The Payment Card Industry Data Security Standard (PCI DSS) is a global data security standard designed to protect confidential payment card information against theft. Airlines have asked IATA to support their own internal compliance projects by making the BSP card sales channel PCI DSS compliant. This is why IATA Accredited Travel Agents now need to become PCI DSS compliant. On this page you will find the procedure to follow to comply with this standard.

What is PCI DSS

The Payment Card Industry (PCI) Security Standards Council is responsible for managing the security standards for the payment card industry. Five main payment card brands took part in the creation of this Council: American Express, Discover Financial Services, JCB International, MasterCard, and Visa Inc.

The Council operates in:

  • Establishing and sustaining a worldwide data security standard with the aim of protecting cardholders’ account information
  • Minimizing the Data Security Standard (DSS) implementation costs and lead time
  • Promoting transparency, while giving stakeholders the opportunity to contribute to the continued improvement, expansion and diffusion of the data security standards
  • Listing the global security providers that can aid in the compliance process, ensuring that the main standards are understood and implemented correctly so as to create a secure payment solution

The PCI Security Standards Council affects a large number of people globally. It serves those who work with or are associated with payment cards, such as:

  • Merchants of all sizes
  • Financial institutions
  • Point-of-sale vendors
  • Hardware and software developers who are responsible for building and operating the worldwide infrastructure for processing payments

PCI DSS & Travel Agency Business

The breach or theft of cardholder data affects the entire payment card industry, with a knock-on effect: your customers lose trust in your own services as well as in the airline merchants and the acquirers and financial institutions standing behind them. A customer’s credit rating can be negatively affected, which could lead to enormous personal fallout. Customer-facing businesses and financial institutions lose credibility (and in turn, business), and they are also subject to numerous financial liabilities as a result of the theft of cardholder data. Therefore, compliance with PCI DSS is mandated by the International Card Payment Schemes worldwide.

Why is security significant for the Agent?

The information being processed is of a very sensitive nature; hence, complying with the PCI DSS standard is a high priority for retailers. An agent that is not PCI DSS compliant is not in a position to fully assure the security of its customers’ data; consequently, the agent is exposed to Card Scheme fines, losses as a result of fraud, operational costs and even reputational damage. Being PCI DSS compliant is in each agent’s best interest, not only because it secures customers’ sensitive information and their financial situation, but also because it leads to a safer organizational network. Such networks are in many cases subject to poor system maintenance, which gives cybercriminals the freedom to enter the system.

What are the potential liabilities that the agency will face?

  • Lost confidence, so customers go to other merchants
  • Diminished sales
  • Fraud losses
  • Higher subsequent costs of compliance
  • Legal costs, settlements and judgments
  • Fines and penalties
  • Termination of ability to accept payment cards
  • Going out of business

How to become PCI DSS compliant

IATA is committed to the industry objective of supporting Travel Agent achievement of PCI DSS compliance in a timely manner, and welcomes all possible solution providers who can assist Travel Agents with this important cause.

As part of this commitment, IATA has signed an agreement with Trustwave, a Qualified Security Assessor (QSA) certified by the PCI Security Standards Council, to obtain PCI DSS certification. TrustKeeper PCI Manager will walk you through the steps that are right for your Travel Agent business type, making it easy for you to understand what needs to be addressed, how to find the solution, and how to check off each task once it is complete.

IATA will also accept evidence of PCI DSS compliance from any other certified PCI Security Standards Council partner. To this end, IATA is pleased to see other industry partners such as Advantio, Travelport or Ubitrak facilitating PCI DSS certification.

There are 3 steps to reach compliance:

1. Assess

  • Identification of cardholder information
  • Taking an inventory of IT assets and business processes for payment card processing
  • Analysis of vulnerabilities

2. Remediate

  • Fixing the vulnerabilities
  • Eliminating the storage of cardholder data unless absolutely necessary

3. Report

  • Compiling and submitting required reports to the appropriate acquiring bank and card brands
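As an added illustration of the Assess and Remediate steps (this is not part of IATA's procedure or any Trustwave tooling), the following Python scans constructed sample records for stored primary account numbers (PANs), validates candidates with the Luhn check, and masks any it finds so that only the first six and last four digits remain.

```python
import re

# Constructed sample records, of the kind an agent might find in an old booking export.
SAMPLE_RECORDS = [
    "PNR ABC123 paid with card 4111 1111 1111 1111 exp 12/27",
    "PNR DEF456 paid with card 5500-0000-0000-0004",
    "invoice 1234567890123456 is not a card number",   # 16 digits but fails Luhn
    "PNR GHI789 cardholder masked 411111******1111",   # already masked, nothing to find
]

# 13 to 19 digits, optionally separated by spaces or hyphens, not embedded in a longer digit run.
CANDIDATE_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_valid(digits: str) -> bool:
    """Luhn checksum: doubles every second digit from the right, sum must be divisible by 10."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def _normalise(candidate: str) -> str:
    return re.sub(r"[ -]", "", candidate)


def find_pans(text: str) -> list[str]:
    """Return every Luhn-valid PAN found in the text, separators removed."""
    return [
        _normalise(m.group())
        for m in CANDIDATE_RE.finditer(text)
        if luhn_valid(_normalise(m.group()))
    ]


def mask_pan(pan: str) -> str:
    """Keep first six and last four digits (a common PCI DSS display convention), mask the rest."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def redact(text: str) -> str:
    """Replace every Luhn-valid PAN in the text with its masked form; leave other numbers alone."""
    def repl(m: re.Match) -> str:
        digits = _normalise(m.group())
        return mask_pan(digits) if luhn_valid(digits) else m.group()
    return CANDIDATE_RE.sub(repl, text)


def scan_records(records: list[str]) -> dict[int, list[str]]:
    """Map record index to the PANs stored in it, for records that contain any."""
    return {i: pans for i, r in enumerate(records) if (pans := find_pans(r))}
```

Running `scan_records(SAMPLE_RECORDS)` reports which records still hold cardholder data (the Assess step); `redact` produces the form such records should take if they must be retained at all (the Remediate step).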

Download the full PCI DSS compliance procedure (pdf)