Travel agents are being forced to embark on a vital journey — to PCI DSS compliance. But the question is: Do you want a first-class experience or a risky, white-knuckle ride?
As we explained in our recent blog, IATA travel agents need to be compliant with the Payment Card Industry Data Security Standard (PCI DSS) in the way they store, process and transmit people's payment card data. The International Air Transport Association (IATA) has set March this year as the deadline — so time is running out fast.
But the journey to PCI DSS compliance isn't obvious: There's a confusing array of suggested routes and seemingly-knowledgeable guides offering to help. So, which is the best approach?
Setting the right course
If we go travelling, there's usually an easy way — or a hard way. We can take a comfortable jet, stay in smart hotels and laze by the pool. Alternatively, we could walk for miles on muddy tracks in tropical rainstorms, sleep in the open and hitch rides on passing carts.
Now the second scenario may seem authentic — and character building — but that's no comfort if the very survival of your business hangs in the balance.
Put simply, the journey to PCI DSS for travel agents can be monumentally tricky if you try to get there under your own steam — even with so-called guides pitching in at various moments. Think about traversing the ice roads of Alaska, the Sichuan-Tibet highway or crocodile-infested swamps — and you get the picture.
Here are five particular hazards that travel agents can encounter if they attempt to achieve PCI DSS compliance for themselves:
Hazard #1: Time, cost and distraction
You've probably already locked down processes for handling card payments on the web or via point-of-sale. Now, however, it's time to make sure your payments over the phone are secure, especially when they involve 'Card-Not-Present' payments. You must ensure your network and systems are secure, implement strong access controls and maintain a range of policies, tests and monitoring. This can be massively demanding on your resources.
Hazard #2: People perils
PCI DSS is about more than stopping hackers. You can’t assume that the threat of a data breach or fraud is just from outside your organization. Figures show that the majority of fraud happens within the contact center.
Hazard #3: Customers demanding new channels
Your PCI DSS compliance must be flexible enough to keep pace with the growing service-level expectations of your customers, who increasingly want more instant and convenient channels, including Web Chat payments, Self-Service payments and Apple Pay over the phone.
Hazard #4: Increasing threats
Eckoh's own research shows that contact centers are using multiple methods to achieve compliance. While this may help them achieve compliance, it doesn't make it easy for them to maintain it. Multiple systems mean more cost and more time. They also mean that sensitive payment card data remains in your environment – potentially to be misused. For a long time Eckoh has advocated de-scoping the contact center to avoid this risk.
Hazard #5: Discovering it didn't work
Verizon's 2015 PCI Compliance Report* found that fewer than one third of companies were still fully compliant less than a year later. Compliance is not a 'check and forget' exercise. You need to embed processes and the right culture into every aspect of your organization to make sure you are PCI DSS compliant every minute of every day. Have you considered outsourcing your contact center to take it out of PCI DSS scope entirely?
Taking the easy route
The far easier path to PCI DSS compliance is to find the right PCI DSS partner who can do it all for you. You simply pass the compliance headache to them, while you focus on your core business.
It's a bit like trusting an experienced travel agency with an important trip — someone who knows every inch of the globe and all the issues that make the difference — rather than 'winging it' and hoping for the best.
In fact, it's even possible to prevent sensitive cardholder data from entering your systems altogether. So, even though criminals are becoming cleverer, if there's no data in your systems there is nothing to steal.
For deeper insight, why not download your free copy of our guide to Rising CNP Crime in Contact Centers or our Definitive Guide to PCI DSS Compliance? You'll discover everything you wanted to know about secure payments and how they can work for you.
* Companies investigated by Verizon's forensics team from 2005-2015 following a breach.