As of March 1, 2018, IATA Accredited Travel Agents will need to comply with the IATA Resolution for PCI DSS Compliance, but what does that mean and why should you care? CT asked the Association of Canadian Travel Agencies (ACTA) to share some insight to help readers understand the requirement:
What is PCI Compliance and why is it important?
As of March 1, 2018, IATA Accredited Travel Agents will need to comply with the IATA Resolution for PCI DSS Compliance. PCI DSS compliance will be a mandatory condition to obtain and retain accreditation as an IATA Accredited Agent in all of its Accredited locations under the Passenger Sales Agency Rules in Resolution 818g. This mandatory requirement is intended to protect confidential payment card information against theft. Airlines have asked IATA to support their own internal compliance projects by making the BSP card sales channel PCI DSS compliant.
What do travel advisors need to know?
IATA extended the initial June 1, 2017 deadline to March 2018 after ACTA reported concerns from its members. ACTA, along with our global partners in the World Travel Agents Associations Alliance (WTAAA), lobbied vehemently for an extension following IATA’s announcement. It was agreed that announcing the requirement in Q1 of 2017 and expecting all IATA appointed agencies to be compliant by June 1, 2017 was unrealistic. The process for an agency to become PCI DSS compliant can be a very complicated exercise, depending in particular on the agency's determined Level (number of credit card transactions). Agencies needed more information and more time in order to work toward this new requirement.
Agents seem to be confused about what specifically they need to do to meet the requirements. In simple terms, an agency needs to:
1) Determine their “Level” of compliance. The majority of agencies are Level 2, 3 or 4. A Level 1 agency has over 6 million transactions. Level 2, 3 or 4 agencies need to complete a Self Assessment Questionnaire (SAQ).
2) Determine which Self Assessment Questionnaire they need to complete, depending on how they conduct or transact business.
3) Ensure that the agency has in place the appropriate PCI DSS Policies and Procedures, applicable or tailored to the agency.
4) Ensure that employees have been trained on the agency’s PCI DSS Policies and Procedures.
5) Complete the applicable PCI DSS SAQ.
6) Submit proof of the agency’s completed SAQ to the parties that require it. For example, if you are an IATA appointed agency and you accept credit cards as a form of payment (this does not apply to agencies that make cash-only sales), you will be required, when IATA advises, to upload the document into your BSP portal as you do for your financial documents. Acquirers such as Elavon may also request this document as proof of compliance.
Non-compliance could result in "2 instances of irregularity being recorded against your agency." What does having irregularities mean for an agency? Does this mean a fine? IATA recently circulated a note to IATA appointed agencies through BSPlink that explained the distinction between Resolution 818g, which refers to “irregularities”, and the move to Resolution 812, which refers to Administrative Non-Compliance.
What are FAQs you've encountered?
The most asked question to date is: Is PCI DSS compliance required for all travel agents in Canada?
The easy answer would be "yes"; however, it actually depends:
· If the agency is a merchant, it needs to be PCI DSS compliant as a requirement of its contract with the card brands (Visa, MasterCard, etc.) and its acquirer.
· If the agency is not a merchant but is IATA appointed and accepts credit cards, IATA requires the agency to be PCI DSS compliant.
· If the agency is not a merchant but is IATA appointed and does not accept credit cards, under Resolution 812, proof of Compliance is not requested from IATA.
· If the agency is not a merchant and is a TIDS appointed agency, it is not directly mandated to be compliant; however, the merchant(s) with whom it is affiliated will eventually ask it to follow all or some of the PCI DSS requirements, because this affects the certification of the merchant (under PCI DSS requirement 12.8).
While in some cases an agency may not be mandated to comply with PCI DSS, ACTA recommends that an agency undertake best practices to ensure that their clients' credit card data is protected at all times.
More FAQs can be found at this link: https://goo.gl/dpBqmi
To support this mandatory requirement, ACTA has a PCI Compliance toolkit (in both English and French) that offers ACTA members the resources and tools required to become PCI compliant. An important element of the toolkit is the online wizard (Accel-PCI), created in partnership with Accel-PCI, a Canadian owned company. The online wizard is designed to help travel agencies understand the PCI DSS requirements specific to their business type and easily apply them to their payment card transaction environment. Accel-PCI’s customized tool for the travel industry provides a step-by-step online format that addresses the three main steps, with a progressive check-off format that indicates requirements as they are completed, making it easier to understand what needs to be addressed.