PCI Compliance in the Travel Industry (2018)

The Travel industry is considered a high-risk sector

For many online travel agencies, 2018 will be an year of digital revolution as security is becoming a strictly regulated key player. According to Verizon, more than 38% of all major security breaches happen within the travel and hospitality sector, and there has been little to no improvement in this direction during the last years.

However, the time has come for a change. As a high-risk sector with multiple points of vulnerability towards data theft and breaches, the Travel Industry will have to stop relying on self-assessments, and move towards a sustainable and safe solution.

PCI Compliance will be obligatory from 2018

If you are not familiar with PCI-DSS Compliance, it is a set of security regulations and policies designed by the biggest credit card companies to protect cardholder data. According to the guidelines, all entities involved in the processing of payment information are obligated to be PCI Compliant.

However, if many travel agents and other companies did not take these regulations seriously until this point, the times are changing. As of 2018, huge organizations like IATA, the International Air Transport Association, are enforcing the PCI standard on its accredited members as a part of a new, more secure system.

Additionally, the European Parliament will be introducing changes to the European law, making data breaches and theft much more costly. In fact, it is rumoured that penalties will be fixed at a minimum of 2% of the total revenues for a breach, with the possibility for rising up to 5%

IATA is enforcing the PCI standard on all its 278 members

IATA, the International Air Transport Association, which represents 278 airlines in 117 countries or 83% of the total air traffic, is now requiring the PCI Compliance from all its accredited members.

This mandate comes with the introduction of a new electronic billing system for facilitating the flow of data and funds which will replace the current Billing and Settlement Plan (BSP). The BSP was implemented back in 1971, and nowadays it processes more than $219 billion per year.

However, as the current BSP system has become rather outdated with the rise of digital payments, IATA has been working on NewGen ISS, a new system for delivering faster and safer financial settlement services. Before its implementation in March 2018, the association has demanded that all members comply with the security standards PCI-DSS. Failing to do so will result in losing their accreditation as an IATA agent in all certified locations under the Passenger Sales Agency Rules.

Achieving PCI Compliance on time

With the tightening of security regulations for data protection in 2018, travel agents who are not yet complying with PCI-DSS will have a hard time on the horizon.

Thankfully, if you are a travel agent, channel manager, booking engine, or any travel-related entity that processes payment data, you are still on time to obtain PCI-DSS compliance in order to assure the protection of any private cardholder information. Here are the options you have:

• In-house development - this solution involves obtaining the PCI Compliance certification using internal resources with the help of a Qualified Security Assessor (QSA). However, especially for smaller travel agencies who don't have the necessary financial or human resources, it can result rather expensive and time-consuming. In many cases, PCI-DSS can take up to 2 years to achieve, and it demands an ongoing internal resources on a daily basis for its maintenance.

• Third-party integration - involves contracting the services of a third-party that offers cloud-based payment services and an API infrastructure that ensures that no data is stored in an unsafe way. It uses strong security methods such as tokenization, a process that converts credit card numbers into randomly-generated, undecipherable values called tokens. A third-party PCI solution is usually the preferred alternative for many companies, as it´s usually much more economic and less time-consuming. If you are still not meeting the security standards, we recommend this option as it allows you to achieve compliance on time for the new regulations.

Without any doubt, PCI-DSS is not only a key player in implementing best practices for cardholder data protection, but it helps you strengthen your authority and reputation as a brand. After all, gaining your customers' trust is the most important step towards establishing successful long-term relationships