PCI compliant - what's that you say?

AGENTS operating within the BSP who are not Payment Card Industry (PCI) Data Security Standard (DSS) compliant by June 1 stand to lose their Iata accreditation. Despite the deadline looming, most agents say they have no idea what PCI DSS is and claim they haven’t received notification from Iata on the matter.

Otto de Vries, ceo of Asata, confirms that Iata recently sent out a communication stating that PCI DSS compliance will be a mandatory condition to obtain and retain accreditation as an Iata Accredited Agent under the Passenger Sales Agency Rules in Resolution 818g.

He says this requirement has not emerged out of the blue. “Asata has been encouraging compliance since 2008 and gives members a document explaining basics of PCI DSS compliance when they join or if the agency is up for renewal.” This document is available on the Asata website or upon request.

The aim of PCI DSS compliance is to enhance payment card security. Agents that store, process and transmit payment card data are required to adhere to PCI security standards, which are the technical and operational conditions to preserve payment card security. An important part of PCI DSS compliance is ensuring the protection of sensitive cardholder information.

Otto says, according to the latest communication from Iata, agents will be allowed two breaches of compliance before Iata suspends their ticketing authority. The suspension will continue until agents become compliant.

But, because there is confusion about what it really means to be PCI DSS compliant, industry players say it’s imperative Iata outlines what expectations agents should meet to retain their accreditation.

Md of Sure Viva Travels, David Pegg, says although his agency has certain safeguards in place to ensure credit card security, he’s not certain which security standards agents must meet to retain accreditation.

“There’s a large portion of the travel industry that isn’t 100% compliant,” says Marco Ciocchetti, ceo of the XL Travel Group, adding that it’s likely they don’t know what is expected of them.

Otto says there is a new working group, comprising members of the World Travel Agents Association Alliance and Iata, who are creating a handbook that defines what it means to be compliant.

He says the success of PCI DSS relies on all parties in the value chain being compliant, including the suppliers. Unlike agents, most suppliers appear to be ticking the required boxes.

Amadeus’s GDS and corporate booking tools have been certified compliant by the PCI Security Standards Council in Europe for the past five years, says Jannine Adams, senior manager marketing and communications of Amadeus.

“Beachcomber Tours has firewalls. No unauthorised access is given to cardholders’ details and our online payment solution, Mygate, is compliant,” says Vito Polo, financial manager. He says where the tour operator may not be 100% compliant “Beachcomber is in the process of dealing with our acquiring merchants in order to ensure compliance by June 1”.

Lance Smith, executive sales of Avis Budget Southern Africa, also confirms that the Avis Budget Wizard car-rental system is PCI DSS compliant.

Gaynor Von Loggenburg, executive: sales and marketing, says Bidvest Car Rental’s systems are also compliant.

As an initial step, Asata recommends that agents approach their financial institution if they are a merchant and process transactions through a local point of sale. If the agent is not a merchant and only processes credit card transactions through the GDS (the airline’s merchant), Asata suggests agents contact every credit card brand that they engage with individually in order to find out what compliance process is applicable.

Asata is also engaging with Standard Bank in an attempt to get additional information it can share with its members.