Travel Agencies and the PCI DSS

This past week, the International Air Transport Association (IATA) announced that it will now require accredited travel agencies to comply with the requirements of the Payment Card Industry Data Security Standard (PCI DSS) in 2018. As the name implies, the requirements within the PCI DSS provide organizations with guidance on how to secure payment card data by implementing strong security policies, technologies, and processes. The standard applies to all businesses and organizations that accept and process payment cards and is governed by the PCI Security Standards Council (PCI SSC).

Travel companies that handle credit card payments have always had to comply with the PCI DSS. However, like many small merchants, smaller travel companies may not have heard of PCI or been held accountable for PCI compliance, due to their small volume of transactions or the numerous travel partners they leverage for payments. With the recent breaches the industry has faced, and the repeated, targeted attacks from global criminal organizations, the IATA has decided to face the problem head on and help facilitate and improve the security of its members.

By March 2018, agencies must be in compliance with the DSS or risk losing their IATA accreditation. The original due date was scheduled for this past June, but it was met with some heavy pushback from the industry, which cited short notice and limited resources to fully understand and implement the complexities of the DSS. Even so, March isn’t far away, and most travel companies are small and lack a fully staffed IT department and/or don’t have the budget to launch a full-blown compliance program implemented by a PCI-certified Qualified Security Assessor (QSA).

When Travel Agencies are Breached

Travel and hospitality groups are in a unique position when it comes to security, since a breach at one of these organizations can have a fan effect, exposing corporate and personal data from companies around the globe that have booked travel and hotel stays with them. This past summer, Sabre, a third-party reservations provider used by several large hotels and travel agencies, had its central booking system hacked. Hackers gained access to the personal information and payment data of customers who booked travel and hotel stays through Sabre’s reservation system. Affected customers included guests of Four Seasons Hotels and Resorts and Trump Hotels, as well as a number of Google employees, who had been booking corporate travel through a small travel agency that used the compromised system.

Customers choose to share very high-value personal information and payment data with the travel agencies and hospitality groups they trust, and hackers are finding ample opportunities to take advantage of this trust. By complying with a standard like the PCI DSS, companies in this industry are taking strides to protect customer data from malicious attackers through better security practices.

What Should Travel Agencies Do Next?

Complying with the PCI DSS can seem like a daunting task at first glance, especially for smaller merchants like travel agencies. While compliance is a serious undertaking, the PCI SSC has designed the DSS in a way that is feasible for both large and small businesses. We have a few tips that might help as you start down the path of PCI DSS compliance.

  • The PCI SSC is available to help. They have lots of useful guidance on how to get started, common payment systems, and questions to ask your third parties, all specifically for small merchants. You can check them out here.
  • Take a deep breath and take baby steps. PCI compliance can seem intimidating, but tackling it one step at a time will make it easier. First, just focus on understanding how payment data flows through your company. Start with a few simple questions:
    • How do you collect payment info? Via phone? Through a third party? Through your own website?
    • Who handles your payment card data?
    • Where does that data go after it’s collected? How is it transmitted?
    • Do you store the data? Where is it stored?

Once you have that data flow mapped out, you can start looking at next steps:

  • Check out PCI’s Self-Assessment Questionnaires (SAQs). The PCI SSC has designed a library of questionnaires for a variety of merchant and service provider environments. These questionnaires ask a series of yes-or-no questions that allow organizations to assess the state of their security on their own. They do require an attestation of compliance (AOC) at the end, but it’s a lot simpler than completing a full PCI assessment and a report on compliance (ROC).
  • Scoping properly is key to effectively managing PCI compliance. Making sure the right processes, technologies, and people are in scope from the get-go means your budget and resources are dedicated to the right areas and will save a lot of headaches down the road.
  • Talk to a PCI Qualified Security Assessor (QSA). If you’re a larger travel organization, consulting with a PCI QSA may be the way to go. Scoping for a large business can be a big challenge and assessing compliance will probably take more than an SAQ. PCI has a full list of certified QSAs on their website, or you can talk to one of our QSAs about an assessment.

The amount of personal information and payment card data the travel industry processes makes it a lucrative target for hackers and cyber criminals, and the collateral damage from one of these breaches can send shockwaves through several industries and countless enterprises. With these risks in mind, it’s an excellent time for the IATA to bring all of its affiliated organizations under one security standard.


For more guidance and tips on scoping your PCI assessment, please read Focal Point's Technical Guide to PCI DSS Scoping. You may also request a free consultation with a Focal Point expert by contacting us here.