skybook-global-logo-2

PCI DSS Compliance for IATA-Accredited Travel Agents

PCI DSS Compliance for IATA-Accredited Travel Agents

PCI DSS compliance is a mandatory condition for IATA-accredited agents that process payment card transactions. SkyBook Global manages the entire journey — scoping, SAQ completion, remediation, and confirmation through the IATA Customer Portal — so your accreditation and your ticketing authority are never at risk.

What Is PCI DSS for IATA Agents?

PCI DSS (Payment Card Industry Data Security Standard) is the global security standard for any business that stores, processes, or transmits payment card data. IATA requires accredited travel agents handling card payments through the BSP to validate PCI DSS compliance and confirm their status via the IATA Customer Portal — making it a condition of accreditation, not an optional best practice.

Non-Compliance Puts More Than Data at Risk

For an IATA agent, PCI DSS sits at the intersection of payment security and accreditation. Falling short exposes the agency on three fronts at once.

 

Accreditation Exposure

PCI DSS status is part of your standing under IATA's agency programme rules. Unconfirmed or lapsed compliance can be treated as non-compliance with accreditation conditions — putting BSP ticketing authority itself in question.

Financial Liability

A cardholder data breach at a non-compliant agency triggers forensic investigation costs, card scheme penalties passed through acquirers, and potential liability for fraudulent transactions — losses no thin-margin agency can absorb.

Commercial Trust

Airlines, corporate clients, and consolidators increasingly ask for evidence of PCI DSS compliance before extending card acceptance or contracts. Compliance is becoming a commercial qualifier, not just a regulatory one.

Which SAQ Applies to Your Agency?

Most travel agencies validate PCI DSS through a Self-Assessment Questionnaire (SAQ). The correct type depends entirely on how your agency touches card data — and selecting the wrong one is the most common compliance error we correct.

SAQ TypeTypical Agency ScenarioRelative Effort
SAQ ACard payments fully outsourced to PCI-compliant third parties — e.g., an online booking engine where the agency never touches card data.Lightest
SAQ A-EPE-commerce agencies whose website affects the security of the payment page, even though a third party processes the card.Moderate
SAQ B / B-IPCard-present agencies using standalone dial-out or IP-connected payment terminals, with no electronic storage of card data.Light–Moderate
SAQ C / C-VTAgencies keying card details into a virtual terminal or payment application — the common pattern for GDS card entry and MOTO bookings.Moderate
SAQ DAgencies that store, process, or transmit cardholder data in their own systems — the most demanding pathway, often requiring remediation first.Highest

SAQ definitions and eligibility criteria are set by the PCI Security Standards Council and are periodically updated. Our assessment confirms the correct pathway for your specific card-handling environment before any questionnaire is signed.

End-to-End PCI DSS Support, Built for IATA Agents

When you choose Skybook for your IATA financial reporting needs, you unlock several key benefits:

Scoping & Gap Assessment

We map every channel where card data enters your agency — GDS entry, booking engine, MOTO, terminals — define your cardholder data environment, and identify exactly what stands between you and compliance.

SAQ Selection & Completion

We determine the correct SAQ type for your environment, complete the questionnaire with your team, and prepare the Attestation of Compliance ready for signature.

Remediation Guidance

Where gaps exist — stored card data, network segmentation, policy documentation, staff practices — we deliver a prioritized remediation plan and support your team through closure.

ASV Scan Coordination

For SAQ types requiring quarterly external vulnerability scans, we coordinate Approved Scanning Vendor (ASV) scans, interpret results, and manage rescans until a passing report is achieved.

IATA Portal Confirmation

We support the confirmation of your PCI DSS compliance status through the IATA Customer Portal and maintain the documentation trail your accreditation reviews and financial assessments depend on.

Annual Renewal Management

PCI DSS validation is an annual cycle. We track your revalidation calendar, refresh your SAQ each year, and make sure compliance never lapses between cycles.

