William Galkin has written a decent story on a topic every airline selling via the internet should be aware of. I’ve covered payments before, but today’s post covers a very specific (but very important) subset of card acceptance.

“Using a third party to process, store or transmit credit card information does not remove a merchant’s obligation to comply with PCI DSS for these functions. Therefore, the merchant is responsible to see to it that the third party providing these functions is compliant, or face the consequences. Section 12.8.2 of PCI DSS requires a merchant to “[m]aintain a written agreement that includes an acknowledgement that the service providers are responsible for the security of cardholder data the service providers possess.” Merchants can’t assume that third party vendors are PCI compliant.”

I was talking recently to a senior executive from one of the card companies, and he was asking about non-compliance I had personally seen at airlines. He was trying to get me to name names, but of course that was never going to happen. When he talks to the next person in the know, those airlines may not be so lucky. Clearly, companies that do not take PCI compliance seriously do so at their own peril.