PCI DSS Compliance Self-Service Step-by-Step Guide

This is a step-by-step guide for the new self-service that will allow you to submit your PCI
DSS Compliance through the IATA Customer Portal.

Note: this service is only available to the contacts from your Head Entity who have
BOTH Administrator and Authorized Signatory status.

Step 1

Log into the Customer Portal.

Step 2

Under ‘Services’ select ‘IATA Accreditation & Changes’.

Step 3

Under the section ‘Agency Accreditation’, click on ‘Update your PCI DSS Compliance
Status’.

Step 4 – A. IATA Code Selection

From the list of locations, select the IATA Code(s) for which you want to submit the PCI
DSS Compliance Status:

a. If you only have one Head Entity, you will see your IATA code.
b. If you have one or more Associate Entities, please select the IATA code(s) for which
you would like to update the PCI DSS Compliance status.

*Please note that draft changes must be submitted within 2 weeks, otherwise you will need
to restart the submission of your declaration.

Step 5 – B. Upload file (I)

Select your PCI DSS Status:

• Compliant
• Not accepting customer cards
• Corporate card

If your agency processes, transmits or stores credit or debit card data, you will need
to be PCI compliant.

1. You are required to submit a copy of your Attestation of Compliance (AoC).

*IATA will only accept evidence of compliance from any certified PCI Security
Standards Council partner. The Attestation of Compliance is the only valid
document to attest compliance status with PCI DSS. Documents that mention
“Certificate of Compliance” will not be accepted.

2. Enter the Expiry Date of your AoC:

• If you have performed the assessment (Part 3b. Merchant Attestation), the Expiry
Date is the date mentioned under Part 3b + 1 year.
• If a Qualified Security Assessor (QSA) has been involved in the assessment (Part
3c. Qualified Security Assessor (QSA) Acknowledgement (if applicable)), the Expiry
Date is the date under Part 3c + 1 year.

Step 6 – B. Upload file (II)

Select your PCI DSS Status:

• Compliant
• Not accepting customer cards
• Corporate card

If your agency is not issuing any transactions using the credit card form of payment and
does not intend to do so, you can submit a Nil Credit Card Self-Declaration in the next
step.

Step 7 – B. Upload file (III)

Select your PCI DSS Status:

• Compliant
• Not accepting customer cards
• Corporate card

If your agency is not issuing any transactions using a client's card, and only uses
cards issued in the Agent’s name or in the name of a person permitted to act on the
Agent’s behalf (corporate card), you can declare this in the next step.

*Please make sure that your corporate card/product is registered in BSPlink, and that you
have Airline Consents in the system to use this form of payment.

Step 8 – C. Submit to IATA

You will see different Terms and Conditions displayed depending on the PCI DSS Status
you have selected:

• Compliant
• Not accepting customer cards
• Corporate card

Please read the Terms & Conditions and accept them.

Then click on ‘Submit to IATA’.