PCI DSS compliance is a mandatory condition for IATA-accredited agents that process payment card transactions. SkyBook Global manages the entire journey — scoping, SAQ completion, remediation, and confirmation through the IATA Customer Portal — so your accreditation and your ticketing authority are never at risk.
PCI DSS (Payment Card Industry Data Security Standard) is the global security standard for any business that stores, processes, or transmits payment card data. IATA requires accredited travel agents handling card payments through the BSP to validate PCI DSS compliance and confirm their status via the IATA Customer Portal — making it a condition of accreditation, not an optional best practice.
For an IATA agent, PCI DSS sits at the intersection of payment security and accreditation. Falling short exposes the agency on three fronts at once.
PCI DSS status is part of your standing under IATA's agency programme rules. Unconfirmed or lapsed compliance can be treated as non-compliance with accreditation conditions — putting BSP ticketing authority itself in question.
A cardholder data breach at a non-compliant agency triggers forensic investigation costs, card scheme penalties passed through acquirers, and potential liability for fraudulent transactions — losses no thin-margin agency can absorb.
Airlines, corporate clients, and consolidators increasingly ask for evidence of PCI DSS compliance before extending card acceptance or contracts. Compliance is becoming a commercial qualifier, not just a regulatory one.
Most travel agencies validate PCI DSS through a Self-Assessment Questionnaire (SAQ). The correct type depends entirely on how your agency touches card data — and selecting the wrong one is the most common compliance error we correct.
| SAQ Type | Typical Agency Scenario | Relative Effort |
|---|---|---|
| SAQ A | Card payments fully outsourced to PCI-compliant third parties — e.g., an online booking engine where the agency never touches card data. | Lightest |
| SAQ A-EP | E-commerce agencies whose website affects the security of the payment page, even though a third party processes the card. | Moderate |
| SAQ B / B-IP | Card-present agencies using standalone dial-out or IP-connected payment terminals, with no electronic storage of card data. | Light–Moderate |
| SAQ C / C-VT | Agencies keying card details into a virtual terminal or payment application — the common pattern for GDS card entry and MOTO bookings. | Moderate |
| SAQ D | Agencies that store, process, or transmit cardholder data in their own systems — the most demanding pathway, often requiring remediation first. | Highest |
SAQ definitions and eligibility criteria are set by the PCI Security Standards Council and are periodically updated. Our assessment confirms the correct pathway for your specific card-handling environment before any questionnaire is signed.
When you choose Skybook for your IATA financial reporting needs, you unlock several key benefits:
We map every channel where card data enters your agency — GDS entry, booking engine, MOTO, terminals — define your cardholder data environment, and identify exactly what stands between you and compliance.
We determine the correct SAQ type for your environment, complete the questionnaire with your team, and prepare the Attestation of Compliance ready for signature.
Where gaps exist — stored card data, network segmentation, policy documentation, staff practices — we deliver a prioritized remediation plan and support your team through closure.
For SAQ types requiring quarterly external vulnerability scans, we coordinate Approved Scanning Vendor (ASV) scans, interpret results, and manage rescans until a passing report is achieved.
We support the confirmation of your PCI DSS compliance status through the IATA Customer Portal and maintain the documentation trail your accreditation reviews and financial assessments depend on.
PCI DSS validation is an annual cycle. We track your revalidation calendar, refresh your SAQ each year, and make sure compliance never lapses between cycles.
A compliance specialist reviews how your agency accepts and handles card payments across every channel and defines your cardholder data environment.
You receive a clear statement of your current position: the applicable SAQ type, the gaps identified, and a prioritized remediation roadmap with realistic timelines.
Our team works alongside yours to close gaps — from eliminating stored card data and hardening processes to preparing the security policies PCI DSS requires.
We complete the SAQ, coordinate ASV scans where required, and prepare your Attestation of Compliance for management signature.
Your compliance status is confirmed through the IATA Customer Portal, and your annual revalidation calendar moves onto our watch — not yours.
Generic security consultants understand PCI DSS. Very few understand BSP remittances, GDS card entry, IATA accreditation rules, and how a travel agency actually operates. We do both.
As the BPO and consulting division of Nucore Software Solutions — the developer of TRAACS and NuTRAACS — we understand the systems and workflows where card data actually lives in a travel agency.
Our consultants work with IATA accreditation, financial assessments, and portal processes daily — PCI DSS confirmation is handled inside the same accreditation context, not in isolation.
351+ clients across 26 countries, with deep operating experience in the UAE, Saudi Arabia, Qatar, Oman, and Bahrain — where regulator and acquirer expectations are rising fastest.
A sustained 99.91% quality rating across our engagements, with clients achieving an average of 50% cost savings versus running equivalent functions in-house.
Yes. IATA requires accredited agents that process payment card transactions through the BSP to be PCI DSS compliant and to confirm their compliance status through the IATA Customer Portal. Non-compliance can be treated under the agency programme rules and may affect the agent’s accreditation standing.
A Self-Assessment Questionnaire (SAQ) is the PCI DSS validation tool for merchants not required to undergo a full on-site assessment. The correct type depends on how your agency handles card data — fully outsourced e-commerce, standalone terminals, virtual terminal entry via the GDS, or in-house storage of cardholder data. Choosing the wrong SAQ is one of the most common compliance errors travel agencies make.
Consequences can include action under IATA’s agency programme rules affecting accreditation, card scheme penalties passed through acquirers, and significant liability in the event of a cardholder data breach — including forensic investigation costs and reputational damage with airline partners.
It depends on your card-handling environment. Agencies with fully outsourced payment channels can often complete validation within weeks; agencies that store or transmit cardholder data internally may need remediation before the SAQ can be signed. A scoping assessment is the fastest way to get an accurate timeline for your agency.
Validation runs on an annual cycle, and some SAQ types also require quarterly external vulnerability scans by an Approved Scanning Vendor (ASV). SkyBook Global manages the renewal calendar so compliance never lapses between cycles.
Yes. Once your SAQ is completed and signed, our team supports the confirmation of your PCI DSS status through the IATA Customer Portal and maintains the documentation trail needed for accreditation reviews and IATA financial assessments.
SkyBook Global has helped 351+ travel businesses across 26 countries stay compliant, accredited, and audit-ready. Book a no-obligation PCI DSS scoping assessment and know exactly where your agency stands.
Adding {{itemName}} to cart
Added {{itemName}} to cart