This past week, the International Air Transport Association (IATA) announced that it will now require accredited travel agencies to comply with the requirements of the Payment Card Industry Data Security Standard (PCI DSS) in 2018. As the name implies, the requirements within the PCI DSS provide organizations with guidance on how to secure payment card data by implementing strong security policies, technologies, and processes. It applies to all businesses and organizations that accept and process payment cards and is governed by PCI Security Standards Council (PCI SSC).

Travel companies who handle credit card payments have always had to comply with the PCI DSS. However, much like many small merchants, smaller travel companies may not have heard of PCI or been held accountable for PCI compliance due to the small volume of transactions or numerous travel partners leveraged for payments. With the recent breaches the industry has faced and repeated and targeted attacks from global criminal organizations, the IATA has decided to face the problem head on and help facilitate and improve the security of their members.

By March 2018, agencies must be in compliance with the DSS or risk losing their IATA accreditation. The original due date was scheduled for this past June, but was met with some heavy pushback from the industry, citing short notice and limited resources to fully understand and implement the complexities of the DSS. Even still, March isn’t far away, and most travel companies are small and lack a fully-staffed IT department and/or don’t have the budget to launch a full-blown compliance program implemented by a PCI-certified Qualified Security Assessor (QSA).