Travel agents must comply with Payment Card Industry Data Security Standards (PCI DSS) by 1 March 2018 or stand to lose their ability to issue flight tickets on credit card. Are you prepared? Since 2006, PCI DSS compliance has been a requirement across all industries that accept card payments. As a minimum global data security standard, it serves to protect confidential card and payment information against theft, fraud and other forms of data misuse. We chatted to Elly Kwasi from Amadeus East Africa about the most pressing questions from agents surrounding PCI DSS.
Why is it so important for travel agents to comply?
We are currently living in an era of widespread worldwide cyber-crime threats. The reality is that businesses that are not PCI DSS compliant are putting themselves at risk. Without the proper security measures in place, hackers could have access to your data and your customers’ data. Your concern as a business owner today should be to make sure your business is secure and that you have all processes in place to secure your business.
What are some of the main obstacles for agents to become PCI DSS compliant?
One of the main obstacles to becoming PCI DSS compliant is the lack of knowledge on the topic. A lot of travel agents still don’t know why they should be PCI DSS compliant and what the process involves.
What steps should agents keep in mind when trying to become compliant?
Travel agents need to understand that every system or third party they use to process credit card details needs to be PCI DSS verified. This includes any back-office accounting applications as well as online payment gateways and B2B wallets. Travel agents will also need to look at their own environment and ask themselves: am I using the latest updated browsers? Am I using the most updated software applications? Do I have an adequate firewall? These steps are part of the PCI DSS process that travel agents need to put in place. As Amadeus, we have certain minimum requirements for browsers. If travel agents want to access the Amadeus system, they’ll need the latest browsers, as these browsers have a higher level of security.
What are some of the biggest misconceptions travel agents hold when it comes to compliance?
Often travel agents think they don’t need to be compliant and will say things like: “I just take down the bookings over the phone and note down the credit card numbers on paper. I don’t need to be PCI DSS compliant.” Of course, this assumption is incorrect. Travel agents also often still have the bad habit of scanning a copy of the travellers’ credit card details, or they store the details in an insecure Excel file. These are all examples of non-compliant behaviour and this behaviour will need to change. There is also often a lack of a data back-up system, a failure to properly store customer data and information in a secure way, and a lack of proper security measures and tools in terms of anti-virus and firewalls.
How can Amadeus help?
It’s important to remember that all bookings made on the Amadeus system are PCI DSS compliant. We also believe that education and communication are crucial when it comes to data security. It has become increasingly important for the travel industry and other industries to understand the challenges that come with an increasingly connected, online world. That is why Amadeus hosted cyber security workshops for the travel trade in both Kenya and South Africa last year.