01 March was D-Day for travel agents to become PCI-DSS compliant.
IATA has warned that failure by the Agent to provide IATA with the necessary evidence of PCI-DSS compliance will trigger the following non-compliance actions:
If your Travel Agent is currently located in a country governed by Resolution 818g, failure to comply with these requirements per IATA’s request will result in a Notice of Non-compliance being issued against the Agent and member Airlines will be notified. This notice will be in force until the country of the agent’s operation is migrated to New Gen ISS under Resolution 812 and will specify that Credit Card form of payment will be restricted for this Travel Agent unless the evidence is provided prior to the specified date. It should be noted that this action will not lead to suspension.
If your Travel Agent is located at a country governed by Resolution 812, failure to comply with these requirements per IATA’s request will result in an Administrative Non-Compliance and required the Agent to remedy the situation within 30 days of the notice. In case the Agent, has not demonstrated to IATA ́s satisfaction that the reason for the Administrative Non-Compliance has been remedied, IATA will:
- immediately restrict the Agent’s use of the Customer Card Payment Method; and
- such restriction will remain in place until the Agent has demonstrated to IATA’s satisfaction that the reason for the Administrative Non- Compliance has been remedied and the Agent is compliant with all applicable requirements for authorization to use the Customer Card Payment Method.
IATA has advised that PCI DSS Wizard Tool is now live
The TrustKeeper PCI Manager account is ready for use for those Travel Agents whose merchant level are one of the three defined below.
Level 2 – Any merchant — regardless of acceptance channel — processing between 1 million to 6 million total transactions annually (or 1 million to 6 million total BSP transactions)
Level 3 – Any merchant processing 20,000 to 1 million e-commerce card BSP transactions per year
Level 4 – Any merchant processing fewer than 20,000 e-commerce card BSP transactions per year, and all other merchants — regardless of acceptance channel — processing up to 1M card transactions per year
*Detailed merchant level definitions can be found at Visa and MasterCard.
If an Agency does not process credit card transactions, the Agency must submit through the IATA Customer Services portal.
It should be noted that upon completion of such declaration no further proof of compliance will be requested from your Agency, however Credit Card form of payment will be disabled for your Agency upon migration of your country of operation under NewGen environment and resolution 812.
You can register your TrustKeeper PCI Manager account by following the below link:
TrustKeeper PCI Manager will walk you through the steps that are right for your business type, making it easy for you to understand what needs to be addressed, how to find the solution, and easily check-off the task once it is complete.
The key features of TrustKeeper PCI Manager include:
- Recognised by the PCI Security Standards Council (PCI SSC)
Trustwave is recognised by the PCI Security Standards Council (PCI SSC) as a Qualified Security Assessor Company.
- Trusted Commerce Seal and Certification
After you have completed the streamlined compliance process, PCI Manager will facilitate reporting your compliance status back to IATA automatically on your behalf. You can view and download milestone progress reports, download a Certificate of Compliance as well as the PCI Attestation of Compliance. You can display the Trusted Commerce® seal on your website to showcase your compliance to visitors.
- Web Based Portal
The compliance process can be challenging. TrustKeeper PCI Manager is a secure, intuitive and easy to understand web-based portal designed to walk you through the compliance process step-by-step.
The portal is available in the following languages: English, Danske, Deutsch, English (UK), Español, Suomi, Français, Français (Canada), Íslenska, 日本語, Nederlands, Norsk, Polski, Português, Svenska, 简体 中文, 繁體中文
After you have created your username and password, we recommend bookmarking the URL: https://login.trustwave.com
- Hassle free
TrustKeeper PCI Manager takes the SAQ completion process complexity away from you by providing simple questions that guide you into completion of the correct SAQ type applicable to your business.
- Online Security Awareness training
TrustKeeper PCI Manager provides you with basic courses about PCI DSS so you will feel confident with the matter.
Trustwave’s team of seasoned compliance support analysts is available 24 hours, 7 days a week, 365 days of the year. For assistance, contact Trustwave by email at firstname.lastname@example.org or by calling the following number in South Africa: 800 981 295.
- Express Renewal
PCI DSS validation is required annually. All Travel Agents, must warranty continued compliance with PCI DSS, therefore an express renewal feature will help you to easily comply with this requirement, if no significant changes have occurred since the previous assessment.
As already pointed out, the utilisation of the tool to obtain PCI certification is not free of charge, service descriptions along with pricing can be found on the IATA PCI DSS Certification Program page. Also, this tool is just an alternative way for your Agency to obtain PCI DSS certification. IATA will accept the evidence of compliance as long as it is properly certified by the eligible partner of PCI Security Standards Council, depending on the level of compliance that your Agency falls into.
Last but not least, IATA would like to remind you that there is a dedicated PCI DSS webpage to help you understand the importance of this requirement for your business, guide you through the first steps that you will need to take and indicate the evidences that will be accepted by IATA to indicate compliance:
For support in regard to any enquiry, please contact IATA via the Customer Portal. These queries will be handled with the highest priority.