IATA and the PCI DSS

IATA has mandated that all travel agents achieve Payment Card Industry Data Security Standard (PCI DSS) compliance to obtain and retain accreditation as an IATA accredited agent. Despite the prospect of fines and penalties, many agents are not PCI-compliant. There are numerous reasons for this, ranging from a lack of awareness or interest to underestimating the technical complexity of the Standard. Whether you are a large or a small agent looking to achieve and maintain compliance with the PCI DSS, IT Governance can help.


IATA (the International Air Transport Association) is the trade association for the world’s airlines, representing some 275 airlines or 83% of total air traffic. The current Billing and Settlement Plan (BSP) system began in 1971 and now processes more than $230 billion of ticketing transactions annually.

However, the rules of the system were established decades ago, using a one-size-fits-all approach that does not address the different needs, concerns and risks faced by airlines and agents today. This is why IATA will shortly be replacing this monolith with NewGen ISS (IATA Settlement System) to deliver faster, safer and more cost-effective and relevant financial settlement services.

In preparation for its launch, airlines have demanded that IATA support its own internal compliance project by making the BSP card sales channel PCI DSS compliant. This is why IATA is asking the industry to up its game. PCI DSS compliance is a strict prerequisite both for admission to NewGen ISS and for retaining accreditation as an IATA accredited agent.


Did you know?

  • 80% of organisations failed their initial PCI compliance assessment in 2014.
  • 71% of organisations fell out of compliance less than a year after being assessed compliant.[1]
  • 81% of cyber attacks target payment card data.[2]

[1] Verizon 2015 PCI Compliance Report
[2] Trustwave 2017 Global Security Report



The deadline for compliance

IATA (in consultation with ACTA) has recognised that the process of becoming compliant with the PCI DSS can be complex and lengthy for travel agents. Broken down into six major security goals and 12 areas of focus, the PCI DSS can impose up to 288 requirements. Consequently, IATA has extended the enforcement date from June 2017 to 1 March 2018. This effective date aligns with the planned implementation date for NewGen ISS, and PCI DSS compliance is an integral part of the resolution rules.

Enforcement of the Standard

PCI DSS compliance will be a mandatory condition to obtain and retain accreditation as an IATA accredited agent in all its accredited locations under the Passenger Sales Agency Rules in Resolution 818g. Failure to comply with these requirements either as part of the accreditation process or at any time per IATA’s request will result in a Notice of Irregularity. This may result in removal from IATA and require time-consuming reapplication, during which time trade with any IATA members will cease.


Protect profits by managing payment card risk


For travel agents, we believe the most effective way forward is not to view the PCI DSS as an impending compliance burden, but to use it as originally intended: as an information security baseline that provides the opportunity to reduce risk.

IT Governance provides services to support both small and enterprise business PCI activities throughout all stages – from building a PCI programme to performing ongoing assessments aimed at improving your security posture. We can help you:

  • Identify the right self-assessment questionnaire (SAQ) to complete and achieve full compliance with the PCI DSS
  • Streamline your policy documentation requirements
  • Assess your current PCI compliance posture and produce a strategic roadmap that can be implemented to achieve full compliance with the Standard
  • Confirm that the controls required by the PCI DSS are in place and effective
  • Reduce the time and cost needed to achieve compliance
  • Obtain a fully documented Report on Compliance (RoC) that is accepted by your business partners


Speak to an expert

Please contact us for further information or to speak to an expert.