TRAVEL agents have
until March 2018 to
comply with PCI DSS
requirements or potentially
lose their Iata licence.
Yet it appears that the
requirements for payments
by credit card for air tickets
could be in contravention of
PCI DSS.
The requirement for a
manual CCCF form, or
charge form, for transactions
where the credit card is
not present is the snag.
However, when TNW
approached associations
and institutions to establish
where the requirement
comes from, we were
pushed from pillar to post.
Agents explained to TNW
that if they did not retain a
hard copy CCCF form with a
card imprint and cardholder
details, should the client
dispute the transaction, the
funds are reversed.
“We suspect that the
requirements for CCCF
would place the PCI DSS
requirements for BSP ZA
under threat,” says Otto
de Vries, Asata ceo. “We
are currently investigating
to better understand
the situation in order to
determine the way forward.”
Md of Sure Viva Travels,
David Pegg, explains that
when a client disputes a
ticket purchase where the
card was not present, the
bank reverses the charge to
the airline. If the agent is
unable to produce a CCCF
with a card imprint and
signature, the airline issues
an ADM to the agent to the
value of the transaction.
Sharon Stander, md of
Go 2 Bangy Travel, says an
automated CCCF, without
the card imprint, would be
more POPI and PCI DSS
compliant because it does
not show the client’s full
credit card details. She
says this electronic version
is a better alternative to
the current manual version
required.
The use of a GDS-issued
electronic version of the
charge form that does
not require an imprint of
the credit card has been
approved in a number of
jurisdictions, says Janaurieu
D’Sa, area manager,
Southern Africa at Iata,
although he adds that the
client’s signature is still
required. He points out that
South Africa still requires
the physical charge form,
which requires the imprint
and cardholder signature.
“The need for a ‘card
imprint’/copy of the CCCF
is a Pasa (Payments
Association of South
Africa) requirement,”
says Janaurieu. “Iata
has been engaging with
Pasa on the change of
legislation to accommodate
the electronic format
through the BSP, however
this has currently been
declined due to the type
of transaction, which does
not include a cardholder’s
authentication. The CCCF
in this case becomes proof
of cardholder’s presence or
card authentication.”
However, Pasa ceo, Walter
Volker, says any card
imprint requirements are in
contravention of PCI DSS
and that Pasa does not have
such requirements.
At the time of publication,
banks had either declined to
comment, or not responded
to TNW’s questions.
