Travel Industry Review

PCI DSS COMPLIANCE REQUIREMENTS Q&A

RECENTLY, TIR readers were invited to submit their questions about PCI DSS and compliance requirements relating to IATA accreditation, which we posed to industry expert Clinton Leask, Senior Product Manager of Nedbank Acquiring, and to Janaurieu D'SA, International Air Transport Association Area Manager Southern Africa:

1. Retailers need to prove they are PCI DSS compliant to retain IATA accreditation. What if they choose to give up their license and ticket through a third party?

Clinton Leask (CL): "Ticketing through a third party will most likely not mitigate the need to become PCI DSS compliant. If you are a merchant who accepts or processes payment cards, you must comply with PCI DSS."

Janaurieu D'SA (JDS): "If an agency does not process credit card transactions, the travel agency must submit a declaration stating that, signed by the authorized signatory of the travel agency. The agency will not be required to provide compliance evidence, however, this information will be kept on file and once New Gen ISS resolutions are effective in a country, Travel Agency Credit Card form of payment will be switched off. All PCI DSS provisions will become effective and proactively enforced from March 1, 2018. Under NewGen ISS Program, there will be three levels and models of accreditation available: (www.iata.org/whatwedo/airline-distribution/Pages/newgen-iss.aspx). Under the current passenger sales agency rules, travel agents will need to be PCI DSS compliant to have access to credit card as a form of payment. In essence the accredited location will not automatically lose their accreditation if they are not PCI DSS compliant – they have other options to trade through the BSP."

2. If every participant in the sales chain must protect customers' payment card data, regardless of their size, how is PCI DSS compliance being policed in other sectors - accommodation, transport, aviation, etc?

CL: "PCI DSS compliance is required in all industries where payment cards are stored, transmitted or processed. There are various initiatives across various industries to ensure that all sectors are PCI DSS compliant."

JDS: "The Payment Card Industry Security Standards Council is responsible for managing the security standards for the payment card industry. PCI DSS is a global data security standard to protect confidential payment card information against theft. Airlines have demanded that IATA support their own internal compliance project by making the BSP card sales channel PCI DSS compliant. This is why IATA accredited travel agents now need to become compliant.

Each sector is responsible for their own compliance procedures."

3. Where do I start if I have done nothing? What is a merchant guide and how do I know what requirements apply to my business?

CL: "The best starting point is to navigate to the PCI Security Standards Council Site for merchants, www.pcisecuritystandards.org/merchants. There is a wealth of information available that is broken down into easy to understand aspects and requirements. Included are guides for any type of merchant from small to large that will guide businesses through the requirements. Travel agents should also speak to their acquiring bank who will guide the agent based on their PCI Level."

JDS: "Please check out our FAQs: www.iata.org/services/finance/Documents/pci-dss-faqs.pdf.

Read more about PCI DSS: www.iata.org/services/finance/Documents/pci-dss-overview.pdf."

4. What about corporate consultants who need to have customer credit card information on hand at all times? Where and how must this information be stored?

CL: "Certain payment card data like the Primary Account Number (PAN) can be stored but must be done securely using appropriate encryption or hash routines. Data such as the CVV/CVC is termed Sensitive Authentication Data and must never be stored after authorisation, even if encrypted. Requirement 3 of the PCI DSS standards refers to the storage of cardholder data."

JDS: "There is a common misconception that PCI DSS Compliance demands the end of the signed manual imprint. PCI DSS does not forbid storing the card number in a paper or electronic form, it only requires that storage be conducted securely. PCI DSS standards, establish that in the scenario of storing card details including on paper (card imprints), the travel agent should keep cardholder data storage to a minimum by implementing data retention and disposal policies, procedures and processes that include at least the following for all cardholder data storage: limiting data storage amount and retention time to that which is required for legal, regulatory, and/or business requirements; specific retention requirements for cardholder data; processes for secure deletion of data when no longer needed; and/or quarterly process for identifying and securely deleting stored cardholder data that exceeds defined retention."

5. What is the approximate or average cost to be audited and how do you find a reputable service provider to sign off on your PCI DSS processes?

CL: "The costs vary based on the size of the business and the complexities around how payment card data is handled. All Qualified Security Assessors are registered with the PCI Security Standards Council and you can verify the QSA by searching online at www.pcisecuritystandards.org/assessors_and_solutions/qualified_security_assessors

"Merchants should also speak to their acquiring bank who will also be able to supply a list of locally available Qualified Security Assessors."

