We've been participating in some travel-oriented events lately, and we were surprised at how many visitors lined up to speak to us about how to become PCI compliant.
We suppose that some organizations handle so much payment card information daily that they may lose sight of the risks involved. Certainly those in hospitality, with publicized breaches appearing in the media, don't fall into that category: they're well aware that they need to be PCI compliant, or face some heavy penalties and a damaged reputation.
Until very recently, only larger technology companies in the travel industry supply channel have been required to have their systems validated by acquirers in accordance with PCI DSS guidelines. With Visa's recent announcement, from January 2017 even small OTAs, Channel Managers and Booking Engines will be affected. This means that a company without an accredited solution in place should start planning one immediately.
Channel Managers play an important intermediary role in the supply chain. They continuously receive payment card data from multiple Online Travel Agencies through an automated process using push and pull methodologies.
Hotels, payment providers, commercial sales operations and call centres that receive credit card data via fax can immediately be removed from PCI scope by the implementation of the Interfax PCI inbound fax service. Available online, the service can be set up in just a few minutes.
In an interview with the Information Security Media Group on Monday (December 1st), Nathalie Reinelt warned that merchants and other payment processors will still have significant security risks to contend with following the adoption of the EMV (Europay, MasterCard and Visa) standard, which the federal government has committed to speed up over the next few months.
Despite their nature as top targets for hackers, the hospitality and healthcare sectors are among the world's most laggardly when it comes to cyber security awareness.