An unprecedented number of travel consultants are working from home. But, whether the agent is in a formal office environment or working from home, PCI compliance remains an IATA requirement for access to BSP and for the issuing of air tickets. Travel consultants processing information of a sensitive nature remain vulnerable to fraud and liability, irrespective of where the work takes place.
Perry Flint, head of corporate communications for IATA USA, told Travel News: “It is important to note that Payment Card Industry Data Security (PCI-DSS) standards are technical and operational requirements set by the PCI Security Standards Council (PCI SSC) to protect cardholder data. IATA does not set these standards, but IATA is responsible to ensure that IATA-accredited travel agents are compliant with those standards. Regardless of where the business is being conducted, any agent that processes, transmits or stores credit or debit card data must be PCI Compliant.” He added: “Understanding that compliance with the PCI DSS framework can be a complicated task, IATA developed a PCI DSS Wizard Tool to support the compliance validation process for travel agencies.”
Debbie Joubert, owner of Travel 24-7, says that while she understands the requirements for compliance where a consortium with many agents is involved, it is different for lone agents. “Where many staff members may have access to this information, non-compliant activity would need to be traced, but in my case I am the only agent working with my client’s information, therefore I would be solely responsible.” Debbie said: “To me, the requirements for solo consultants are unrealistic and expensive. It is difficult to implement. Our hands are tied without the PCI-DSS Certificate, and without it I would risk losing my IATA license.”
Stefan van der Merwe, chief financial officer at Sure Holdings, believes that many agents working from home are most likely not compliant, taking into account the impractical and cumbersome PCI-DSS requirements required by IATA. “This is obviously not verified by IATA but could also have implications for IATA-registered agents acting as host companies that offer a ticketing service to smaller agents.”
Pieter Pienaar, information security and data protection officer at Club Travel, says that Club Travel is dedicated to compliance areas such as PCI, POPIA and GDPR. “All of these areas require adherence to strict guidelines, policies and compliance audits. We comply with the PCI storage and processing standards to ensure that our PCI certification is always up to date.” Pieter says that ITCs who operate using Club Travel’s IATA licence do not need to be PCI-certified; however, they do need to comply with all PCI processes and requirements - for example, the use of a Secure Vault to share card details between parties. “Working from home should not affect this, as the processes and online technology should facilitate a secure process regardless of whether the agent is working in the office or at home. ITCs who operate under their own IATA licence are, however, responsible for their own PCI certification and processes.”