Your Path to Compliance in Five Steps

1. Discovery Call & Scoping

A compliance specialist reviews how your agency accepts and handles card payments across every channel and defines your cardholder data environment.

 
2. Gap Assessment Report

You receive a clear statement of your current position: the applicable SAQ type, the gaps identified, and a prioritized remediation roadmap with realistic timelines.

 
3. Remediation Support

Our team works alongside yours to close gaps — from eliminating stored card data and hardening processes to preparing the security policies PCI DSS requires.

 
4. Validation & Attestation

We complete the SAQ, coordinate ASV scans where required, and prepare your Attestation of Compliance for management signature.

5. IATA Confirmation & Ongoing Renewal

Your compliance status is confirmed through the IATA Customer Portal, and your annual revalidation calendar moves onto our watch — not yours.

Compliance Specialists Who Speak Travel

Generic security consultants understand PCI DSS. Very few understand BSP remittances, GDS card entry, IATA accreditation rules, and how a travel agency actually operates. We do both.

 

Travel-Native Expertise

As the BPO and consulting division of Nucore Software Solutions — the developer of TRAACS and NuTRAACS — we understand the systems and workflows where card data actually lives in a travel agency.

IATA Programme Fluency

Our consultants work with IATA accreditation, financial assessments, and portal processes daily — PCI DSS confirmation is handled inside the same accreditation context, not in isolation.

GCC & Global Reach

351+ clients across 26 countries, with deep operating experience in the UAE, Saudi Arabia, Qatar, Oman, and Bahrain — where regulator and acquirer expectations are rising fastest.

Proven Delivery Standard

A sustained 99.91% quality rating across our engagements, with clients achieving an average of 50% cost savings versus running equivalent functions in-house.

PCI DSS for IATA Agents — Answered

1. Is PCI DSS compliance mandatory for IATA-accredited travel agents?

Yes. IATA requires accredited agents that process payment card transactions through the BSP to be PCI DSS compliant and to confirm their compliance status through the IATA Customer Portal. Non-compliance can be treated under the agency programme rules and may affect the agent’s accreditation standing.

2. What is an SAQ, and which one does my agency need?

A Self-Assessment Questionnaire (SAQ) is the PCI DSS validation tool for merchants not required to undergo a full on-site assessment. The correct type depends on how your agency handles card data — fully outsourced e-commerce, standalone terminals, virtual terminal entry via the GDS, or in-house storage of cardholder data. Choosing the wrong SAQ is one of the most common compliance errors travel agencies make.

3. What happens if an IATA agent is not PCI DSS compliant?

Consequences can include action under IATA’s agency programme rules affecting accreditation, card scheme penalties passed through acquirers, and significant liability in the event of a cardholder data breach — including forensic investigation costs and reputational damage with airline partners.

4. How long does it take to become compliant?

It depends on your card-handling environment. Agencies with fully outsourced payment channels can often complete validation within weeks; agencies that store or transmit cardholder data internally may need remediation before the SAQ can be signed. A scoping assessment is the fastest way to get an accurate timeline for your agency.

5. Does PCI DSS compliance expire?

Validation runs on an annual cycle, and some SAQ types also require quarterly external vulnerability scans by an Approved Scanning Vendor (ASV). SkyBook Global manages the renewal calendar so compliance never lapses between cycles.

6. Can SkyBook Global submit our compliance status to IATA?

Yes. Once your SAQ is completed and signed, our team supports the confirmation of your PCI DSS status through the IATA Customer Portal and maintains the documentation trail needed for accreditation reviews and IATA financial assessments.

Protect Your Accreditation. Secure Your Payments.

SkyBook Global has helped 351+ travel businesses across 26 countries stay compliant, accredited, and audit-ready. Book a no-obligation PCI DSS scoping assessment and know exactly where your agency stands.

If you require our services,

Please contact us at your earliest convenience. Our team will get in touch with you promptly to assist with your requirementsdd Your Heading Text Here

This website uses cookies to improve your web experience.