DESPITE the travel
industry’s concerns
about meeting the
March 2018 deadline for
Payment Card Industry Data
Security Standards (PCI
DSS) compliance, Iata is
sticking to the deadline.
Concerns were raised by
Asata at the end of August
during a conference call
aimed at getting a PCI
DSS working group up and
running.
Asata ceo, Otto de Vries,
says he is concerned with
the timeframe based on
what still needs to be
done, which includes a
small merchant guide and
a road map to compliance.
He says Iata intends to
deliver a tool that will assist
agents, which will be a good
thing. “But, I repeat, the
timeframe is a risk.”
Iata announced earlier
this year that agencies
operating within the BSP
that did not adhere to PCI
DSS by June 1, stood to
lose their Iata accreditation.
This was then postponed to
March next year.
PCI security standards
are the technical and
operational conditions
to preserve payment
card security. PCI DSS
compliance aims to enhance
payment card security and
applies to agents who
store, process and transmit
payment card data.
Angelique van Wijk,
business development
manager CEMEA at
Foregenix, cautions that
the industry is behind
in reaching compliance.
“Unfortunately, we have
found that the travel agent
industry is generally a
long way from becoming
compliant. This is largely
due to the fact that security
is not ‘baked in’ to their
business and thus requires
significant education to
retrofit cyber security into
their people, processes and
technology.”
Should Iata revoke the Iata
licences of agents who do
not comply with PCI DSS by
March, the ramifications for
the travel industry will be far
reaching. Dinesh Naidoo,
group operations director
of Serendipity Worldwide
Group, says: “I am really
worried about March 1. If
we don’t get this right, the
entire South African market
will be killed because
nobody is compliant.”
Angelique echoes this
sentiment, suggesting
that planning activities
should be started almost
immediately. “If it is left to
the last minute it will be
panic stations close to the
deadline.”
Dinesh says one of the
biggest challenges is the
use of credit card charge
forms (CCCF), which are
required by card issuing
companies. At present,
these forms store credit
card information in
contravention of PCI DSS.
Likewise, Marco
Ciocchetti, ceo of XL Travel,
says he has his doubts the
industry will be ready for the
deadline. He highlights that
many industry practices are
not compliant. However his
biggest concern is the lack
of clear communication on
what the industry needs to
do to comply. That said, he
adds: “We are trying our
best to see what needs to
be done.”
At the time of publication,
Iata had not responded to a
request for comment.
