The International Air Transport Association (IATA) is now requiring that its accredited travel agencies comply with the PCI Data Security Standard (PCI DSS) to protect payment data. PCI SSC International Director Jeremy King discusses payment security risks for the travel industry and how PCI DSS can help businesses protect themselves.
Can you talk a little bit about the IATA PCI DSS mandate and what it means for the travel industry?
Jeremy King: The travel and hospitality industries are sectors that come under repeated and targeted attack from global organized criminal gangs, primarily because they offer a large number of opportunities to gain access to significant quantities of card payment data. That IATA is now requiring its members to become PCI DSS compliant is a fantastic step forward for the entire travel industry and the PCI SSC will do what it can to help.
How is the travel industry at risk for payment data theft?
Jeremy King: So as we are now into the holiday season, let’s take the example of booking a holiday trip. I can visit a physical travel agent, or go to an online agency. I can also speak to them on the telephone, so that is three different methods of interaction. Now if I want to book a holiday which will require air travel, hotel, transport, car hire, activities, and insurance, I have just potentially added another six different companies that will need my card payment details. With so many parties involved, and different methods for accepting and processing payment data, there are multiple points throughout a transaction process where payment data is at risk if not secured.
What are some of the challenges you see specifically for this industry when it comes to payment security and data protection?
Jeremy King: An overwhelming majority of travel agents are small merchants, with limited IT security skills. Depending on their experience and how they are set up, their handling of cardholder data can range from writing it on a piece of paper to entering it into a website. Of course the challenge then is just how they are securing that card data. And unfortunately in many cases they are not. What is worse, the travel agent can make the booking using different travel company details, so the acquiring banks do not even know who they are.
What tips can you offer to travel agencies when it comes to implementing PCI DSS?
Jeremy King: My top tip is to first understand exactly how you are accepting and processing card payment data. You cannot make it secure if you do not know where it is and how you are handling cardholder data. The next step is to fully understand all the different parties you share this information with and how. Is it online, via telephone, fax or do you only accept payments through an approved PCI PIN Transaction Security (PTS) payment device? Once you understand these basics you can start working out how to make yourself secure. Develop a project plan and share that project plan with both your acquirer (merchant bank) and IATA. That way they can see your progress as you make it.
What resources do you recommend to these organizations in getting started with PCI DSS?
Jeremy King: Well the good news is that help is at hand, and especially for the small travel agents. The PCI Payment Protection Resources for Small Merchants are going to be an invaluable help and can be downloaded from our website here.
The PCI SSC also has lots of other very helpful guidance and resources – get started by visiting our merchant page here.
Finally, PCI SSC will work closely with IATA to help improve the security of the travel industry so that we can all enjoy our holidays safe in the knowledge that our card payment data is secure.