The travel industry is one of the contexts where PCI DSS compliance is most often ignored or underestimated. Travel agencies and Online Travel Agencies (OTAs) handle card data at dozens of different touchpoints, from the initial booking to the hotel guarantee, through to refunds in case of cancellation. Many of these companies are fully in PCI scope without being aware of it, and without ever having completed a Self-Assessment Questionnaire (SAQ).
Travel agencies and OTAs: why they are in PCI scope without knowing it
A travel agency that collects customer card data to book a flight or hotel through a GDS (Global Distribution System) handles primary account numbers (PANs) in cleartext, even if it does not process the payment itself. If the card number is entered on an agency web form, transmitted by email or phone to an operator, or stored in a management system, the agency is fully within the CDE (Cardholder Data Environment) and subject to PCI DSS requirements.
OTAs find themselves in an even more complex position. On one hand they act as intermediaries between the customer and the accommodation facility, on the other they often store card data to guarantee the booking, charge no-shows or make refunds. Each additional function increases the PCI perimeter. And since these operations happen on distributed systems, the risk of handling card data in non-certified environments is high.
Bookings, guarantees and rebookings: every touchpoint is a risk
In the lifecycle of a travel booking, the points where card data is handled are numerous. Initial collection during online booking, transmission to the accommodation facility for the guarantee, storage for possible post-stay charges, refunds in case of cancellation: each of these moments represents a touchpoint that, if not managed correctly, creates PCI risk.
A particularly critical case is that of online bookings with deferred payment. The customer enters the card to guarantee the booking, but payment occurs at check-in or check-out. In the days or weeks in between, the PAN must be stored securely. Many management systems in the tourism sector are not designed to comply with PCI requirements for encryption and access control for long-term storage.
How to reduce PCI scope in the travel sector
The most effective strategy for travel agencies and OTAs is to eliminate PANs from their systems and replace them with tokens. With PCI Proxy EU, card data is collected directly from the customer via a secure form and converted into a token before it transits through the agency's systems. The management system, CRM and back-office systems work only with the token, never receiving the PAN in cleartext.
This approach drastically reduces the PCI perimeter. The agency or OTA no longer needs to certify its internal systems as part of the CDE, and can complete an SAQ A or SAQ A-EP instead of a full audit. The downstream accommodation facility receives the token, which it can use to charge the stay through the acquirer without card data transiting through its servers.
Frequently asked questions
Is a travel agency that only uses GDS in PCI scope?
It depends on how the card data reaches the GDS. If the agency enters the PAN into its own terminal or management software before transmitting it to the GDS, it is in PCI scope because it has handled the data. If instead it uses a GDS-hosted payment form where the customer enters the card directly, the agency may be out of scope, provided it never touches the PAN.
Do large OTAs like Booking.com pass PCI responsibility to the hotel?
Large OTAs manage payment through their own PCI-certified systems and transmit to the accommodation facility a virtual card number (VCN) or token, not the customer's PAN. The hotel processes payment through the VCN. However, when the hotel collects a card directly for ancillary services, it re-enters PCI scope for that specific transaction.
How do I manage card data for booking guarantees?
The correct solution is to tokenize the card data at the time of collection and store only the token in the booking system. PCI Proxy EU allows collecting the PAN via a hosted field, converting it to a token and using the token to charge the guarantee or no-show when necessary, without ever storing the PAN in your own systems.
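The token-only flow described in the scope-reduction section and in the answer above, as an added illustration that is not PCI Proxy EU's code or API: a hypothetical vault is the only component that sees the PAN, the booking record keeps just the token and last four digits, and a scan over booking-system text confirms that no PAN slipped through. The test card number is a constructed example.

```python
import re
import secrets

def luhn_ok(digits: str) -> bool:
    """Standard Luhn check; used both to validate input and to spot real PANs in scans."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0

class TokenVault:
    """Hypothetical stand-in for a tokenization provider's CDE, not PCI Proxy EU's API."""
    def __init__(self) -> None:
        self._pans: dict[str, str] = {}

    def tokenize(self, pan: str) -> dict:
        pan = re.sub(r"\D", "", pan)
        if not (13 <= len(pan) <= 19 and luhn_ok(pan)):
            raise ValueError("not a valid PAN")
        token = "tok_" + secrets.token_urlsafe(16)  # opaque, not derived from the PAN
        self._pans[token] = pan
        # Only the token and a truncated PAN (last 4) leave the vault.
        return {"token": token, "last4": pan[-4:]}

    def charge(self, token: str, amount_cents: int) -> bool:
        """Guarantee/no-show charge by token; the stored PAN never leaves the vault."""
        return token in self._pans and amount_cents > 0

def make_guarantee_booking(vault: TokenVault, pan: str, booking_id: str) -> dict:
    """Booking record as the management system stores it: token and last4, no PAN."""
    card = vault.tokenize(pan)
    return {"booking_id": booking_id, "card_token": card["token"], "card_last4": card["last4"]}

# 13-19 digits, optionally separated by spaces or dashes, not embedded in a longer digit run.
PAN_PATTERN = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")

def find_pans(text: str) -> list[str]:
    """Scope check over exported records or logs: any Luhn-valid 13-19 digit sequence is a leak."""
    hits = []
    for m in PAN_PATTERN.finditer(text):
        digits = re.sub(r"\D", "", m.group(0))
        if luhn_ok(digits):
            hits.append(digits)
    return hits
```

Running find_pans over database exports and application logs is a practical way to confirm that the booking, CRM and back-office systems really hold only tokens.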
Want to remove card data from your travel management system and reduce PCI scope? Tell us about your situation. Discover PCI Proxy EU.