
If you operate an IATA-approved travel agency and are preparing to apply for renewal in 2025, please note that PCI DSS data security standard compliance certification has been listed as one of the documents required for IATA travel agency renewal. If you are unsure what PCI DSS is or how to get started, don’t worry. Below, I will walk you through what PCI DSS is, why it is so important, and how travel agencies can complete the entire compliance process.

Recommended reading: [Travel Agency License Application Guide] Key Points to Know When Opening a Travel Agency in Hong Kong in 2025!

What Is IATA Travel Agency Renewal?

IATA travel agency renewal refers to the process whereby travel agencies that have obtained IATA (International Air Transport Association) certification apply to IATA to extend their certification before their certification expires. Only travel agencies that successfully renew their certification can continue to use the IATA code, settle ticket payments directly with airlines through the BSP (Billing and Settlement Plan) system, and enjoy the various rights and benefits of IATA-certified travel agencies.


Why Should IATA-Certified Travel Agencies Obtain PCI DSS Certification?

If you operate an IATA-certified travel agency and process credit card transactions through the BSP system, you must obtain PCI DSS certification. This is not a sudden requirement imposed by IATA, but rather a global airline initiative to ensure the security of the entire payment process, requiring IATA to monitor whether its partner travel agencies comply with payment security standards. (Click to view IATA’s PCI DSS compliance requirements for travel agencies.)

So What Is PCI DSS?

PCI DSS stands for Payment Card Industry Data Security Standard, which is established by the Payment Card Industry Security Standards Council (PCI SSC). This council is composed of the world’s five largest credit card companies: Visa Inc., MasterCard, American Express, JCB International, and Discover Financial Services. Their goal is clear: to improve global credit card data security and prevent credit card data breaches and fraud.


This standard covers many aspects, including:

  • Protecting user credit card account information;
  • Providing clear implementation guidelines and transparent mechanisms;
  • Establishing a globally accessible list of qualified security service providers to help companies find the right professional assistance.

Simply put, PCI DSS is an internationally recognized credit card data protection standard that must be complied with if you accept credit card payments. For IATA-certified travel agencies, this is an essential part of maintaining their operating qualifications and is a mandatory requirement of IATA.

If you are preparing to renew your IATA travel agency license, remember to prepare your PCI DSS certification in advance to avoid business interruptions due to incomplete documentation. If you need assistance with PCI DSS compliance or the renewal process, please contact travelconnect!

Why Is PCI DSS so Important for Travel Agencies?

Imagine this: a customer gives you their credit card information, and if that information is stolen due to insufficient protection, not only will the customer lose trust in you, but your brand, airline, credit card issuer, and even the entire industry will be dragged down. The customer’s credit will be damaged, financial losses will occur, and your business may also be penalized, face litigation, have cards suspended, or even be forced to close.

This is why all credit card organizations worldwide require that all companies that store or process credit card or debit card data, regardless of size, comply with PCI DSS standards.

How Can My Travel Agency Obtain PCI DSS Certification?

If you are an IATA-accredited travel agency, here are the three steps recommended by IATA:

  1. Step 1: Assess the scope of credit card business

    First, understand the types of credit cards your agency uses (B2B, B2C, or personal cards), as well as the systems and equipment your agency uses to process and store cardholder information. The focus of this step is to understand the current flow of card information and identify risk points within the travel agency.

  2. Step 2: Obtain compliance certification

    Please note! IATA has partnered with VikingCloud to offer the public a certification process called “SecureTrust Manage PCI.” Of course, you can also choose other officially recognized QSAs (Qualified Security Assessors), such as ZeroRisk, Travelport, or Ubitrak. If you are unsure how to proceed, please contact travelconnect, and we can help you apply for PCI DSS certification.

  3. Step 3: Submit documents to IATA

    Log in to the IATA customer portal, follow the instructions to upload your PCI DSS compliance documents, and submit them. The process is not complicated, but remember to have all the necessary information ready.

IATA travel agency renewal is not as simple as just paying the fee. As payment security standards continue to rise, PCI DSS certification has become the key factor in determining whether renewal will be approved. This is not a matter of choice, but a reality that the travel industry must face. If you wish to obtain PCI DSS certification more quickly, please feel free to contact Travelconnect—we are more than happy to assist you!

Further reading: [Registering a Travel Agency] How to successfully obtain a travel agency license?

Frequently Asked Questions About IATA Travel Agency Renewals

Does IATA Travel Agency Renewal Require PCI DSS Certification?

The answer is yes—it is necessary. As long as your travel agency processes credit card payments through IATA’s BSP system, you must provide PCI DSS compliance certification. Regardless of the size of your company, as long as you come into contact with customer credit card information (including collection, transmission, or storage), you must comply with this standard.

What Happens If You Don’t Get PCI DSS Certified?

If your travel agency fails to provide PCI DSS compliance certification, IATA may reject your renewal application, which in turn affects your eligibility to participate in the BSP system and issue tickets, and even your ability to accept credit card payments.

What Is a QSA? Why Obtain Certification Through Them?

A QSA (Qualified Security Assessor) is a professional assessor authorized by the PCI Security Standards Council. They are responsible for guiding companies in assessing their compliance with PCI DSS standards and providing officially recognized compliance certificates, which are an indispensable part of the certification process.