PCI DSS Compliance, Why?

IATA or the International Air Transport Association has already set its flight path to the digital stratosphere. By this it means taking the route of managing US$240 billion annually in ticketing transactions covering over 400 airlines and more than 60,000 travel agents globally into a system that encourages greater participation.

At present, the system it is using began about 46 years ago in Japan in 1971. It was the first Billing and Settlement Plan (BSP) system that enables an airline to receive payments electronically. This groundbreaking monolith of the airline industry is soon to be replaced by a successor called the NewGen ISS (IATA Settlement System).

The NewGen ISS has a four pronged implementation. Once fully rolled out, the industry will see travel agents of all sizes having an easier route to be full fledged accredited ticketing agents compared to the weighty requirements today. They are:

I. Travel Agent Accreditation - divided into three levels to ease the adoption by varying sized agents. This replaces the one-size-fitsall requirements as imposed now. One of the main benefits is that agencies with multicountry presence will be able to use just one Passenger Sales Agency Agreement.

II. Remittance Holding Capacity - a risks management framework. It designates payment limits that equate to outstanding credit available and calls for financial assessments only in predetermined PCI Security Standards Council, the international body that sets the standards and oversees the continuous development of the PCI DSS. conditions i.e. Cash or No-Cash Facility (see IATA EasyPay below) and Standard or Multi-
Country Accreditation.

III. Global Default Insurance - an optional but win-win solution when adopted. This is an insurance scheme provided by a third party insurer rather than IATA itself. It is highly suitable in place of the expensive Bank Guarantee. Among the salient points here is the possibility to eliminate collaterals as required by Bank Guarantee.

IV. IATA EasyPay - easier payment method like an e-wallet. It is as easy as swiping a personal charge or debit card anytime and anywhere because it filters first by verifying the available balance. Funds are remitted to the airlines within 48 to 72 hours. Stakeholders in Austria, Chile, UAE and the UK markets participated in the successful proof of concept stage.

Of all, the NewGen ISS shall give birth to a more secured environment to do business now that the Internet is widely accepted and where security encryption and technological protection are making the entire business cycle more efficient and foolproof. But it is impossible to go full throttle on NewGen ISS without first bringing the industry up to speed. To do that, travel agents receiving payments through credit cards must firstly comply to the PCI DSS (Payment Card Industry Data Security Standard). This is a strict prerequisite before being admitted into the NewGen ISS. A deadline has also since been confirmed by IATA’s Passenger Agency Conference Steering Group (PSG) for the compliance and it is not far away in March 2018.

But what if a travel agent refuses to be PCI DSS compliant?
“Your agency will be a non-IATA Accredited Agent and will not hold ticket stock of IATA BSP Airlines,” says Zarinah Hashim, MATTA Vice President for Air Transportation. “So let’s say a customer walks into your office and would like to buy a ticket on a specific airline, you might not be able to issue immediately as you have to get it from other IATA Accredited Agent.”

Fong Choong Fook, Director of LGMS or LE Global Services Sdn Bhd, shares that the “PCI DSS in general covers topics about protecting sensitive information such as credit card data and it also covers security best practices that can be applied in business.”

The unfortunate incident about noncompliance is that when a security breach occurs, the travel agency will be setback by US$500,000 for every incident. Of course this is just the beginning of a long drawn nightmare because IATA too will begin imposing more stringent audit requirements to remain an Accredited Agent, not forgetting the consideration to shut down the credit card facility.

Conversely, when a travel agent does comply, “Your agency is trusted with handling of passengers credit card data regardless whether they are local or international,” Zarinah points out.

For those eager to get on the compliance programme, Fong, who is also a Payment Card Industry Approved Scanning Vendors (PCI ASV) and Security Assessment Specialist with 20 years experience, classifies travel agencies as being under the Merchant categories and the four prevailing levels are segmented according to transaction volumes.

“For example, for Visa and Master, merchants with an annual transaction below 20,000 are classified as Level 4 Merchants whereas those greater than 6 million are Level 1 Merchants.”

