Payment Card Industry (PCI) Data Security Standard (DSS) compliance

Following advice given to IATA concerning the risks associated with payment card transactions and potential data breaches, there is a need to confirm that Accredited Agents operating within the BSP are Payment Card Industry (PCI) Data Security Standard (DSS) compliant.

Effective 1 June 2017, PCI DSS compliance will be a mandatory condition to obtain and retain accreditation as an IATA Accredited Agent in all its Accredited locations under the Passenger Sales Agency Rules in Resolution 818g. Non-compliance with PCI DSS security standards could result in 2 instances of irregularity being recorded against your agency.

WHAT IS PCI DSS 

American Express, Discover Financial Services, JCB International, MasterCard, and Visa are the founding members of the Payment Card Industry Security Standards Council. The Council’s mission is to enhance payment card security by fostering broad adoption of the PCI Data Security Standard for merchants and processors handling sensitive payment card information. The Council is a global forum for the ongoing development, enhancement, storage, dissemination and implementation of security standards for account data protection, and it provides common data security standards on a global basis to protect confidential payment card information against theft. All entities that store, process and transmit payment card data are required to adhere to PCI security standards, which are the technical and operational conditions to preserve payment card security.

WHAT DOES PCI DSS COMPLIANCE MEAN TO ME AS AN AGENT

The breach or theft of cardholder data affects the entire payment card industry, with a knock-on effect: customers lose trust in merchants or financial institutions, and customers' credit can be negatively affected, which could lead to enormous personal fallout. Merchants and financial institutions lose credibility (and in turn, business), and they are also subject to numerous financial liabilities as a result of theft of cardholder data. Therefore, compliance with PCI DSS is mandated by the International Card Payment Schemes worldwide. When you accept card transactions on your own merchant agreement and/or conduct BSP card transactions, you fall under these PCI DSS compliance obligations.

RELEVANCE OF PCI COMPLIANCE FOR TRAVEL AGENTS

There is a need to ensure PCI DSS compliance in the community of IATA Accredited Agents. PCI DSS compliance benefits all parties in the distribution chain by ensuring that sensitive payment card data is handled confidentially for the protection and benefit of consumers. PCI DSS compliance is a requirement reflected in Resolution 890 of the IATA Passenger Agency Conference. 

THE ROLE OF IATA IN PCI DSS COMPLIANCE 

IATA supports PCI DSS compliance by requiring that industry communication channels like BSPlink and the data processing systems are PCI DSS compliant. Additionally, IATA sets standards where payment cards are used as forms of identification or as forms of payment in self-service common use terminals (such as check-in kiosks). Finally, IATA demands that all its service providers be PCI DSS compliant and annually provide IATA with evidence of valid compliance.

FOR MORE INFORMATION ON HOW TO BECOME PCI DSS COMPLIANT 

Current and future IATA Accredited Agents can learn more about how to become PCI DSS compliant, obtain evidence or re-validate compliance at: www.iata.org/pci-dss