Compliance of IATA Accredited Agents to PCI DSS

Dear Members, 

In reference to advice given to IATA concerning the risks associated with payment card transactions and potential data breaches, there is a need to confirm the compliance of Accredited Agents operating within the BSP to be Payment Card Industry (PCI) Data Security Standard (DSS) compliant.

Effective March 2018, PCI DSS compliance will be a mandatory condition to obtain and retain accreditation as an IATA Accredited Agent in all its Accredited locations under the Passenger Sales Agency Rules in Resolution 818g. Non-compliance with PCI DSS security standards could result in 2 instances of irregularity being recorded against your agency.

American Express, Discover Financial Services, JCB International, MasterCard, and Visa are the founding members of the Payment Card Industry Security Standards Council . The Council’s mission is to enhance payment card security by fostering broad adoption of the PCI Data Security Standard for merchants and processors handling sensitive payment card information. The Council is a global forum for the ongoing development, enhancement, storage, dissemination and implementation of security standards for account data protection, and it provides common data security standards on a global basis to protect confidential payment card information against theft. All entities that store, process and transmit payment card data are required to adhere to PCI security standards, which are the technical and operational conditions to preserve payment card security. 

The breach or theft of cardholder data affects the entire payment card industry with a knock on effect where customers lose trust in merchants or financial institutions, customers credit can be negatively affected, which could lead to enormous personal fallout. Merchants and financial institutions lose credibility (and in turn, business) and they are also subject to numerous financial liabilities as a result of theft of cardholder data. Therefore, compliance to PCI DSS is mandated by the International Card Payment Schemes worldwide. When you accept card transactions on your own merchant agreement and/or conduct BSP card transactions, you therefore fall under such PCI DSS compliance obligations. 

There is a need to ensure PCI DSS compliance in the community of IATA Accredited Agents. PCI DSS compliance benefits all parties in the distribution chain by ensuring that sensitive payment card data is handled confidentially for the protection and benefit of consumers. PCI DSS compliance is a requirement reflected in Resolution 890 of the IATA Passenger Agency Conference. 

IATA supports PCI DSS compliance by requiring that industry communication channels like BSPlink and the data processing systems are PCI DSS compliant. Additionally, IATA sets standards where payment cards are used as forms of identification or as forms of payment in self-service common use terminals (such as check-in kiosks). Finally, IATA demands that all its service providers be PCI DSS compliant and annually provide IATA with evidence of valid compliance.


To support current and future IATA Accredited Agents to learn more about how to become PCI DSS compliant, obtain evidence or re-validate compliance, please visit:

Please do not hesitate to contact IATA's Customer Service through IATA Customer Portal if you need any further information.


Who do I approach for PCI DSS compliance?
We suggest that you contact your acquirer. 

What if my acquirer did not ask for any documentation?
Even if your acquirer did not request for any compliance evidence, this is the responsibility of each legal entity processing credit card transactions to be PCI DSS compliant.

What if I do not have an acquirer?
We suggest that you contact the credit card branch that you are working with.

How do I contact the payment card brands?
You can see below the contact details for the card payment brand:

American Express 


JCB International 


Visa Inc

Why are there multiple PCI DSS Self-assessment Questionnaires (SAQs)?
Every self- assessment questionnaire applies to a specific environment, hence, it is substantial for all merchants and service providers to choose the right SAQ, when they are going through the self-assessment process. In a lot of cases, companies will realize that they are not meeting all the necessary criteria for the SAQ they want to fill in, and as a result they find themselves encumbered with a number PCI DSS requirements they find hard to process. This shows that it is important to determine which SAQ best fits the profile of your company. 

Are compliance certificates recognized for PCI DSS validation?
The answer to this question is no. Any sort of documentation which is not under the authority and validation of PCI DSS, will not be accepted for indicating the company’s compliance with PCI DSS.

What is a non-compliance action that IATA will take if I cannot present the PCI DSS compliance evidence?
2 instances of irregularity will be served to agents who will fail to provide evidence of compliance with PCI DSS.

What do I need to provide to IATA to show my agency compliance for PCI DSS?
Depending on the number of card transactions handled by the Agents between their own card sales and the BSP card sales, the documents you will have to provide to IATA will vary. Please refer to section: PCI DSS Compliance Procedure.

What is an attestation of compliance?
An Attestation of Compliance (AOC) is a certification which shows that you are under the eligibility to perform the Self-Assessment questionnaire. The PCI DSS SAQ itself, is included in AOC and composed of two parts: a number of questions which correspond to PCI DSS requirements and the second one is the Attestation of Compliance. The latter has to be completed as a declaration of the results of the service provider’s assessment with the Payment Card Industry Data Security Standard Requirements and Security Assessment Procedures (PCI DSS).

As a travel professional issuing and selling airline tickets, am I considered a merchant?
All the airline transactions processed through a GDS (Global Distribution System) and IATA BSP, the airline itself is considered as the merchant, not the travel agent.

Where can I find more information related to PCI?