This story originally ran in the February 22, 2018 issue of Travelweek magazine. To get Travelweek delivered to your agency for free, subscribe here.
TORONTO — The March 1 deadline for travel agencies to become PCI DSS compliant is just around the corner, with many agents and agency owners still unsure of what exactly they need to do.
As mandated by IATA, compliance with PCI DSS (the Payment Card Industry Data Security Standard) is a mandatory condition for IATA-accredited travel agents, designed to protect confidential payment card information against theft.
PCI DSS compliance has actually been in place for over a decade; however, it wasn’t until 2017 that IATA decided to enforce it on IATA-accredited travel agencies. Originally scheduled for June 1, 2017, the mandate was eventually postponed until March 2018 after ACTA, along with its global partners in the World Travel Agents Associations Alliance (WTAAA), lobbied vehemently for an extension.
Said Heather Craig-Peddie, Vice President, Advocacy and Member Relations at ACTA, “It was agreed that for IATA to have made the announcement in Q1 of 2017 and expect that all IATA-appointed agencies would be compliant by June 1, 2017 was an unrealistic expectation. The process for an agency to become PCI DSS compliant can be a very complicated exercise.”
Knowing of the uncertainty surrounding PCI DSS compliance, ACTA has teamed up with Accel PCI, a Canadian owned and operated, web-based company that helps merchants become compliant. It is not a requirement to obtain compliance through a PCI company like Accel PCI; agents can refer to the guidelines on the PCI Security Standards website, pcisecuritystandards.org, on their own. However, doing it through a qualified security assessor like Accel PCI has its advantages.
Here’s what you need to know:
Who needs to be PCI DSS compliant?
If the agency is a merchant, it needs to be compliant. If the agency is not a merchant but is IATA-appointed and accepts credit cards, IATA still requires the agency to be compliant. If the agency is not a merchant but is IATA-appointed and does not accept credit cards, proof of compliance is not requested from IATA. If the agency is not a merchant and is a TIDS-appointed agency, it is not mandated to be compliant; however, a supplier can request that the agency provide evidence of compliance as part of their due diligence in becoming PCI DSS compliant.
What happens if my business is not compliant?
According to Christine Chilton, Director of Education at ACTA, “failure to comply with the requirements as per IATA’s request will result in an Administrative Non-Compliance”, after which agents will be required to remedy the situation within 30 days of receiving a notice from IATA. If it hasn’t been remedied, IATA will immediately restrict the agent’s use of the Customer Card Payment Method until the reason for the Administrative Non-Compliance has been remedied.
Moreover, if your business is not compliant you may be at risk of being charged a fee. Late fees range anywhere from $20 to $15,000/month, said Chilton, while a penalty fee can be as much as $50,000.
How do I become PCI DSS compliant?
If you choose to obtain compliance with help from Accel PCI, as ACTA recommends, go to www.accel-pci.com and register (available in both French and English). After receiving a confirmation email, you’ll need to complete the following steps:
1) Complete a survey that will determine your ‘Level’ of Compliance and SAQ (Self Assessment Questionnaire). Most agencies are either Level 2, 3 or 4 (a Level 1 agency has over 6 million transactions and is most likely a tour operator or airline). Level 2, 3 and 4 agencies must complete an SAQ.
2) Select the appropriate package. Once you determine your SAQ, the next step is to select the applicable package to activate your portal on Accel PCI. Each SAQ level corresponds to a different package; the one that is right for you will be the only one that’s clickable.
3) Review your company’s policies and procedures. This step requires a bit of work but with Accel PCI, you have access to templates that you can follow to make sure your agency has in place the appropriate PCI DSS policies. This evidence is then organized and kept in your portal, and is there for you to refer back to at any time.
4) Conduct employee training. Accel PCI offers e-learning training courses that are sent to your employees via email; upon completion, each employee will receive a certificate of PCI DSS compliance. Alternatively, employees can train in groups, after which they must sign an attendance sheet as evidence that they’ve been trained. This sheet must then be scanned and uploaded into your portal.
5) Complete your SAQ. Once your training is complete, you must now go into your SAQ and complete it. Depending on the level, an SAQ can include anywhere from 25 to hundreds of questions. A major benefit of working with Accel PCI is that it offers pre-filled SAQs that shave off time and cut through complicated terminology.
6) Submit your completed SAQ. Print out your completed SAQ, sign it, scan it and upload it back into your portal. You’re now ready to submit it by entering the email address of your acquirer (a financial institution that processes credit and debit cards on your behalf).
It’s important to note that submitting your SAQ is the only step required to confirm PCI DSS compliance to your acquirer. You do not need to submit any other documents or evidence at this time.
How often do I have to be compliant, and how much does it cost?
ACTA has secured a 20% discount for its members, and a 5% discount for non-members with Accel PCI. Fees are broken down into two steps: a flat fee to determine your SAQ level ($48 for ACTA members; $57 for non-members); and another fee for your corresponding package, which varies according to which SAQ you need to complete. Go to the ACTA member-only section on acta.ca to obtain the promotion code.
There is no fee to complete the SAQ if done on your own, through the PCI DSS website.
PCI DSS compliance (including employee training) must be done on an annual basis. Compliance is good for one year from the date you submit your SAQ.
How long will the whole process take?
Whether you’re level 2, 3 or 4 and whatever classification you fall under, it will take anywhere from 8-12 hours to complete the entire process. This does not have to be done in one sitting, as long as it’s completed before the March 1 deadline.
I’m a home-based agent working for a host agency. Do I need to be compliant?
According to James Bernard, project manager at Accel PCI, if you’re home-based and have a merchant ID and your own payment terminal, you need to be PCI DSS compliant and fill out an SAQ. If, on the other hand, you work under a consortium and are using that agency’s payment systems, then you fall under the compliance of that agency.
Once I become compliant, will I receive a certificate?
Going through the Accel PCI tool, once an agency has completed its SAQ, it will receive notification that their SAQ document has been verified and approved. It is recommended that the agency forward the final SAQ file to themselves to keep on file for when IATA, their acquirer or a supplier requests it.
As per the March 1 IATA deadline and the notice that they circulated, IATA-appointed agencies are “not required to submit any evidences of PCI DSS compliance at this stage and you will be advised by IATA when this evidence is required, including the applicable timeframe and the means of its submission.”
Why should I use Accel PCI?
“ACTA knows full well how painful of a process becoming compliant can be. Before becoming aware of the Accel PCI tool, and even with our growing knowledge with what’s required, we spent a significant amount of time on just determining what SAQ ACTA had to complete,” said Craig-Peddie. “This is the very reason why we knew we had to make things easier for our members.”
Added Bernard: “You can call your acquirer who can help determine your SAQ because ultimately they’re the ones who’ll have the last say on what level you are. But this can be time-consuming, especially if you have multiple acquirers. What Accel PCI offers you is a questionnaire that guides you towards your SAQ. The site also has an informative video about filling out an SAQ that simplifies the whole process.”