The latest thinking from Eckoh

Travel agents: How to book your PCI DSS journey the easy way
Monday, 22 January 2018

Travel agents are being forced to embark on a vital journey — to PCI DSS compliance. But the question is: Do you want a first-class experience or a risky, white-knuckle ride?


As we explained in our recent blog, IATA travel agents need to be compliant with Payment Card Industry Data Security Standards (PCI DSS) in the way they store, process and transmit people's payment card data. The International Air Transport Association (IATA) has set March this year as the deadline — so time is running out fast.

But the journey to PCI DSS compliance isn't obvious: There's a confusing array of suggested routes and seemingly-knowledgeable guides offering to help. So, which is the best approach?

Setting the right course

If we go travelling, there's usually an easy way — or a hard way. We can take a comfortable jet, stay in smart hotels and laze by the pool. Alternatively, we could walk for miles on muddy tracks in tropical rainstorms, sleep in the open and hitch rides on passing carts.

Now the second scenario may seem authentic — and character building — but that's no comfort if the very survival of your business hangs in the balance.

Put simply, the journey to PCI DSS for travel agents can be monumentally tricky if you try to get there under your own steam — even with so-called guides pitching in at various moments. Think about traversing the ice roads of Alaska, the Sichuan-Tibet highway or crocodile-infested swamps — and you get the picture.

Here are five particular hazards that travel agents can encounter if they attempt to achieve PCI DSS compliance for themselves:

Hazard #1: Time, cost and distraction

You’ve probably already locked down processes for handling card payments on the web or via point-of-sale. Now, however, it’s time to make sure your payments over the phone are secure, especially when they involve ‘Card-Not-Present’ payments. You must ensure your network and systems are secure, implement strong access controls and maintain a range of policies, tests and monitoring. This can be massively demanding on your resources.

Hazard #2: People perils

PCI DSS is about more than stopping hackers. You can’t assume that the threat of a data breach or fraud is just from outside your organization. Figures show that the majority of fraud happens within the contact center.

Hazard #3: Customers demanding new channels

Your PCI DSS compliance must be flexible enough to allow for growing service level expectations among your customers. There are more instant and convenient channels that include Web Chat payments, Self-Service payments and Apple Pay over the phone.

Hazard #4: Increasing threats

Eckoh’s own research shows that contact centers are using multiple methods to achieve compliance. While this may help them achieve compliance, it doesn’t make it easy for them to maintain it. Multiple systems mean more cost and more time. They also mean that sensitive payment card data remains in your environment – potentially to be misused. For a long time Eckoh has advocated de-scoping of a contact center to avoid the risk.

Hazard #5: Discovering it didn't work

Verizon's 2015 PCI Compliance report found that fewer than one third of companies were still fully compliant less than a year later[1]. Compliance is not a ‘check and forget’ exercise. You need to embed processes and the right culture into every aspect of your organization to make sure you are PCI DSS compliant every minute of every day. Have you considered outsourcing your contact center to de-scope it entirely from PCI DSS scope?

Taking the easy route

The far easier path to PCI DSS compliance is by finding the right PCI DSS partner who can do it all for you. You simply pass the compliance headache to them, while you focus on your core business.

It's a bit like trusting an experienced travel agency with an important trip — someone who knows every inch of the globe and all the issues that make the difference — rather than 'winging it' and hoping for the best.

In fact, it's even possible to prevent sensitive cardholder data from entering your systems altogether, so even though criminals are becoming more clever, if there's no data in your systems there is nothing to steal.

For deeper insight, why not download your free copy of our guide to Rising CNP Crime in Contact Centers or our Definitive Guide to PCI DSS compliance? You'll discover everything you wanted to know about secure payments and how they can work for you.

If you'd like to know more about secure payment or customer engagement then give us a call on 866 258 9297 or drop us an email.

[1] Companies investigated by Verizon's forensics team from 2005-2015 following a breach.

About the Author

Claire Lynam


Marketing Manager

Claire is a senior marketing, communications and PR professional with proven success in making the complex simple. Claire has transformed external, corporate and internal communications, content, PR, media relations, design, digital, brand awareness and marketing for professional services, IT and other B2B sectors.
