In March 2017, Iata extended the deadline for PCI DSS compliance in BSPZA until March 2018. Non-compliant agents will lose the ability to issue tickets with the Customer Card payment method. They also place themselves at risk of large fines and far-reaching reputational damage.
Non-compliance means no card sales
Agencies that do not comply with the conditions established in Resolution 812 (NewGen ISS Passenger Sales Agency Rules), Resolution 818g (Passenger Sales Agency Rules) and Resolution 890 (Card Sales Rules), including PCI DSS compliance, will not have access to credit cards as a means of payment.
"Once the deadline is enforced, agents will be required to produce proof of compliance on an annual basis in line with the Resolutions," says Janaurieu D'Sa, area manager for Southern Africa at Iata.
But an accredited agency will not automatically lose its accreditation if it is not PCI DSS compliant – the agency has other options to trade through the BSP, says Janaurieu. If an agency opts out of processing credit card transactions under NewGen ISS, it must submit a declaration signed by its authorised signatory and would not be required to provide compliance evidence.
But this declaration will be kept on file, and once the NewGen ISS resolutions are effective in a country, the travel agency's credit card form of payment will be switched off. This decision would, however, affect the agency's licence guarantees with Iata.
Iata's enforcement expectations
Effective March 1, Iata will initiate the enforcement process by seeking validation of Iata-accredited agents' compliance evidence. "Formal communication will be issued with expectation of submission of proof of compliance and timelines for submission," says Janaurieu.
According to Iata, no specific limit applies to the number of times compliance may lapse. Once compliance has lapsed, agents would need to resubmit proof of their compliance. Once proof has been resubmitted, credit cards as a payment option will be reactivated in the system.
More than an Iata issue
Nedbank maintains that PCI compliance is in line with the Payments Association of South Africa (Pasa) requirements, says Clinton Leask, senior product manager of Corporate Card Services at Nedbank Limited. He says Pasa has mandated that only Level 1 and breached merchants need to prove their compliance.
"However, all merchants – and banks – are to ensure they adhere to PCI DSS and it should be noted that your acquiring bank or card schemes, such as Visa and MasterCard, can request proof of PCI compliance at any time," he says.
Compromised data – monetary and reputational risks
Non-compliance with PCI DSS has other risks outside the ambit of Iata. Richard Henwood, business development at Foregenix, a QSA (Qualified Security Assessor), says the worst consequence of non-compliance is to have your data security compromised.
"As mentioned, in line with Pasa requirements, only Level 1 and breached merchants need to prove their compliance. However, if a merchant is breached and has not adhered to PCI DSS, the merchant may be liable for all fines, penalties, cost of card replacements and fraud committed," says Clinton. "A merchant also needs to consider brand and reputation damage that will transpire," he adds.
The payment brands may, at their discretion, fine an acquiring bank $5 000 to $100 000 per month for PCI compliance violations. The bank can, in turn, pass this fine down the chain until it lands with the merchant.
The bank will also likely either terminate its relationship with the merchant or increase transaction fees.
Richard says compromised data can also lead to a merchant automatically being raised to Level 1, which would mean it would have to be assessed on site by a QSA, which is costly.
In addition, the merchant could bear the cost of an expensive forensic investigation, he says. "Your small to medium travel agency would probably go out of business."
"In the past, we've seen Level 4 merchants shut their doors because the cost of the breach and to regain compliance was too high," says Andrew Kirkland, ceo of QSA firm cyberTAN Information Security, "while others pushed through, put a plan in place, stuck to their guns and are well on track."
But consequences may depend on each unique case. "It also boils down to the leniency of the card schemes, banks and Pasa, versus the severity of the breach or length of time to become compliant," says Andrew.
Next Week
A case study on PCI DSS compliance. See how another agency did it and discover
what went wrong, what went well and how your agency can improve.