More than 75% of sales of travel products happen online. If you are setting up payment infrastructure for your newly built online travel agency, or thinking of moving your existing travel agency online, the first thing that should draw your attention is PCI DSS compliance. It applies even to the smallest travel companies, and non-compliance can lead to heavy fines from payment processors, which go as high as 100,000 USD a month. Apart from dodging fines, why is it important? What do you need to do on your end? We will answer all these questions in this piece. Let’s get to the basics first.

What does PCI DSS compliance mean for OTAs?

PCI DSS stands for Payment Card Industry Data Security Standard, and it’s essentially a set of security guidelines designed to protect the sensitive payment information of your customers. Now, why is this relevant to OTAs?

Essentially, PCI DSS compliance is all about safeguarding your customers’ financial data. When travelers book flights, hotels, or other services through your OTA, they trust you to keep their credit card information safe. Meeting PCI DSS requirements means you’re taking the necessary steps to ensure this trust is well-placed. 

To become PCI DSS compliant, you’ll need to implement specific security measures and practices, such as encryption, access controls, and regular security assessments.  

It might seem like a hassle, but it’s a vital investment in both your business’s reputation and your customers’ peace of mind. Now comes the question of what you must do to remain PCI compliant. Let’s address this next!  

Four levels of PCI DSS compliance and specific requirements

Level 1: This is the most stringent and typically applies to the largest travel agencies. If your agency processes more than six million transactions per year, you fall into this category.  

  • Visa: Visa, for instance, specifies businesses that process over six million Visa transactions annually as Level 1. Compliance involves robust security measures and an annual onsite security assessment. 
  • Mastercard: Similarly, Mastercard classifies Level 1 merchants as those with over six million Mastercard transactions annually. Compliance with Mastercard’s requirements includes stringent security controls and regular vulnerability assessments. 
  • Discover: Discover follows a similar model, designating Level 1 merchants as those with over six million Discover transactions each year. Compliance involves secure network and application development, access control, and regular security scans. 
  • American Express: American Express, too, categorizes Level 1 merchants as those processing over six million transactions. Compliance with American Express requires specific data protection, encryption, and access control measures. 

Level 2: Travel agencies that process between one million and six million transactions annually fall under this category. 

Visa, Mastercard, Discover, and American Express: Level 2 compliance applies to agencies within the one to six million transactions range for these companies. It involves stringent security controls, vulnerability assessments, and annual self-assessment questionnaires (SAQ). 

Level 3: If your agency processes between 20,000 and one million transactions annually, you fall into the Level 3 category. 

Visa, Mastercard, Discover, and American Express: The compliance requirements for these companies in Level 3 are similar and include ongoing monitoring, security assessments, and annual SAQs to protect payment data.

Level 4: The smaller travel agencies, processing fewer than 20,000 transactions each year, are categorized under this level. While the requirements are less stringent than the others, compliance remains critical. 

Visa, Mastercard, Discover, and American Express: For Level 4, these companies maintain similar compliance requirements, including annual SAQs and regular security scans. 

JCB: Besides Visa, Mastercard, Discover, and American Express, it’s essential to consider JCB. JCB simplifies compliance into two merchant levels, where Level 1 applies to merchants processing over one million transactions annually, and Level 2 applies to those processing fewer than one million transactions. Specific requirements may include encryption, secure payment processing, and security assessments.

The 12 key requirements of PCI DSS for OTAs

The Payment Card Industry Data Security Standard (PCI DSS) outlines a set of security requirements and best practices for organizations that handle credit card transactions. There are 12 key requirements within the PCI DSS framework.

1. Install and Maintain a Firewall Configuration to Protect Cardholder Data:

    • Establish and maintain a firewall and router configuration to protect cardholder data.

2. Do Not Use Vendor-Supplied Defaults for System Passwords and Other Security Parameters:

    • Change default passwords and security settings for all systems and software.

3. Protect Cardholder Data:

    • Protect stored cardholder data through encryption and other security measures.
    • Mask PAN (Primary Account Number) data when displayed.

4. Encrypt Transmission of Cardholder Data Across Open, Public Networks:

    • Use strong encryption and security protocols to protect cardholder data during transmission over open or public networks.

5. Use and Regularly Update Anti-Virus Software or Programs:

    • Deploy anti-virus software on all systems commonly affected by malware and keep it current.

6. Develop and Maintain Secure Systems and Applications:

    • Ensure all systems and software are developed and maintained securely, addressing vulnerabilities and security flaws.

7. Restrict Access to Cardholder Data by Business Need to Know:

    • Limit access to cardholder data to only those who need it to perform their job duties.

8. Assign a Unique ID to Each Person with Computer Access:

    • Assign a unique user ID to each individual with access to computer systems and implement robust authentication methods.

9. Restrict Physical Access to Cardholder Data:

    • Implement physical access controls to prevent unauthorized access to data storage areas.

10. Track and Monitor All Access to Network Resources and Cardholder Data:

    • Implement logging and monitoring mechanisms to track all access and usage of network resources and cardholder data.

11. Regularly Test Security Systems and Processes:

    • Conduct regular security testing, including vulnerability scans and penetration testing, to identify and address vulnerabilities.

12. Maintain a Policy that Addresses Information Security for Employees and Contractors:

    • Establish and maintain an information security policy that addresses the security responsibilities of employees and contractors.
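Requirements 3 and 10 meet in practice where cardholder data leaks into application logs: a PAN must be masked wherever it is displayed, and logs are one of the places OTAs most often forget. The following Python script is an added example, not code from the original post or from Vervotech. It assumes a line-oriented text log, detects candidate card numbers with a Luhn check so that look-alike booking references are left alone, and rewrites each PAN to show only its last four digits (the most conservative display form; consult the current PCI DSS text for exactly which leading digits may also be shown). The log lines and card numbers are constructed for the example; the card numbers are the publicly known test PANs, not real cards.

```python
import re

# Candidate PAN: 13 to 19 digits, optionally separated by single spaces or dashes.
# Constructed for this example; tune the separators to your own log formats.
PAN_CANDIDATE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")


def luhn_valid(digits: str) -> bool:
    """Return True if the digit string passes the Luhn check used by card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str, keep_last: int = 4) -> str:
    """Mask a PAN for display, keeping only the last `keep_last` digits."""
    digits = re.sub(r"\D", "", pan)
    if len(digits) <= keep_last:
        raise ValueError("PAN too short to mask")
    return "*" * (len(digits) - keep_last) + digits[-keep_last:]


def scrub_log_line(line: str) -> str:
    """Replace every Luhn-valid PAN in a log line with its masked form.

    Digit runs that fail the Luhn check (booking ids, timestamps, amounts)
    are left untouched so the log stays useful for troubleshooting.
    """
    def _replace(match: re.Match) -> str:
        digits = re.sub(r"\D", "", match.group(0))
        return mask_pan(digits) if luhn_valid(digits) else match.group(0)

    return PAN_CANDIDATE.sub(_replace, line)


def scrub_log(lines):
    """Scrub a list of log lines; returns the masked lines in order."""
    return [scrub_log_line(line) for line in lines]


# Constructed sample log lines (not real traffic); the card numbers are test PANs.
SAMPLE_LOG = [
    "2024-05-01T10:15:02Z INFO booking=1234567890123456 charged card=4111111111111111 amount=349.00",
    "2024-05-01T10:15:03Z WARN retry card=5555 5555 5555 4444 gateway=timeout",
    "2024-05-01T10:15:04Z INFO pnr=ABC123 status=confirmed",
]

if __name__ == "__main__":
    for scrubbed in scrub_log(SAMPLE_LOG):
        print(scrubbed)
```

Run it and the first line keeps the 16-digit booking id (it fails the Luhn check) while the card number becomes `************1111`; the second line's space-separated PAN is masked the same way. Scrubbing at write time is a mitigation for a logging mistake, not a substitute for never logging the PAN: the stronger control is to tokenize at the payment gateway so the full PAN never reaches your application at all.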

In essence, the level of PCI DSS compliance that applies to your agency depends on the volume of transactions you handle. It’s essential to identify your category and adhere to the corresponding security measures and assessments to protect your customers’ payment information, which is crucial to establishing trust. And you must not treat this exercise merely as a way to avoid fines; it adds to your credibility.

About Vervotech:

Vervotech is a leading Hotel Mapping and Room Mapping API that leverages the power of AI and ML to quickly and accurately identify each property listing through the verification of multiple parameters. With one of the industry’s best coverage rates at 98% and an accuracy of 99.999%, Vervotech is quickly becoming the mapping software of choice for leading global companies operating in the travel and hospitality industry. To learn more about Vervotech and the ways it can enhance your business in the long run, contact us at sales@vervotech.com

Disclaimer: The author is solely responsible for the content and Vervotech does not exert any control or influence over the author's opinions or statements.