PCI compliance is no easy feat. It can be a challenge to obtain, but it results in lasting consumer trust and the peace of mind of knowing that customer data is protected. It needs to be approached with a long-term strategy in mind.
In this article, we outline 5 steps you can take to help your travel agency achieve PCI compliance.
1. What is PCI compliance?
The Payment Card Industry Data Security Standard (PCI DSS) is a set of rules outlined by the PCI Security Standards Council (PCI SSC), designed to protect payment card information. There are 12 requirements, set out simply here:
- Install and maintain a firewall configuration to protect cardholder data
- Do not use vendor-supplied defaults for system passwords and other security parameters
- Protect stored cardholder data
- Encrypt transmission of cardholder data across open, public networks
- Protect all systems against malware and regularly update antivirus software or programs
- Develop and maintain secure systems and applications
- Restrict access to cardholder data by 'business need to know'
- Identify and authenticate access to system components
- Restrict physical access to cardholder data
- Track and monitor all access to network resources and cardholder data
- Regularly test security systems and processes
- Maintain a policy that addresses information security for all personnel
Each requirement comes with its own in-depth sub-requirements for implementation, which you can read about in the latest version of the PCI DSS.
2. Assign PCI ownership
As mentioned previously, achieving and maintaining compliance isn't a trivial process; it requires time, effort and consideration. When considering who exactly should be in charge of PCI compliance, we'd recommend a programme owner who has the ability to work across your business at a senior level, with board support.
The vast majority of travel agents are considered level 4 merchants (based on the volume of transactions). The different levels are as follows:
Level 1: Merchants processing more than six million Visa transactions annually via all channels or global merchants identified as level one by any Visa region.
Level 2: Merchants processing one million to six million Visa transactions annually via all channels.
Level 3: Merchants processing 20,000 to one million Visa eCommerce transactions annually.
Level 4: eCommerce merchants processing fewer than 20,000 Visa eCommerce transactions annually, and non-eCommerce merchants processing up to one million Visa transactions annually.
A level 4 merchant would need to complete a SAQ (Self-Assessment Questionnaire). The purpose of the SAQ is to assist merchants in self-evaluating their compliance with PCI DSS. Completing the assessment requires focus and so should be handled by a single person within the organisation.
3. Engage with a reputable QSA (Qualified Security Assessor)
A QSA is a designation conferred by the PCI Security Standards Council on individuals who meet specific information security education requirements, have taken the appropriate training from the PCI Security Standards Council, are employees of a PCI security and auditing firm approved as a Qualified Security Assessor Company (QSAC), and will be performing PCI compliance assessments as they relate to the protection of credit card data.
The term QSA can refer either to an individual qualified to perform payment card industry compliance assessments and consulting, or to the firm itself. QSA companies are sometimes differentiated from QSA individuals by the initialism 'QSAC'.
Ideally, you will find a QSA company that you can partner with, trust and rely on for support. These are the typical criteria used to choose a QSA partner:
- Experience - does the QSA company have experience in your line of business?
- Is the QSA company listed on the PCI SSC list of QSA companies?
- Customer references - do your due diligence.
- Regional laws and regulations - an understanding of local laws will help you navigate the privacy law and compliance overlaps.
These points will ensure that your compliance journey will be successful and as painless as possible.
4. Only store cardholder data if necessary
If you don't need it, don't store it.
Retaining unencrypted cardholder data is risky and could end up being very expensive if your business falls victim to a breach. Cyber criminals tend to be very focused and skilled, and unprotected cardholder data is their ideal target because it is easy to convert into cash.
If you're unsure whether you're storing card details, we'd advise using Cardholder Data Discovery software to seek out cardholder data wherever it is stored. Once you know where it is, you can decide whether you need it or not.
If you don't need it, securely delete it!
If you do need it, then you need to make sure you're protecting it appropriately.
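The discovery step above is usually done with a commercial tool, but the core of such a tool is small: look for runs of 13 to 19 digits (allowing the spaces or dashes people type into booking notes), discard anything that fails the Luhn check, and report only a masked value so the scan report itself does not become a new store of cardholder data. The script below is an added illustration of that logic, not code from this article or from any product it mentions; the file layout, the `SAMPLE_EXPORT` text and the card numbers in it are constructed (they are the widely published test numbers, not real cards).

```python
"""Minimal cardholder-data discovery scanner (illustrative example)."""
import os
import re
from dataclasses import dataclass
from typing import Iterable, List

# Candidate PAN: 13 to 19 digits, optionally separated by single spaces or
# dashes, with no digit immediately before or after the run.
PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


@dataclass
class Finding:
    source: str       # file path or label of the text that was scanned
    line_no: int
    masked_pan: str   # every digit except the last four is replaced by '*'
    brand_hint: str


def luhn_valid(digits: str) -> bool:
    """Return True if the digit string passes the Luhn (mod-10) checksum."""
    total = 0
    parity = len(digits) % 2
    for i, ch in enumerate(digits):
        d = int(ch)
        if i % 2 == parity:        # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def brand_hint(digits: str) -> str:
    """Coarse issuer hint from the leading digits, for triage only."""
    if digits.startswith("4"):
        return "visa"
    if digits[:2] in {"51", "52", "53", "54", "55"}:
        return "mastercard"
    if digits[:2] in {"34", "37"}:
        return "amex"
    return "unknown"


def mask(digits: str) -> str:
    """Keep only the last four digits so the report is safe to store."""
    return "*" * (len(digits) - 4) + digits[-4:]


def scan_text(source: str, lines: Iterable[str]) -> List[Finding]:
    """Scan an iterable of text lines and return Luhn-valid PAN findings."""
    findings: List[Finding] = []
    for line_no, line in enumerate(lines, start=1):
        for match in PAN_CANDIDATE.finditer(line):
            digits = re.sub(r"[ -]", "", match.group(0))
            if not 13 <= len(digits) <= 19:
                continue
            if not luhn_valid(digits):
                # Drops most booking references, timestamps and phone numbers.
                continue
            findings.append(Finding(source, line_no, mask(digits), brand_hint(digits)))
    return findings


def scan_directory(root: str) -> List[Finding]:
    """Walk a directory tree and scan every readable file as text."""
    results: List[Finding] = []
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                with open(path, "r", encoding="utf-8", errors="ignore") as fh:
                    results.extend(scan_text(path, fh))
            except OSError:
                continue   # unreadable file: skip rather than abort the scan
    return results


# Constructed sample of the kind of export a booking system might leave behind.
SAMPLE_EXPORT = """\
booking_ref=1234567890123456 customer=J Smith
card: 4111 1111 1111 1111 exp 12/27
exported_at=1700000000000
card: 5555-5555-5555-4444
note: card 4111111111111112 declined (typo)
"""

if __name__ == "__main__":
    for f in scan_text("sample_export.txt", SAMPLE_EXPORT.splitlines()):
        print(f"{f.source}:{f.line_no} {f.brand_hint} {f.masked_pan}")
```

Only lines 2 and 4 of the sample are reported: the booking reference and the millisecond timestamp are the right length but fail Luhn, and the mistyped number on line 5 fails it too. Two caveats a real scan needs: the regex can join two unrelated numbers separated by one space into a single candidate, so review findings rather than acting on them blindly, and plain-text scanning will not see PANs inside spreadsheets, databases or compressed archives, which a commercial discovery tool handles.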
5. Build an Incident Response Plan
The key to mitigating damage following a breach comes down to two things:
- How quickly you can detect the breach (the industry average is around 4 months to detect that a breach has taken place, which is a long time after the data is stolen).
- How quickly you react to prevent further damage.
Creating and implementing an Incident Response Plan helps an organisation work through the scenarios that could result in its data being exposed. Making sure that the Incident Response Plan actually works is also very important: stress testing it, like a fire alarm, is essential in helping your team understand what to do in the case of a suspected data breach.
If you’re having trouble putting together a plan, you can utilise free online tools such as our own incident response guide.
Dealing with an incident is a challenging, high-pressure situation and having a structured plan in place will bring a degree of order to what otherwise might be a chaotic period of time.
It's important to understand that every company's incident response plan will be unique. It needs to be tailored to the operational requirements of your business to ensure that the plan will work when it is needed.
PCI compliance can be a challenge, but it's a challenge worth dealing with as soon as possible to ensure your business is not put at risk by cyber criminals.
We are currently running a scheme to help travel agencies obtain PCI Compliance. You can read more about the industry specific services we are offering in our blog post, or click here to be taken straight to the sign up page.