JDS: "This is a commercial matter between the accredited travel agent and the service provider and is subject to various factors subject to merchant levels and compliance validation requirements. Nevertheless, IATA is looking at best possible alternatives to help agents be PCI DSS compliance."

6. How regularly do I need to show my business is compliant?

CL: "As a merchant that handles payment card data, PCI DSS becomes a daily aspect of your business. The PCI Security Standards Council has broken down the on-going steps for adhering to PCI into three steps:

- Assess - identifying cardholder data, taking an inventory of your IT assets and business processes for payment card processing, and analyzing them for vulnerabilities that could expose cardholder data.

- Remediate - fixing vulnerabilities and not storing cardholder data unless you need it.

- Report - compiling and submitting required remediation validation records, if applicable, and submitting compliance reports to the acquiring bank and card brands you do business with."

JDS: "As part of the annual agency revalidation process, by no later than December 1 annually and pending PaConf approval, the agent must warranty continued compliance with PCI DSS, therefore an express renewal feature will help travel agents to easily comply."

7. If I only accept credit card payments over the phone, do PCI DSS requirements still apply to me?

CL: "Yes, most definitely. Over the phone transactions pose the highest risk for a merchant as details need to be captured manually and this makes it far easier for payment card data to be compromised. Where possible a merchant should accept payment card information electronically or via a secure portal making use of additional security like 3DSecure which validates the cardholder in the process. Nedbank have a solution available called DiVert which allows sending a single-use remote payment page to a cardholder to process the transaction securely and using 3DSecure."

8. What if my GDS is compliant?

CL: "A compliant GDS will help in your PCI DSS journey but does not remove the need for your business to become PCI DSS compliant if you handle payment card data. PCI DSS applies to all entities that store, process or transmit cardholder data."

9. IATA insists agencies in South Africa still need to use the CCCF (Credit Card Charge Form) system, which one TIR reader described as “a contradiction of the whole aim of PCI DSS. Is the problem that you aren't meant to be retaining a paper copy of someone's details?

CL: "A paper copy of payment card data can be retained provided it contains no Sensitive Authentication Data and is stored securely. Requirement 3 of the PCI DSS standards refers to the storage of cardholder data."

10. What will happen to my business in the event of a data breach?

CL: "A data breach can be costly and brand damaging. You may be liable for the costs of re-issuing new cards and for any costs attributed to fraud that may occur with the compromised card information.

In the event of a breach or suspected breach you must contact your acquiring bank immediately."

JDS: "The breach or theft of cardholder data affects the entire payment card industry with a knock-on effect. Agency potential liability [includes] lost confidence, so customers go to other merchants; diminished sales; fraud losses; higher subsequent costs of compliance; legal costs, settlements and judgments; fines and penalties; termination of ability to accept payment cards; going out of business."

11. We understand IATA is working on a system to manage credit card payments for airlines. Will this serve as an alternative to having to keep CCCF/authority from clients on file? Will it be automated? One TIR reader commented: "Although I shall be doing my compliancy through our bank, we need to find an alternative to doing CCCF/having a document to show either IATA or the banks that we received authority from the clients to deduct the air fare off their cards"

JDS: "IATA has been engaging with the Payments Association of South Africa and the card companies on the acceptance of the GDS Automation CCCF Solution that is currently used in other jurisdictions; this is primarily to facilitate efficiency of the process bearing in mind feedback provided above (see question 4)."

12. Who do we call or contact with questions about PCI DSS?

CL: "Agents should also speak to their acquiring bank who will guide them based on their PCI level and can supply a list of locally available Qualified Security Assessors. Additionally, merchants can search for a QSA by navigating to www.pcisecuritystandards.org/assessors_and_solutions/qualified_security_assessors."

13. IATA gave us the BSP system and it works for cash transactions. I can't see how it cannot be adapted to getting authority through same system for credit card transactions from the client. They should be assisting us in ensuring we are compliant, not just a piece of paper/certificate, as they are ones insisting we get compliant. What other practical help or resources are being made available?

JDS: "IATA have established a working group [consisting of] IATA, a technological partner, ECTAA, WTAAA, UFTAA and PCI DSS Council representatives [to] deliver a quick reference merchant guide, which is industry specific and delivers a PCI DSS Wizard tool. PCI Wizard helps simplify the process by walking the merchant step-by-step to certify compliance. The industry's first intelligent to do list tracks security gaps that need action within the flow of the agent's experience, to help them track action items necessary for compliance."