Monday, October 29, 2007

MLM and Credit Cards

An interesting topic has come up regarding merchants needing to be PCI compliant. Apparently ARC is modifying its agreement in a few weeks. I wonder how this will all factor in when there are so many MLM agents each needing to comply. I would imagine that having hundreds of thousands of agents involved in this has to be an issue in terms of security, identity theft, etc.

From the Airline Training Council website:
http://www.airlinetraining.org/en/sempciwebinar.shtml

As credit card forms of payment for travel service purchases continue to grow, despite various efforts by certain travel suppliers to encourage alternative payment systems, credit card companies are continuing their efforts to assure that travel retailer merchants, travel service providers, and travel suppliers themselves adopt the credit card data protection standards mandated by the Payment Card Industry (PCI) Security Standards Council. The Council is a joint body, founded by American Express, Discover Financial Services, JCB, MasterCard Worldwide, and Visa International, to develop, enhance, disseminate and assist with implementation of standards for credit card security.

The Council manages an industry protocol referred to as the PCI Data Security Standard (DSS), a common set of industry tools and measurements to help ensure the safe handling of sensitive credit card data and the protection of cardholder information. In general terms, any entity which stores, processes, or transmits cardholder data (specifically the primary account number) must comply with the PCI DSS.

Even if an entity does not operate an online booking web site (which must comply with the PCI DSS despite already having an SSL secure certificate and web site "padlock"), so long as an entity uses the Internet to connect to a GDS, a travel supplier agent booking portal, a payment portal for online processing of agency service charges, a settlement system for airline ticket sales or travel sales transactions, a web-based storage or back-up facility for back-office accounting or customer profile data, or any other Internet-facing portal or application (including standard e-mail) used in the transmission of credit card data and cardholder information, the entity must comply with the PCI DSS.

While individual credit card companies have had security and account protection standards for quite some time, a collective effort using joint PCI DSS compliance is now in force and will make it easier for all travel merchants to comply more efficiently and effectively. Travel agencies may have noticed recent changes to GDS login and password management to be more PCI compliant.

IATA member airlines, at their Passenger Agency Conference in Geneva in June 2007, agreed to require agencies to be PCI compliant in order to satisfy IATA resolutions and accreditation requirements.

The Airlines Reporting Corporation (ARC), effective 12 November 2007, will amend the ARC Agent Reporting Agreement and the ARC CTD Reporting Agreement to require U.S. travel agencies and corporate travel departments which are ARC-accredited to be PCI compliant. A summary of ARC's changes to the Agreements, including those amendments regarding PCI, is available on the ARC web site.
