
New Regulations for IATA Accredited Travel Agents

July 19, 2017

IATA's BSP card sales channel is now PCI DSS compliant and accredited travel agents must be compliant by March 2018. Learn more about new IATA regulations here.

BSP (Billing and Settlement Plan) is a worldwide system used to manage finances and cash flow between BSP airlines and IATA accredited passenger sales agents. In response to demands from BSP airlines, IATA has made its BSP card sales channel PCI DSS compliant. As a result of these changes, IATA accredited travel agents need to become PCI DSS compliant by March 2018.

IATA accreditation is highly beneficial for travel agents. It gives agents access to 250 IATA member airlines and authorizes them to sell tickets on the airlines' behalf. IATA accreditation also gives travel agents unique identifiers, the ability to feature the IATA logo and branding, and access to BSP.

If you are already IATA accredited, or you are interested in getting IATA accreditation, there are a few steps you will need to take to achieve PCI DSS compliance.

What is PCI DSS?

PCI DSS is a global security standard designed to keep payment card information safe from fraud or theft. The standard is managed by the Payment Card Industry (PCI) Security Standards Council. The council was started by the major payment card brands MasterCard, American Express, Discover Financial Services, JCB International, and Visa Inc. The PCI Security Standards Council serves merchants, financial institutions, POS vendors, and hardware/software developers that provide payment processing infrastructure.

Why is it important to be PCI DSS compliant?

Security is a major issue for anyone involved with payment card information. In order for customers to trust you, as a travel agent, you must have strict security measures in place. The payment information that a travel agent processes is sensitive and vulnerable to theft. Due to this, PCI DSS compliance is mandatory.

Becoming PCI DSS compliant is the only way you can assure customers that their cardholder data is completely secure. Without compliance, there are many liabilities a travel agent could face. In the case of information theft or a security breach, a business will lose credibility, which will negatively affect sales. Customers will lose confidence in the business and turn to competitors. In addition, businesses may face fines and penalties, and even lose the ability to accept payments. As you can see, PCI DSS compliance is crucial to running a successful business.

How can a travel agent become PCI DSS compliant?

There are a number of steps involved in becoming PCI DSS compliant. The IATA recommends that travel agents either become self-compliant or work with a PCI DSS compliant acquiring bank or PSP. Becoming self-compliant is a complicated, time-consuming and expensive process. In areas where acquiring banks are not PCI DSS compliant, working with a PCI DSS compliant PSP is by far the easiest and most convenient option.

You can become self-compliant by following these steps:

  • First, contact your merchant banks, or card payment brands, to find out the exact procedure required for your business to become PCI DSS compliant.
  • Assess the cardholder information that you are in possession of, as well as the business processes and IT used to process payments.
  • Identify any possible system vulnerabilities, and try to fix them.
  • Ensure you are not storing any cardholder data unless absolutely necessary.
  • A Qualified Security Assessor from the PCI Council must then perform an on-site assessment to make sure that your business meets their security standards, and the assessor creates a report. Depending on how many card transactions you handle, the report may involve a PCI DSS attestation of compliance (AOC) completed by the assessor, a PCI DSS self-assessment questionnaire, and/or results of a quarterly vulnerability scan.
  • This report should be submitted to the IATA to show that your travel agency complies with the PCI DSS.

However, working with a PCI DSS compliant PSP is much simpler.

The easy & secure way – working with a PCI DSS compliant PSP

If you use a PCI DSS certified PSP such as Direct Pay Online for processing card payments, the PSP is responsible for complying with PCI DSS on your behalf. As long as you are not storing cardholder information on-site, all you have to do is fill out a self-assessment questionnaire to confirm that your business is compliant, and submit it to the IATA. This is far easier than being in contact with various acquiring banks and card payment brands. Furthermore, PSPs like Direct Pay Online provide further benefits – such as being able to accept multiple payment methods, including both local and international credit cards.

PCI DSS compliance is becoming compulsory for IATA accredited travel agents working with BSP airlines. Contact us at Direct Pay Online, today, to meet these requirements with ease and convenience.
