If you are having trouble reading this email, read the online version.
Dear Tamara,

There have been many communications recently on PCI DSS compliance in general as well as communication initiated by IATA on IATA agents having to submit proof of PCI DSS compliance. 

The intention of this communication is to help you in understanding the requirements for IATA and Non-IATA agents and the process of providing "proof of PCI DSS Compliance". 

Providing Proof of PCI DSS Compliance

If your agency processes, transmits or stores credit or debit card data, you will need to be PCI Compliant. 

Additionally, as an IATA Agent you are required to provide proof of PCI DSS compliance. This can only be obtained from a certified PCI Security Standards Council partner. 

To help you with this process Travelport has partnered with SecurityMetrics who will provide support and guidance to help you gain your own PCI DSS certification at negotiated preferential rates. 

So how does this process look like?



Validation Requirements



Go to SecurityMetrics where you can register online or request a call back.


Provide information on your current card payments

you will be asked a series of questions in relation to how you take card payments today 

From the information that you provide, you will then be advised which Self-Assessment Questionnaire (SAQ) you will need to complete.


Payment and access to Security Metrics Portal

Payment will then be requested for this service and this can also be made online.

Once you have enrolled in their programme, whether you started the process online or called SecurityMetrics, you will be given access to the SecurityMetrics Portal. Here you will find the questionnaire(s) to complete.


Download proof of compliance and submit to IATA

Once you have passed your PCI DSS compliance you will be able to download your AOC (Attestation of Compliance) from the SecurityMetrics portal.

You can upload this proof of compliance to IATA via your IATA Customer Portal.

What if you can’t provide proof of PCI DSS Compliance?

If you are an IATA agency and are not able to provide proof of compliance IATA will impose non-compliance actions against you. Your agency will be given 30 days to remedy the situation. If your agency has still not demonstrated to IATA’s satisfaction that the Administration Non-Compliance has been remedied we have been informed that IATA will take actions. More info in this detailed overview.

Note for Non-IATA agents

We wish to emphasise that even though the requirement to provide proof of PCI DSS compliance to IATA is only applicable for IATA agents, if your agency touches card data in anyway then you should be following PCI DSS guidelines and whereas it is not currently mandatory to obtain proof of PCI DSS by going through the PCI DSS certification process, it is of course best practice.

If you have any questions, please reach out to your Travelport Account Manager or email us at paymentsupport@travelport.com

Kind regards,

The Travelport team 

© 2018 Travelport. All rights reserved.
Travelport, the Travelport logo, Apollo, Galileo and Worldspan are trademarks of Travelport.
Privacy policy Terms and conditions

If you have trouble displaying this email, view it as a web page.
To manage your email preferences, or opt-out of future marketing communications please click here