IATA accredited retailers have until March 1, 2018 to comply with new Payment Card Industry Data Security Standards but other businesses in the supply chain are facing increasing pressure to review bookings and check-in processes to avoid off-selling.
Hotels requesting a copy of the front and back of a client's credit card to guarantee a reservation will need to adjust this practice if they want to comply, said Clinton Leask, Senior Product Manager of Nedbank Acquiring.
He said that although hotels are allowed to ask for a copy of the front and back of a client's card, the practice is not PCI DSS compliant and is not encouraged by Nedbank.
"If the hotel receives an emailed image of the front and back of the card, how are they keeping this information secure? What is stopping one of the employees from forwarding that email to someone else?"
Unlike travel management companies, which need to be PCI DSS-certified by March 31, 2018 to retain their International Air Transport Association accreditation, hotels are simply expected to be PCI DSS-compliant already. If they fail to become compliant or suffer security breaches, they could face hefty fines from their financial institutions, Mr. Leask explained.
"The bank will be fined and this fine can be passed directly onto the merchant, in this case the hotel or TMC," said Mr. Leask. "This is covered in the terms and conditions when the merchant signs up to acquire card transactions."
Angus Macmillan, from City Lodge, explained that, where possible, City Lodge used PCI DSS-compliant partners to process cards on the group's behalf.
Bryan Mulliner, Strategic Development and Revenue Director of Protea Hotels and African Pride, said Marriott International had dedicated IT security teams to analyse current threats and implement risk-reducing strategies to protect sensitive data.
Most banks and card issuers have solutions so hotels never actually have to see or store clients' card numbers. Nedbank recently introduced Nedbank DiVert, a solution that allows hotels to send an invoice securely and directly to the TMC by email, asking for payment without the hotel seeing the card number. DiVert can also be used by any other type of merchant.
Mr. Leask said PCI DSS aimed to ensure anyone keeping credit card numbers on record did so in a safe way.
"If you think of it from a personal point of view, if you gave your credit card details to pay for a monthly subscription, would you want the service provider to write your card number down on a piece of paper and leave it lying on a desk? No, I would suspect that you would want it kept in a very secure location and used only once a month for debiting your account."
By last month, IATA was still sticking to its March 1, 2018 implementation date.
Most of the major retail consortia contacted by TIR have already started working through the compliance process. Members were being updated, although solutions and third-party partners varied from business to business. There was still widespread confusion amongst independent agencies about their responsibilities and what additional safety steps they had to have in place if, for instance, their GDS was PCI DSS compliant.
Monica Horn, Product Manager of the Harvey World Travel Franchise Support Team, said the company had contracted a specialist third party, Foregenix, to assist, and that there were members who were still unsure of the requirements.
Ashley Wainer, Travelstart IT Service Manager, commented: "Our road was a long and lengthy information gathering process to establish where our possible vulnerabilities lay and how we could fill the voids to secure our environment.
"After completing the Self-Assessment Questionnaire, we realised although we ticked the majority of the boxes to be compliant, there was still more we could do. One thing I would say you should consider on this journey [is]: What would the impact of a breach cost [you] as a company, not only financially but also in reputation? This is crucial, as sometimes having one's name tarnished is far worse than any financial penalty."
Association of Southern African Travel Agents Chief Executive Officer Otto de Vries said last month that IATA's March 1 deadline would be hard to reach.
"ASATA is constantly engaging with IATA and involved in the development of the PCI DSS wizard, the small merchant guide and a roadmap for compliance. However, we don't believe that, based on the work done to date, the deadline of March 1, 2018 set by IATA can be achieved."
IATA has produced a FAQ for retailers here: www.iata.org/services/finance/Documents/pci-dss-faqs.pdf.
A dedicated webpage related to PCI DSS & Travel Agents Compliance Requirements, which is being updated periodically, is available here: www.iata.org/services/finance/Pages/pci-dss.aspx.