Don’t Panic, But 1MAR Is Deadline For PCI-DSS Payment Compliance
Bruce Parkinson, Open Jaw
Effective 1MAR (that’s this Thursday), all Canadian travel agencies are required to be in compliance with PCI Security Standards around payment cards.
PCI DSS (Payment Card Industry Data Security Standard) is the security standard that governs the payment card industry. It is used by all major payment card brands, including Visa, MasterCard and American Express.
The standard was created back in 2006, as payment and credit card fraud rose to unprecedented levels. Initially, only the largest merchants processing millions of payments annually were affected, but as time has passed, the requirement has been filtering down to smaller companies.
IATA had originally set 1JUN 2017 as the compliance requirement date, but pushed it back to MAR 2018 following lobbying from ACTA. The agent association offers information on the requirements and the process here. More information can also be found on the website for the Security Standards Council.
Open Jaw spoke with payments compliance expert Annie Chouinard, who has nearly 30 years of experience in regulatory compliance, risk management, IT security and quality assurance of software and payment systems.
There were two key points Chouinard wished to emphasize: one, that it’s not the end of the world if agencies haven’t addressed the issue by the 1MAR deadline; and two, that the goal of PCI-DSS compliance is not a cash grab or regulatory burden, but an important move to protect cardholders, merchants and credit card companies from fraudulent transactions.
“The primary goal is to protect cardholder data throughout the payment chain, to secure the payment chain to help diminish fraud,” says Chouinard. “It’s to protect customers and to protect you from fraudsters, because you can be held responsible for not protecting information.”
Agencies can take the steps to ensure compliance on their own, but Chouinard says the process can be cumbersome and time-consuming. “Agencies have to find out what applies to them and write policies and procedures. And all staff members need to be trained.”
For those who prefer to focus on their core business of serving travel clients, Chouinard and others offer consulting services to ease and speed the compliance process. Chouinard is working with Proconform, which promises to “guide you through your efforts to become compliant, including any required yearly updates.”
Proconform offers a basic package “that will accommodate most agencies” for an initial fee of $300, after which the annual cost for management and updates is $250.
For those fees, the company will:
Write and perform annual updates to PCI policies and procedures
Perform the annual definition and revalidation of the scope of PCI
Establish and track quarterly, semi-annual and annual activities of PCI compliance
Provide online training courses for employees, updated annually
Perform annual updates including legal and regulatory changes required by the PCI-DSS standard and others
Carry out the annual preparation of the appropriate Self-Assessment Questionnaire and Attestation of Conformity
For agencies not compliant as of the 1MAR date, Chouinard says the process needs to begin, whether agencies choose to proceed on their own or engage assistance.
“When we are hired, we give customers a letter of engagement that includes the expected compliancy date, so it shows that the company is taking action. My advice is not to panic – you won’t go to jail or be fined for not being ready 1MAR, but there are risks that non-compliant agencies could be held responsible in the event of fraud, and that can be very costly.”
Chouinard says the security standard is important to protect everyone in the purchasing and payment process. “We need something to stop fraud. The reputation of the industry and individual companies can be put at risk. This is something that has to be done.”
Bruce Parkinson, Editor-in-Chief
An observer and analyst of the Canadian and international travel industries for over 25 years, Bruce uses the pre-dawn hours to prepare a daily news and information package to keep industry members up to date.