As Iata demands compliance with payments standards and with new EU data rules due to come in, there are affordable ways for small agents to protect themselves, says Geoff Milton of ShieldQ
Members of the International Air Transport Association (Iata) are still up in arms, and admittedly perplexed, at the organisation’s early 2017 ruling that, in order to maintain membership as accredited agents, they must comply with the Payment Card Industry Data Security Standard (PCI DSS).
Originally, the due date was June. The industry, taken aback at the short notice, was at a loss: it had neither the time nor the resources to become compliant so quickly.
Of course, such a process takes a long time. Iata relented, pushing the deadline to March 2018.
It may offer some breathing space, but still confuses many as Iata hasn’t yet fully defined what they themselves mean by compliance.
Typically, business travel companies can complete a self-assessment questionnaire, but according to Iata’s website, an Attestation of Compliance (AOC) completed by a Qualified Security Assessor (QSA) is preferred.
Unfortunately, the cost of a QSA can reach tens of thousands of pounds; something that most smaller companies simply cannot afford.
Many small business travel companies fear they won’t ever be able to achieve PCI compliance. They operate on much tighter margins and can’t afford expensive consultants.
They also typically don’t keep IT people on permanent staff, which is difficult as PCI DSS requires maintaining a secure network, updating anti-virus software and regularly testing security systems, to name a few.
Moreover, such organisations, which generally receive communications by telephone, text file downloads, fax and email, likely do not accept, process, store or transmit sensitive data securely.
To do so would require heavy investment, and a long process toward compliance.
There is a real fear that Iata’s ruling could spur a flurry of market consolidation with many smaller agents, unable to cope with PCI DSS requirements, being absorbed into larger corporations.
Before taking such dire measures, however, smaller travel companies can look at new, affordable and easily implemented approaches to achieve compliance.
Outsource to enforce your PCI compliance
PCI DSS compliance needn’t be expensive and time-consuming. Outsourced tokenisation solutions can significantly speed up the entire process at a fraction of the cost of hiring experts and regularly maintaining the network.
They can also ensure a travel company is 100% PCI DSS-compliant and provide the proof of accreditation that Iata requires.
Cloud-based, PCI DSS-compliant document management and storage services would also be the way to go: no IT staff required, no software to install.
Such solutions let users securely receive, store and transmit documents containing sensitive data, including passports and images of payment card details.
Any and all material containing payment card or personally identifiable information (PII) – whether sent via email or fax – is received and processed before being stored within a secure, PCI DSS-compliant environment.
Think how much easier it is to store sensitive information in such an environment, instead of in a paper folder which is unsecured and prone to loss or misplacement.
Similarly, if sensitive documents need to be sent to another location, such as a hotel, it can be done using a PCI DSS-compliant fax service.
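To make the tokenisation idea concrete, here is an added illustration (not ShieldQ’s, Iata’s or any provider’s code) of what the outsourced model changes for a small agent: the card number is handed to the provider’s vault, and the agent’s own booking record keeps only a random token and a masked display string. The vault class stands in for the provider, and the card numbers are the standard Luhn-valid test values used in payment test suites, not real cards.

```python
import re
import secrets

# Constructed sample input: industry-standard test PANs, not real cards.
SAMPLE_PANS = ["4111 1111 1111 1111", "5500000000000004"]


def luhn_valid(pan: str) -> bool:
    """Return True if the digit string passes the Luhn checksum."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Display form permitted by PCI DSS: at most the last four digits visible."""
    return "*" * (len(pan) - 4) + pan[-4:]


class TokenVault:
    """Stand-in for the outsourced tokenisation provider (hypothetical).

    The full PAN lives only inside this object; the agent's systems
    never store it, which is what takes them out of PCI DSS scope.
    """

    def __init__(self) -> None:
        self._store: dict[str, str] = {}

    def tokenise(self, raw_pan: str) -> str:
        pan = re.sub(r"\D", "", raw_pan)
        if not (13 <= len(pan) <= 19 and luhn_valid(pan)):
            raise ValueError("not a valid card number")
        # Token is random, not derived from the PAN, so it reveals nothing.
        token = "tok_" + secrets.token_urlsafe(24)
        self._store[token] = pan
        return token

    def detokenise(self, token: str) -> str:
        """Only the provider (e.g. when charging the card) can do this."""
        return self._store[token]


def record_booking(vault: TokenVault, customer: str, raw_pan: str) -> dict:
    """What the agent's own booking system keeps: token and masked PAN only."""
    token = vault.tokenise(raw_pan)
    digits = re.sub(r"\D", "", raw_pan)
    return {
        "customer": customer,
        "card_token": token,
        "card_display": mask_pan(digits),
    }


def contains_pan(record: dict) -> bool:
    """Scope check: does any stored field still hold a Luhn-valid card number?"""
    text = " ".join(str(v) for v in record.values())
    return any(luhn_valid(m.group()) for m in re.finditer(r"\d{13,19}", text))


if __name__ == "__main__":
    vault = TokenVault()
    for pan in SAMPLE_PANS:
        rec = record_booking(vault, "Example Traveller", pan)
        print(rec, "| PAN present in record:", contains_pan(rec))
```

The `contains_pan` check is the kind of test a small agent can run over exported records or inbox attachments to confirm that card data really is staying with the provider rather than leaking into spreadsheets and email.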
For too long, there’s been complacency, perhaps even a misguided belief, that a data breach won’t happen.
But it only takes one incident for an organisation’s reputation to be damaged, not to mention the considerable financial loss in terms of fines and lost revenue.
Similarly, in light of the impending EU General Data Protection Regulation (GDPR), organisations worldwide will need to be extremely vigilant with EU citizens’ PII and cardholder data; any such information must be well protected against any data breach.
Rather than deny that there’s a problem that needs to be solved, Iata members – and of course, anyone dealing with payment card and PII – need to take action. After all, it’s only your business that’s on the line.