All travel agencies are required to be PCI (Payment Card Industry) compliant, yet most believe that because they do not charge the credit cards themselves, they are exempt. They are not. Let’s talk about what PCI compliance is, and why all agencies are required to be compliant even when they don’t charge credit cards themselves, and some steps you can take to ensure your agency is PCI compliant.
What is PCI compliance?
“The Payment Card Industry Data Security Standard (PCI DSS) is a set of requirements designed to ensure that all companies that process, store or transmit credit card information maintain a secure environment. PCI applies to all organizations or merchants, regardless of size or number of transactions, that accepts, transmits or stores any cardholder data. ” As travel agents accepting, storing and transmitting credit card information to suppliers, we too are required to be compliant. Suppliers reinforce this through their travel agent guidelines/contracts. One example from the Celebrity / Royal Caribbean / Azamara Travel Agent Guidelines: “Travel Agency must adhere to the applicable credit card company’s procedures for credit card transactions.…”
The Consequences of Not Being PCI Compliant
If a supplier believes an agency is not PCI compliant, the agency can lose the ability to process credit card payments with that supplier. Not being able to pay with client credit cards can be a serious roadblock for agencies, and an inconvenience for clients.
If you have a merchant account and are found to be out of compliance, you can be fined $5,000 to $10,000 a month.
How You Can be PCI Compliant
- First step: you cannot store the CCV security code from the back of a client’s credit card. If a supplier requires the CCV code, you need to get it from the client every time you have their card charged. Note, the client does not have the authority to grant you permission to store their CCV code either. They are not the owner of the card, the credit card company is, and they explicitly forbid storage of the CCV code.
- Second step: make sure you securely store any client information, including their credit card number and expiration date. If you use a CRM like CllientEase or ClientBase, ensure that you have a strong password. If your CRM database is stored on your computer hard drive (i.e. with ClientBase Windows), encrypt it (TrueCrypt is a great encryption software that is free of charge). If you have an IT resource, talk to them about installing a firewall on your network, installing anti-virus and anti-malware protection, and any other steps that you can take to secure your client data even further.
- Third step: if you keep paper copies of client information, keep them stored in a locked filing cabinet or desk drawer. When you no longer need their credit card information, cross shred it.
Note, home based businesses “are arguably the most vulnerable simply because they are usually not well protected,” according to the PCI Compliance Guide. Having strong passwords, encryption, a firewall, anti-virus and anti-malware protection are all inexpensive steps that you can take to protect your business and your clients’ sensitive data.
Susan Schaefer is the owner of Ships ‘N’ Trips Travel located in Tennessee, and specializes in leisure travel with a focus on group travel and charity fundraisers. Through their division Kick Butt Vacations she focuses on travel for 18 to 23 year olds. Susan can be reached by email at susan@shipsntripstravel.com or by phone at (888) 221-1209).