compliance

PCI DSS compliance – Don’t fear it, but don’t ignore it!

We don’t need to tell you that the risk of fraud associated with payment card transactions and potential data breaches has been rife over the past few years.

To ensure safer transactions, IATA is expecting Accredited Travel Agents operating within the BSP to be compliant with the Payment Card Industry (PCI) and the Data Security Standard (DSS).

Effective 1 June 2017, PCI DSS compliance will even be a mandatory condition to obtain and retain accreditation as an IATA Accredited Agent under the Passenger Sales Agency Rules in Resolution 818g. 

Important to note that this requirement has not emerged out of the blue. For many years, ASATA has been including a notification on this in its membership renewal documentation

In the interim, ASATA is working with the WTAAA and IATA to ascertain exactly what IATA’s requirements are with regards to PCI DSS and will make every effort to assist our members in their efforts to be compliant. 

WHAT IS PCI DSS 

Credit card companies have compiled the PCI Data Security Standard to enhance payment card security. All entities that store, process and transmit payment card data are required to adhere to PCI security standards, which are the technical and operational conditions to preserve payment card security.

WHAT TRAVEL AGENTS SHOULD KNOW

We understand that the PCI DSS compliance process may in some cases be complex. Depending on the nature and the size of your business, the process can vary. 

Our advice would be as an initial step: 

Approach your financial institution if you are a merchant and process transactions through your local Point of Sale (POS).

If you are not a merchant and only process credit card transactions through the GDS (the airline’s merchant), we suggest that you contact every credit card brand that you are working with individually, in order to find out the compliance process applicable to your agency.

For more information to help you understand the importance of PCI DSS compliance for your business and guide you through the first steps that you will need to take, please visit the dedicated PCI DSS website: www.iata.org/pci-dss

visa europe

Don’t neglect visa advice!

Did you know that half of South African travellers say the reason they choose to book their holidays through a travel agent is because they want expert advice on visa requirements? This is according to the recently conducted ASATA leisure traveller survey, which was published in The 21st Century Travel Agent.

And who can blame them? Visa requirements are confusing even for the most professionally trained travel consultant.

In the past few months, we’ve seen New Zealand announcing that South Africans would once again need visas. Russia has hinted in the media that visa-free travel might soon be on the cards, leaving travellers wondering if they actually still need to apply for a visa to travel to St Petersburg or Moscow.

Also South African’s own local requirements still have travellers baffled and confused. Do they still need an Unabridged Birth Certificate when travelling with children, or has this been abolished?

They feel they can’t trust the media for accurate information, as so many ‘fake visa’ stories have been doing the rounds. The most recent being a fake news article promising South African travellers that they will be able to travel to the United States without visas.

As trusted travel advisors, it is crucial that ASATA travel agents showcase their value to the consumer on important matters such as visas, helping their clients with accurate and up-to-date information.

“We must look at all the services that a traveller is going to need and deliver an end-to-end solution, including ancillary services such as visa services. Act as a professional business and not bring everything down to cost,” HRG Rennies Travel MD Bronwyn Phillips said in The 21st Century Travel Agent.

Informing travellers that visas may be required is stipulated in the ASATA code of conduct where it is reasonably practical to do so. Although the responsibility of obtaining visas ultimately lies with the client, ASATA travel agents can assist clients by providing them with relevant visa information as well as time frames clients need to keep in mind to obtain their visas in time for travel.

Advise your clients: South Africans still need visas for the US!

South African passport holders still require a visa for travel to the United States, the US Consulate in Johannesburg has confirmed.

A hoax news article, which is spreading rapidly on social media, states that President Donald Trump has wavered visa requirements for South Africans travelling to the US to ‘strengthen ties between the US and South Africa’.

“This is a fake report: nothing has changed in terms of visa requirements for South Africans travelling to the United States,” a spokesperson for the US Consulate told ASATA.

The fake news website where the article was originally published ‘www.USA-Television.com’ also states that Mauritius was shamed as the most unfriendly country in the world by the World Tourism Organisation and that Ethiopia has banned all marriages until 2018. Needless to say, neither of these articles is true.

Numerous ‘fake’ news articles have circulated over the past few months. The South African National Editors’ Forum (Sanef) last year even issued an alert to readers to beware “an alarming trend by fake news websites to publish inaccurate information under the guise of news”.

Travel agents are advised to consult TIMATIC if they have any doubts with regards to the truthfulness of visa reports. TIMATIC will assist travel agents will the latest up-to-date passport and visa information.

There are also certain telltale signs that news reports are fake. Head of policy at Media Monitoring Africa Thandi Smith was recently quoted in Huffington Post South Africa as saying there are 5 signs that people should be on the look-out for.

1) Check the URL and make sure it is in line with the news page or media house. A fake news site can sometimes have a number in it instead of letters to create confusion.

2) Check the spelling of the account name. Although it might look legitimate, the accounts are often not spelled correctly, or have alternative spellings.

3) A genuine article will usually have sources and people that you can research. Google the names. A fake news site will have anonymous sources.

4) Reputable media houses will have credible adverts on their pages. Fake news sites often have pornographic adverts. That should raise red flags.

5) Research the author of the article you’re reading. Use Google to see other works produced by the journalist named. That will give you an indication of the authenticity of the story.

Credit Card

Travel agents beware: be vigilant with payment transactions!

Travel agents should remember to always be vigilant with credit card transactions as fraud continues to be rife in the travel industry.

Here are some reminders of the most important Credit Card must-dos:

  1. Never process payments on a credit card without having the card/s present at the time of the transaction
  2. Check signature against original card/s
  3. Obtain required authorisation
  4. Take an imprint of the card – A FAX COPY IS NOT AN IMPRINT
  5. Ensure validity of expiry date and check that security features appear on the card
  6. Please be warned: Any invalid expiry dates entered for approval through one of the Global Reservations Systems that results in a fraudulent transaction, will be charged back to the agency
  7. A great way to check whether the card is valid is to check the issuing bank of the card on https://www.bindb.com/bin-database.html

And remember, authorisation alone is not enough

Although travel agents should always obtain an authorisation code for a credit card transaction, this code only indicates that the cardholder is in good standing with the bank (and is usually supplied automatically) but is no guarantee of payment.

It simply verifies that there are sufficient funds in the account. It can’t confirm the identity of the cardholder, or guarantee that the card and/or transaction are genuine

Having said that, travel agents should always get an imprint of the credit card as well as obtain an authorisation number. Failing to do so will result in charge backs and the travel agent will then be liable to settle the loss due to fraudulent transactions.

If in doubt, run a Mod 10 check!

The Mod 10 algorithm was designed to validate a variety of identification numbers, and can be used to verify credit card numbers before submitting transactions for authorization.

The Mod 10 algorithm detects all single-digit errors, as well as almost all transpositions of adjacent digits.

To implement the algorithm in your fraud prevention system:

  • Contact your processor and ask for the Mod 10 algorithm that lets you check the validity of a card number.
  • Use the Mod 10 algorithm to check all e-commerce transactions before submitting them for authorisation.
  • Immediately notify your customer if the card fails to pass the Mod 10 check. Display the following message on the customer’s screen “The card number you entered is invalid. Please try again.” or a similar message.
  • Do not submit the transaction for authorisation until the card number passes the Mod 10 check.

Using the Mod 10 algorithm for checking the validity of your customers’ card numbers will help protect your business against fraud or an error on the part of the cardholder and minimise related disputes and losses.