Home    About Us    Services    Resources    Careers    Contact Us

Services | IATA - PCI DSS Compliance

PCI DSS & Travel Agent Compliance Requirements

Payment Card Industry Data Security Standards (PCI DSS) is a global data security standard to protect confidential payment card information against theft. Airlines have demanded that IATA support their own internal compliance project by making the BSP card sales channel PCI DSS compliant. This is why IATA Accredited Travel Agents now need to become PCI DSS compliant.

We serve as a client advocate, holistically addressing information security needs ranging from the program level all the way down to the project level. We help businesses, organizations and educational institutions plan, build and run successful information security programs, solve focused security problems, and execute specific IT security projects.

What is PCI DSS?

The Payment Card Industry (PCI) Security Standards Council is responsible for managing the security standards for the payment card industry. There are 5 main payment card brands which took part in the creation of this Council: American Express, Discover Financial Services, JCB International, MasterCard, and Visa Inc.

The Council operates in:
•  Establishing and sustaining a worldwide data security standard with the aim to protect the card holders’ accounts information
•  Minimizing the Data Security Standard (DSS) implementation costs and lead time
•  Accommodating transparency, while giving the stakeholders the opportunity to contribute in the continued improvement, expansion and diffusion of the data security standards
•  Listing all the global security providers in order to aid in the compliance process through ensuring that the main standards are understood and implemented correctly so as to create a secure payment solution

The PCI Security Standards Council affects a large number of people globally. It serves those who are working or are in association with payment cards such as:

•  Merchants of all sizes
•  Financial institutions
•  Point-of-sale vendors
•  Hardware and software developers who are responsible for building up and operating the worldwide infrastructure for processing payments

PCI DSS & Travel Agency Business

The breach or theft of cardholder data affects the entire payment card industry with a knock-on effect where your customers lose trust in your own services as well as in the airline merchants and the acquirers and financial institutions standing behind them. A Customer’s credit rating can be negatively affected, which could lead to enormous personal fallout. Customer facing businesses and financial institutions lose credibility (and in turn, business) and they are also subject to numerous financial liabilities as a result of theft of cardholder data. Therefore, compliance to PCI DSS is mandated by the International Card Payment Schemes worldwide.

Why security is significant for the Travel Agent?

The information that is being processed is of a very sensitive nature, hence, it is considered as a high priority for retailers to comply with PCI DSS standards. An agent that is not PCI DSS compliant, is not in a position to completely assure the security of their customers’ data, consequently, the agent will be vulnerable to Card Scheme fines, losses as a result of fraud, operational costs or even damages associated with reputation. Being PCI DSS compliant is in each agents’ best interest, not only because it secures the customers’ sensitive information or a particular financial situation, it also leads to a safer organization network – which is in many cases liable to poor system maintenance – giving cybercriminals the freedom to enter the system.

What are the potential liabilities that the agency will face?

•  Lost confidence, so customers go to other merchants
•  Diminished sales
•  Fraud losses
•  Higher subsequent costs of compliance
•  Legal costs, settlements and judgments
•  Fines and penalties
•  Termination of ability to accept payment cards
•  Going out of business

Understanding and Selecting right SAQ-

All merchants are required to comply with the PCI DSS as applicable to their environments at all times. The PCI DSS self-assessment questionnaires (SAQs) are validation tools intended to assist merchants report the results of their PCI DSS self-assessment.

The different SAQ types are shown in the table below to help you identify which SAQ best applies to your organization. Detailed descriptions for each SAQ are provided within the applicable SAQ
Sr No SAQ Description
1 A Card-not-present merchants (e-commerce or mail/telephone-order), that have fully outsourced all cardholder data functions to PCI DSS compliant third-party service providers, with no electronic storage, processing, or transmission of any cardholder data on the merchant’s systems or premises.

Not applicable to face-to-face channels.

2 A-EP E-commerce merchants who outsource all payment processing to PCI DSS validated third parties, and who have a website(s) that doesn’t directly receive cardholder data but that can impact the security of the payment transaction. No electronic storage, processing, or transmission of any cardholder data on the merchant’s systems or premises.

Applicable only to e-commerce channels.

3 B Merchants using only:
▪ Imprint machines with no electronic cardholder data storage, and/or
▪ Standalone, dial-out terminals with no electronic cardholder data storage.

Not applicable to e-commerce channels.

4 B-IP Merchants using only standalone, PTS-approved payment terminals with an IP connection to the payment processor, with no electronic cardholder data storage.

Not applicable to e-commerce channels.

5 C-VT Merchants who manually enter a single transaction at a time via a keyboard into an Internet-based, virtual payment terminal solution that is provided and hosted by a PCI DSS validated third-party service provider. No electronic cardholder data storage.

Not applicable to e-commerce channels.

6 C Merchants with payment application systems connected to the Internet, no electronic cardholder data storage.

Not applicable to e-commerce channels.

7 P2PE-HW Merchants using only hardware payment terminals included in and managed via a validated, PCI SSC-listed Point-to-Point Encryption (P2PE) solution, with no electronic cardholder data storage.

Not applicable to e-commerce channels.

8 D SAQ D for Merchants: All merchants not included in descriptions for the above SAQ types.

These SAQs include questions that apply to a specific type of merchant environment, as defined in the related SAQ eligibility criteria. If there are PCI DSS requirements applicable to your environment that are not covered in a given SAQ, it may be an indication that this SAQ is not suitable for your environment. Additionally, you must comply with all applicable PCI DSS requirements in order to be PCI DSS compliant.

Note: Entities should ensure they meet all the requirements for a particular SAQ before using the SAQ. Merchants are encouraged to contact their merchant bank (acquirer) or the applicable payment brand(s) or Qualified Security Assessors (QSA) to identify the appropriate SAQ based on their eligibility.

Please register to get your PCI DSS Compliance completed.


Talk to our experts to know more about our Data Security and Privacy offerings

Speak to our Security Expert

  Offline: Leave Message