Why travel agents are rushing to become PCI compliant
We've been participating in some travel-oriented events lately, and we were surprised at how many visitors lined up to speak to us about how to become PCI compliant.
Actually, we weren’t so much surprised as gratified to find that interest has grown so rapidly, because in the past we’ve seen a certain worrying complacency when it comes to the safety of customers' payment cards and personal information. We’d been used to hearing: it won't happen to us.
You may think that the push is coming from the recent Association of British Travel Agents’ data breach, which stemmed from a vulnerability in its third-party web developer/host’s web server.
But we have our own take on why this is happening, and where it’s coming from: the International Air Transport Association (IATA). According to Association of South African Travel Agents CEO Otto de Vries, IATA has sent out a communication stating that if current or potential agents want to be IATA accredited, they must become PCI compliant by June 1, 2017.
This requirement may very well be due to the deadline for PCI DSS Level 3.2 compliance; those who already comply with PCI DSS Level 3.2 will be considered to be adopting best practices, but only until January 31, 2018. Starting the very next day, the new standard will become effective as a requirement.
Those who want to comply must, of course, run through the self-assessment questionnaires, get Attestation of Compliance (AOC) forms and a Report on Compliance (ROC).
In our next post, we'll talk about PCI compliance and how some organizations may try to do it themselves -- with challenging results.