Members are being urged to review the way they collect, store and protect their customers’ data as Australian businesses face a wave of new regulations designed to protect consumers’ privacy and security.
IATA agents will be some of the first to tackle the new regulations with the Association now requiring travel retailers to adhere to the Payment Card Industry Data Security Standard (PCI DSS) – an information security standard for businesses that handle branded credit cards from the major card schemes.
The PCI DSS requires any company that accepts card payments, and stores, processes and transmits cardholder data, to host the information securely with a PCI compliant hosting provider. By mid-July IATA agents must upload an Attestation of Compliance Certificate to the IATA portal.
General Manager - Finance & Administration Justin Michael advises members to investigate the issue as soon as possible. “The process of obtaining a certificate can be time consuming, with IATA agents required to pay up to US$250 for an authorised assessor to review your data security and storage systems,” says Justin.
“It is not a quick process because the assessor will look to verify your systems, check your firewalls and review how you log security breaches. In essence it checks that you are doing what you say you are doing.”
He recommends that all members, even those not IATA-accredited, consider such a review. “It’s important that every member of our network ensures they are compliant and that their security systems are up to date. Although not yet compulsory for every business, a PCI DSS review can highlight any gaps because it takes data protection to a whole new level.”
One issue that businesses with sales of more than $3 million per annum will need to address is their strategy for handling data breaches. Under Australia’s Notifiable Data Breaches (NDB) scheme, companies have notification obligations when a data breach is likely to result in serious harm to customers whose personal information is compromised.
Justin says the corporate office is currently finalising its own data breach response plan and once finalised it will be shared with members. “The key message here is that every member needs to ensure they have the proper systems in place around customer data,” he says, “especially when it comes to security software and the way you respond to any security breach.”