to do so,” says
agent A. Agents can verify the certification status of their QSA on the PCI Security Standards Council website, which lists all currently certified QSA companies. “Don’t
be afraid to ask for the QSA’s
certification licence,” he adds.

Top PCI DSS compliance tips

Andrew Kirkland, ceo of cyberTAN, shares some tips on compliance:

- Don’t panic – your agency can change – make sure you start as soon as possible.
- Get your QSA to help you outline policy and procedure documents that are visible to all staff in the office.
- Train your staff – Security Awareness Training on a regular basis helps minimise risk. Staff are your weakest link. Give them the knowledge to protect the business.
- Know your third parties as intimately as possible and don’t be afraid to ask for their Attestation of Compliance (AOC). You’re all part of the supply chain and no one wants to be the weakest link.
- Have an incident response plan: how do you and your staff react when you are breached?
- Run regular external vulnerability scans, especially if clients engage with you via your web page. It’s also good practice.