Compliance is also determined by the organisation’s business operations, primarily about how payment made by cards are performed and how card data is managed thereafter. In general, for members of MATTA, compliance would suffice either as Self-Assessment Questionnaire (SAQ) C or D where C concerns “merchants with payment application systems connected to the Internet, no electronic cardholder data storage and not applicable to e-commerce channels”. SAQ D on the other hand deals with merchants receiving payments other than the most common payment methods like swiping at PIN terminals, own website etc.

Realising the hefty losses it may bring to the travel sector, MATTA conducted its very first PCI DSS Compliance Briefing on the 28th of March 2017 at PWTC in Kuala Lumpur, attended by over 130 participants, and then again on the 6th of April at Berjaya Waterfront Hotel in Johor Bahru. Dialogue sessions were also held in Sarawak on the 4th of April at MATTA Sarawak Chapter Office in Kuching and attended by 23 MATTA members & IATA representatives, followed by sessions in Miri and Sibu on the 17th of April. Following the Briefings, the Compliance Programmes were succinctly conducted on the 13th to 14th April at MATTA HQ in Kuala Lumpur. Participants at the Workshop were guided to a Self Assessment Questionnaire (SAQ) and to perform an initial PCI-ASV Vulnerability Scanning to identify the compliance gap (CG). Results from the CG facilitates the implementation of the relevant PCI controls to better safeguard their systems.

According to Elaine Yap of the Diners World Travel (Malaysia) Sdn Bhd, the PCI DSSCompliance Workshop has been an eye opener, “We learnt something new and understand indepth of what PCI DSS is. LGMS did a good job on the explanation of the whole process and we are now waiting to proceed to another level of compliance.”

Equally satisfied was Darren of Sunlida Travel & Tours Sdn Bhd, “The 2-day Workshop is educational of us first timer. It was a challenge
at the start because there were various types of travel agencies in the work group but LGMS managed to provide us with a solution.” He also lauded MATTA’s efficiency in organising the Workshop and the reasonable fee charged for it.

“The process of becoming compliant with the PCI DSS framework can be complex, costly and lengthy. With the economy slowing down, it’s a pain financially for the agent,” Zarinah expresses about the challenges the industry faces. However, “it is the responsibility of each agent as part of the credit card transaction chain to determine the exact applicable process that must be followed in order to obtain and maintain compliance with PCI DSS.”

As the airline industry have demanded IATA to support their own internal compliance project by making the BSP (Billing & Settlement Plan) card sales channel PCI DSS-compliant, our local travel industry is also not left with a lot of time. With full compliance expected in less than a year, travel agents must heed the urgency to comply or face the consequences of being removed as IATA’s Accredited Agent and thereby the ticketing revenue as well.


PCI DSS in Brief

  • The PCI SSC is responsible for managing the security standards for the payment card industry and covers the security of storage, processing and transmission of card data.
  • American Express, Discover Financial Services, JCB International, MasterCard and Visa Inc took part in the creation of PCI SSC in view of the rapid adoption of online payments at the turn of the millenia.
  • A Board of Advisor is elected by more than 500 participating organisations including 21 organisations from the likes of Cisco to McDonald’s.
  • It is responsible for the development and enforcement of the compliance programme, setting the barometer for fines, acceptance of documentation, undertaking forensic investigation when data is compromised, validate scope of assessment as well as being on-site to conduct relevant assessment procedures.

Business Categories, based on Visa’s guidelines:

  • Level 1 - 6 million annual transactions and above.
  • Level 2 - 1 to 6 million annual transactions.
  • Level 3 - 20,000 to 1 million annual transactions.
  • Level 4 - Below 20,000 transactions.

Fast Facts

AoC - Attestation of Compliance; the only recognised document of PCI DSS compliance and IATA stipulates it must be signed by authorised PCI QSA.

PCI QSA - PCI Qualified Security Assessor validates a merchant’s setup against the PCI DSS compliance requirements and provides an AoC upon compliance.

PCI ASV - PCI Approved Scanning Vendor performs technical vulnerability assessment and scanning against a merchant’s network and infrastructure, ensuring no IT system vulnerabilities in the merchant’s business environment. AoC is provided upon compliance.

Time to Compliance - dependent on the current gap a business has against the PCI DSS compliance requirements.