Payment Card Industry (PCI) Data Security Standard (DSS) compliance and IATA

 

Following the announcement by IATA regarding PCI DSS compliance, here are a few things you need to know:

 

Background:

Effective 1 June 2017, PCI DSS compliance became a mandatory condition to obtain and retain accreditation as an IATA Accredited Agent in all its Accredited locations under the Passenger Sales Agency Rules in Resolution 818g.

Non-compliance with the PCI DSS could result in two instances of irregularity being recorded against your agency.

As a result of interventions by ASATA and WTAAA, the active implementation of PCI DSS compliance has been pushed out to 01 March 2018.

 

What is PCI DSS?

A set of technical and operational requirements for all entities that store, process or transmit payment card data, with the aim of protecting cardholder data.

PCI DSS Compliance Procedure

  1. Evidence of an acceptable PCI DSS Attestation of Compliance (AOC), completed by a Qualified Security Assessor (QSA).
  2. A Self-Assessment Questionnaire (SAQ) signed by an authorised officer.
  3. The results of quarterly vulnerability scans, if applicable.

When do I need to submit?

Upon individual request, which you will receive from IATA.

How do I submit?

Scanned copies attached to your case, or sent by email to the case.

What do we know today about PCI DSS compliance in South Africa?

If your business accepts card payments, you need to achieve compliance. PCI DSS compliance is required of all merchants that store, process or transmit payment card data. The programme applies to all payment channels, including retail (brick-and-mortar), mail order/telephone order and e-commerce, regardless of the size of the business.

The payment brands group merchants into four levels to determine compliance validation requirements. Each of the five card brands has similar merchant level criteria based on annual transaction volume.

The following guidelines will help you decide which merchant level applies to you and which steps you need to take to ensure PCI DSS compliance:

 

Merchant level 1

Merchant criteria:

  • You process more than 6,000,000 transactions annually
  • You have suffered a data breach in which account data was compromised
  • You have been identified by any card brand as a Level 1 merchant

Validation requirements:

  • Undergo an annual on-site security assessment by a PCI SSC-qualified Qualified Security Assessor (QSA), resulting in a Report on Compliance (ROC)
  • Have quarterly external vulnerability scans performed by an Approved Scanning Vendor (ASV); annual penetration testing is a separate PCI DSS requirement and is not an ASV service
  • Complete an Attestation of Compliance (AOC) form

Merchant level 2

Merchant criteria:

  • You process between 1,000,000 and 6,000,000 transactions annually

Validation requirements:

  • Complete an annual Self-Assessment Questionnaire (SAQ); some brands require it to be completed by a PCI SSC-certified Internal Security Assessor (ISA) or a QSA
  • Have quarterly external vulnerability scans performed by an Approved Scanning Vendor (ASV)
  • Complete an Attestation of Compliance (AOC) form

Merchant level 3

Merchant criteria:

  • You process between 20,000 and 1,000,000 e-commerce transactions annually

Validation requirements:

  • Complete an annual Self-Assessment Questionnaire (SAQ)
  • Have quarterly external vulnerability scans performed by an Approved Scanning Vendor (ASV)
  • Complete an Attestation of Compliance (AOC) form

Merchant level 4

Merchant criteria:

  • You process fewer than 20,000 e-commerce transactions annually, or
  • You process up to 1,000,000 non-e-commerce transactions annually

Validation requirements:

  • Complete an annual Self-Assessment Questionnaire (SAQ), as required by your acquiring bank
  • Have quarterly external vulnerability scans performed by an Approved Scanning Vendor (ASV), if applicable
  • Complete an Attestation of Compliance (AOC) form

If your business falls under Level 1, you will need a Qualified Security Assessor (QSA) and an Approved Scanning Vendor (ASV) to validate your compliance. A QSA is a company approved by the PCI SSC to conduct on-site assessments, while an ASV is a company approved by the PCI SSC to perform external vulnerability scanning.

 

The PCI SSC publishes a set of Self-Assessment Questionnaires (SAQs) to assist merchants at Levels 2, 3 and 4 with compliance validation. An SAQ is a validation tool for merchants who are permitted by the payment brands to self-evaluate their compliance. This means your business may not require a QSA: you can perform a self-assessment by completing the appropriate SAQ and the accompanying Attestation of Compliance and keeping them on record. In addition, you may be required to engage an ASV for quarterly external vulnerability scans.

Compliance validation criteria vary by card brand. Read more about the specific requirements on each card company's website: Mastercard, Visa, American Express, Discover and JCB International.

IATA has agreed to prepare a travel industry specific small merchant guide, scheduled to be available by November 2017.

 

Choosing the Right SAQ for Your Business

The first step towards correct completion is choosing the right SAQ. Because organisations come in all shapes and sizes, one size does not fit all; this is why a range of SAQs has been developed to suit different business types and payment channels.

