1. What is PCI compliance?
The Payment Card Industry Data Security Standard (PCI DSS) is a set of security requirements maintained by the PCI Security Standards Council (PCI SSC) and designed to protect payment card data. It is organised into 12 top-level requirements, each of which comes with its own in-depth sub-requirements for implementation; you can read about them in the latest version of the PCI DSS.
2. Assign PCI ownership
As mentioned previously, achieving and maintaining compliance isn't a trivial process: it requires time, effort and consideration. When deciding who should be in charge of PCI compliance, we'd recommend a program owner who is able to work across your business at a senior level, with board support.
The vast majority of travel agents are considered level 4 merchants (based on the volume of transactions). The levels below are Visa's; the other card brands define similar tiers, and your acquirer will tell you which level they hold you to:
Level 1: Merchants processing more than six million Visa transactions annually via all channels, or global merchants identified as level 1 by any Visa region.
Level 2: Merchants processing one million to six million Visa transactions annually via all channels.
Level 3: Merchants processing 20,000 to one million Visa eCommerce transactions annually.
Level 4: eCommerce merchants only – merchants processing fewer than 20,000 Visa eCommerce transactions annually. Non-eCommerce merchants – merchants processing up to one million Visa transactions annually.
A level 4 merchant would normally need to complete a SAQ (Self-Assessment Questionnaire) rather than undergo an on-site assessment. The purpose of the SAQ is to assist merchants in self-evaluating their compliance with PCI DSS. Which SAQ applies depends on how you accept and handle card data: for example, a merchant whose e-commerce payments are fully outsourced to a validated third party answers a much shorter questionnaire than one that stores cardholder data on its own systems, so confirm the correct SAQ type with your acquirer before starting. Completing the assessment requires focus, and so it should be coordinated by a single person within the organisation.
3. Choose a QSA partner
A QSA (Qualified Security Assessor) is a designation conferred by the PCI Security Standards Council on individuals who meet specific information security education requirements, have taken the appropriate training from the PCI Security Standards Council, are employees of a Qualified Security Assessor Company (QSAC), a PCI-approved security and auditing firm, and will be performing PCI compliance assessments relating to the protection of credit card data.
The term QSA is used both for an individual qualified to perform payment card industry compliance assessments and consulting, and for the firm itself. QSA companies are sometimes differentiated from QSA individuals by the initialism 'QSAC'.
Ideally, you will find a QSA company that you can partner with, trust and rely on for support. Choosing a QSA partner against a clear set of criteria, rather than on price alone, will help to ensure that your compliance journey is successful and as painless as possible.
4. Only store cardholder data if necessary
If you don't need it, don't store it.
Retaining unprotected cardholder data is risky and could end up being very expensive if your business falls victim to a breach. Cyber criminals tend to be focused and skilled, and unprotected cardholder data is their ideal target because it is easy to convert into cash.
If you're unsure whether you're storing card details, we'd advise using cardholder data discovery software to seek out cardholder data wherever it is stored, including places you would not expect, such as log files, support tickets and mailboxes. Once you know where it is, you can decide whether you need it or not.
If you don't need it, securely delete it!
If you do need it, then you need to make sure you're protecting it appropriately.
5. Build an Incident Response Plan
The key to mitigating damage following a breach is preparation. Creating and implementing an Incident Response Plan helps an organisation work through the scenarios that could result in its data being exposed. Making sure that the Incident Response Plan actually works is also very important: stress-testing it, as you would a fire alarm, is essential in helping your team to understand what to do in the case of a suspected data breach.
If you’re having trouble putting together a plan, you can utilise free online tools such as our own incident response guide.
Dealing with an incident is a challenging, high-pressure situation and having a structured plan in place will bring a degree of order to what otherwise might be a chaotic period of time.
It's important to understand that every company's incident response plan will be unique. It needs to be tailored to the operational requirements of your business, and to any notification obligations to your acquirer and the card brands, to ensure that the plan will work when it is needed.
PCI compliance can be a challenge, but it's a challenge worth dealing with as soon as possible to ensure your business is not put at risk by cyber criminals.
We are currently running a scheme to help travel agencies obtain PCI Compliance. You can read more about the industry specific services we are offering in our blog post, or click here to be taken straight to the sign up page.