Kieran Murphy

But what exactly is required of you as a merchant?

First of all, it’s worth pointing out the 4 levels of merchants as outlined by the PCI standard:

Level 1: Merchants processing more than six million payment card transactions annually via all channels or global merchants identified as level one by any of the card schemes.

Level 2: Merchants processing one million to six million payment card transactions annually via all channels.

Level 3: Merchants processing 20,000 to one million payment card eCommerce transactions annually.

Level 4: eCommerce merchants only – Merchants processing fewer than 20,000 payment card eCommerce transactions annually. Non-eCommerce merchants – Merchants processing up to one million payment card transactions annually.

The vast majority of travel agents are considered level 4 merchants, so we will focus on level 4 merchants for this blog post. For further information on what’s required of other levels, you can find out more here. So, here’s a brief overview of the steps a level 4 merchant needs to take in order to become PCI compliant:

Step 1:

As a level 4 merchant, you will need to complete a Self-Assessment Questionnaire (SAQ). SAQs may be shared with an acquiring bank and exist to help organisations self-evaluate their compliance with PCI DSS. Before jumping in head first, you need to know which SAQ applies to your specific business. Below is a table you can use to identify which SAQ is appropriate for you.


Step 2:

Once you’ve identified which SAQ is relevant for your business, you will need to fill out the required form found here. You will then need to complete the questionnaire according to the instructions outlined in the Self-Assessment Questionnaire Instructions and Guidelines.

If you would like professional assistance in completing the document, you can find a list of the PCI SSC (Payment Card Industry Security Standards Council) verified QSAs here. Or, if you would like a more industry-specific helping hand, click the button below to access our travel agent services.


The PCI SSC also provide a wealth of educational resources to enhance your security awareness within the payment card industry. Such resources can be found here.

Step 3:

If you store customer cardholder data electronically, or if your processing systems are connected to the internet, you will need to organise a vulnerability scan with a PCI SSC Approved Scanning Vendor (ASV). These scans will need to be conducted quarterly. For a list of ASVs, click here.

Step 4:

Complete the Attestation of Compliance (located within the SAQ).

Step 5:

At this point you should be ready to submit the SAQ, alongside evidence of a passing scan (if this applies to your validation type) and the Attestation of Compliance. This information will need to be sent on to your acquiring bank for review.

PCI DSS doesn’t just apply to the travel industry; it’s a security standard that encompasses any business handling cardholder data. It affects businesses of all sizes, from tiny eCommerce sites to massive international conglomerates; they’re all governed by the same set of security rules. Once you’ve obtained compliance, you’ll have peace of mind that your customers have a satisfactory level of protection from potential fraud. If you're a travel agent trying to obtain compliance, check out our 5 steps to PCI compliance.



1st March 2018 marks the deadline for IATA’s requirement for all travel agents to be PCI DSS (Payment Card Industry Data Security Standard) compliant. PCI compliance exists to keep your customers’ data safe. Holiday goers trust you to process their payments in an environment that operates adequate security measures; the onus is on you not to let them down.
