11 April 2017

IATA mandates that all members must be PCI compliant by March 2018

Airlines have demanded that IATA support their own internal compliance project by making the Billing and Settlement Plan (BSP) card sales channel PCI DSS compliant. BSP served approximately 400 participating airlines with $230.3 billion processed in 2015 alone (http://www.iata.org/services/finance/bsp). Therefore, IATA accredited travel agents are required to become PCI DSS compliant.

IATA are mandating that their members must achieve and maintain PCI DSS compliance as a condition of obtaining and retaining accreditation as an IATA Accredited Agent in all its Accredited locations under the Passenger Sales Agency Rules in Resolution 818g.

What is PCI?

The Payment Card Industry Data Security Standard (PCI DSS) is a set of information security standards that applies to all organisations which store, process or transmit Cardholder Data (CHD). PCI DSS applies regardless of an organisation's size or the number of transactions it processes, and was set up by the major card schemes, including Visa, Mastercard, American Express, Discover and JCB.

PCI DSS has four different merchant levels and various Self-Assessment Questionnaires (SAQs); the applicable questionnaire depends entirely on the payment channels which your organisation uses. IRM recommends that you seek advice and guidance from an industry recognised expert in order to fully understand the scope of your CHD, the applicable SAQ, your current gaps and your compliance roadmap.

When do I need to do it by?

IATA have mandated that all travel agents achieve PCI DSS compliance (at their respective levels) by March 2018. The resolution was originally effective from 1st June 2017; however, due to the complexity of PCI DSS compliance, the deadline has been pushed back. This has been a common theme with trade bodies enforcing unrealistic deadlines, as there is a need to grasp the level of business change required to achieve compliance. Failure to achieve compliance may result in removal from IATA and require time-consuming reapplication, during which trade with any IATA members will cease.

What do I need to do?

Embarking early on your PCI compliance journey is imperative. IRM’s experience of helping a wide range of organisations achieve compliance, including many in the travel and leisure sector, has shown that this can take a significant amount of effort, business change and time. With complex systems to consider, such as interfaces with Galileo, and many organisations in the travel sector still using full Primary Account Numbers (PANs), this won’t happen overnight. With the March 2018 deadline looming, starting this process now is highly recommended.

Becoming PCI Compliant

In order to become compliant you must identify the scope of your CHD environment: how you store, process or transmit CHD; card data flows, storage areas, physical locations and IT systems; an inventory of the IT assets and business processes involved in payment card processing; and the vulnerabilities to which that data is subject.

IRM has a four stage approach to help organisations become compliant. View the process here

With the knowledge of how CHD flows through your organisation you should eliminate any identified control gaps and remove any unnecessarily stored cardholder data – the less you hold, the less risk there is of data being stolen. IRM adopts a risk reduction method to identify quick wins through de-scoping as much as possible for our clients.
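A concrete illustration of the scoping and de-scoping steps described above, added here as an example and not part of IRM's own process or tooling: a small discovery routine that finds candidate PANs in text (log files, exports, ticketing records), confirms them with the Luhn check that card numbers must pass, and reports or redacts them in masked form. The sample log lines and the card numbers in them are constructed for illustration and use published test card numbers, not real accounts. A real discovery exercise would run the same logic across every store in scope (file shares, databases, mailboxes, backups); the function names here are the example's own.

```python
"""Locate candidate primary account numbers (PANs) in text, confirm them with the
Luhn check, and report or redact them masked to the first six and last four digits
(the maximum PCI DSS permits to be displayed).  Added example; sample data is constructed."""
from __future__ import annotations
import re

# A candidate is a run of 13-19 digits, optionally separated by single spaces or
# hyphens, that is not part of a longer digit string.
CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")

# Constructed sample of the kind of application log that often retains full PANs.
SAMPLE_LOG = """\
2017-04-11 10:02:13 booking=AB123 pan=4111111111111111 exp=12/19
2017-04-11 10:02:14 booking=AB124 pan=5555 5555 5555 4444 exp=03/20
2017-04-11 10:02:15 booking=AB125 ref=1234567890123456 status=ok
2017-04-11 10:02:16 booking=AB126 pan=378282246310005 exp=11/18
"""


def luhn_valid(digits: str) -> bool:
    """Return True if the digit string passes the Luhn (mod 10) check."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(digits: str) -> str:
    """Keep the first six and last four digits, mask the rest."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def _pan_digits(match_text: str) -> str | None:
    """Strip separators from a regex match and return the digits if it is a valid PAN."""
    digits = re.sub(r"[ -]", "", match_text)
    if 13 <= len(digits) <= 19 and luhn_valid(digits):
        return digits
    return None


def find_pans(text: str) -> list[dict]:
    """Report every Luhn-valid PAN in the text, masked, with its line number and length.
    Digit runs that fail Luhn (booking references, timestamps) are ignored."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), 1):
        for m in CANDIDATE.finditer(line):
            digits = _pan_digits(m.group())
            if digits is not None:
                findings.append({"line": line_no, "masked": mask_pan(digits),
                                 "length": len(digits)})
    return findings


def redact_pans(text: str) -> str:
    """Return the text with every Luhn-valid PAN replaced by its masked form,
    so the record can be kept without keeping full cardholder data."""
    def repl(m: re.Match) -> str:
        digits = _pan_digits(m.group())
        return mask_pan(digits) if digits is not None else m.group()
    return CANDIDATE.sub(repl, text)


if __name__ == "__main__":
    for f in find_pans(SAMPLE_LOG):
        print(f"line {f['line']}: {f['masked']} ({f['length']} digits)")
    print(redact_pans(SAMPLE_LOG))
```

Running the block against the constructed log reports three PANs (lines 1, 2 and 4) and leaves the 16-digit booking reference on line 3 alone because it fails the Luhn check. The redacted output is what a log should have looked like in the first place; where a store is found to hold full PANs with no business need, deleting the data is the simpler de-scoping step.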