This simple guide will help you identify which SAQ is right for you, setting you on the right track…

 

SAQ A

  • Who is it for?
    "Card-not-present" merchants, including contact centres, e-commerce businesses and mail order companies, that fully outsource all cardholder data functions to a PCI DSS compliant third-party service provider. These businesses never store, process or transmit cardholder data electronically on their own systems or premises.
  • Actions required
    • Any paper copies of cardholder data must be securely destroyed or protected.
    • Details of third-party service providers must be kept.
    • The PCI DSS compliance status of third-party service providers must be monitored.

SAQ A-EP

  • Who is it for?
    E-commerce merchants that partially outsource payment processing to a PCI DSS compliant third-party service provider. Depending on the merchant's payment process (for example, if the merchant's website controls how cardholder data is redirected, such as a payment form partly completed on the merchant's site before the customer is sent to a third-party payment gateway), this SAQ rather than SAQ A may apply.
  • Actions required
    • Any e-commerce merchant formerly using SAQ A should review the eligibility criteria to determine whether they should now complete SAQ A-EP instead.

SAQ B

  • Who is it for?
    Merchants that process payments only via imprint machines or standalone dial-out terminals and do not store cardholder data electronically.
  • Actions required
    • Completion of the SAQ B form, confirming in particular that terminals are standalone dial-out devices not connected to any other system or network; terminals that connect to the processor over IP (for example via Ethernet, Bluetooth-paired networks or IP-based GSM/LTE) are not eligible for SAQ B and fall under SAQ B-IP.

SAQ B-IP

  • Who is it for?
    Merchants without electronic cardholder data storage that process payments via standalone PTS-approved point-of-interaction (POI) devices with IP connections to the payment processor. Transactions can take place in person or via phone or post.
  • Actions required
    • Completion of the SAQ B-IP form, confirming in particular that POI devices are segmented from all other networks and systems.
    • Paper merchant receipts must be the only form of cardholder data retained.

SAQ C

  • Who is it for?
    Merchants without electronic cardholder data storage whose payment application system is connected to the internet. These are usually widely used, commercially available payment applications running on a standalone machine, operated by small "bricks and mortar" businesses.
  • Actions required
    • Completion of the SAQ C form, confirming in particular that the payment application system is segmented from other networks and is strongly protected.

SAQ P2PE

  • Who is it for?
    Merchants that process card data only via a PCI SSC-listed P2PE (Point-to-Point Encryption) solution using validated hardware payment terminals. This can include in-person and remote (phone or post) transactions.
  • Actions required
    • Completion of the SAQ P2PE form.
    • All account data must be entered via a validated P2PE hardware POI device; no electronic cardholder data may be stored.

SAQ D

  • Who is it for?
    Service providers, and merchants that do not meet the eligibility criteria for any of the questionnaires above.
  • Actions required
    • Completion of SAQ D, which covers all 12 PCI DSS requirements in full; any requirement marked as not applicable must be justified and documented.

 

Payments Association of South Africa (PASA) and the CCCF

The current Payments Association of South Africa (PASA) policy/ruling requires a card imprint to be kept in case of a dispute and to confirm a card-present transaction. As such, the CCCF requirement is at this stage deemed to be non-compliant with PCI DSS. IATA has been pushing for the electronic version of the CCCF issued by GDSs as an acceptable form of confirming a credit card transaction, which would comply with PCI DSS requirements; however, this is currently not deemed acceptable under the PASA policy/ruling.

IATA has reached out to the banks to confirm what the requirements would be and what Qualified Security Assessors (QSAs) would be looking for in light of the PASA ruling. At this stage, IATA is unable to confirm what a QSA would sign off against.

 

ASATA position and opinion:

  • For a compliance process to be implemented successfully, you need high-level buy-in. Although the principles of PCI DSS are accepted and understood, many businesses are still not clear on the process, which reduces buy-in.
  • It was the stated opinion of the PCI DSS council representative that recently presented to the PAPGJC that, based on experience, the travel industry would need 18-24 months to reach industry compliance worldwide (best case scenario).
  • Market-specific challenges: South African payment regulation requires merchants to use CCCF forms in the absence of the card (SA merchant rules require retention of a physical imprint of the card), which makes them non-PCI DSS compliant. This means all airlines operating in this market are also collecting CCCF forms with card imprints, making them non-compliant.
  • We continue to engage IATA on all levels (Geneva and Johannesburg) to address the concerns and issues around process and timeframes. To this end ASATA has called for an APJC meeting, to discuss the risk and threat posed by enforcing PCI DSS compliance to BSP-ZA.
  • ASATA has also engaged several QSAs to discuss possible industry-specific solutions. All of them, however, will carry costs for agents.
  • With the travel industry specific small merchant guide proposed by IATA, in collaboration with WTAAA and the PCI SSC, due for release in November, those who qualify for self-assessment may be better equipped to do so (subject to the guide actually being published).
  • We remain of the opinion that the March 2018 deadline is not achievable and will raise this matter on the agenda of the next PAPGJC meeting, to be held 14/15 September 2017.
  • If the current compliance programme is pursued, especially within the time-frame set out, most small to medium-sized agents (probably 90-95% of accredited agents worldwide) will be forced to withdraw from the programme or will be excluded from processing credit card payments, with the high cash risk that comes with that. An increase in cash sales will drive bank guarantees up, further putting the agency programme at risk.