The travel industry has been the target of a number of important data breaches recently, which has reinforced the notion that PCI DSS is much more than just a buzzword.
Just a few days ago, online travel agent Booking.com admitted that it is compensating customers whose personal details have been stolen.
Although the online agency says its systems have not been compromised, customers of hotels and guest houses listed on Booking.com were targeted. Users first received WhatsApp and text messages instructing them to change their passwords because they had allegedly fallen victim to a security breach.
Once they clicked on the link, hackers reportedly sent phishing emails asking them to send payment details for their bookings. The content of the emails was very well-written and included names, addresses, phone numbers, costs, reference numbers and booking dates.
Booking.com is not the only travel player to have been affected. The list of travel industry players that have been compromised at some point is endless and includes major names like Sabre and InterContinental Hotels Group.In March this year, travel booking website Orbitz also announced it discovered a potential data breach that exposed information for hundreds of thousands of customers.
Not only the big conglomerates are at risk either. Even the smallest travel agents hold important data about their clients that could be of interest to hackers.
It is important for customers to know that their data is being protected, because so many businesses are susceptible to data breaches, at their customer’s expense. Without the proper security measures in place, hackers could have access to your data and your customers’ data. PCI compliance is a certain way to improve the level of security.
What is PCI DSS?
Credit card companies have compiled the PCI Data Security Standard to enhance payment card security. All entities that store, process and transmit payment card data are required to adhere to PCI security standards, which are the technical and operational conditions to preserve payment card security.
As a minimum global data security standard, PCI DSS aims to protect confidential card and payment information against theft, fraud and other forms of data misuse.
How does PCI DSS impact on travel agents?
Travel agents have had to comply with Payment Card Industry Data Security Standards (PCI DSS) since 01 March 2018 or they stand to lose their ability to issue flight tickets on credit card.
One of the main obstacles for travel agents of becoming PCI DSS compliant has been the lack of knowledge on the topic. A lot of travel agents still don’t know why they should be PCI DSS compliant and what the process involves.
How can travel agents become compliant?
IATA has rolled out a PCI DSS Wizard tool for Travel Agents.
For the development and roll-out of this tool, IATA signed a referral partner agreement with Trustwave, a Qualified Security Assessor (QSA) by the PCI Security Standards Council.
The tool walks travel agents through the steps that are right for their business type, making it easy for them to understand what needs to be addressed, how to find the solution, and check off any task once it is complete.
After travel agents have completed the streamlined compliance process, the compliance status is sent back to IATA automatically on the agent’s behalf.
Travel agents can view and download milestone progress reports, download a Certificate of Compliance as well as the PCI Attestation of Compliance. They can display the Trusted Commerce® seal on their website to showcase their compliance to visitors.
Agents can register their TrustKeeper PCI Manager account by following this link.
Important to note is that the use of this tool to obtain PCI certification is not free of charge. Service descriptions along with pricing can be found on the IATA PCI DSS Certification Program page.
Who else can travel agents call or contact with questions about PCI DSS?
Agents can also speak to their acquiring bank who will guide them based on their PCI level and can supply a list of locally available Qualified Security Assessors. Additionally, merchants can search for a QSA by navigating to https://www.pcisecuritystandards.org/assessors_and_solutions/
What are the consequences of non-compliance?
IATA has listed the consequences of non-compliance as follows:
• Lost confidence, so customers go to other merchants
• Diminished sales
• Fraud losses
• Higher subsequent costs of compliance
• Legal costs, settlements and judgments
• Fines and penalties
• Termination of ability to accept payment cards
• Going out of business
If travel agents have any more questions about PCI DSS, they can visit the IATA FAQ page.