PCI DSS: VISA's New Level 4 Requirements for Small OTA's

How VISA's new Level 4 requirements affect small online travel companies

How VISA's new Level 4 requirements affect small online travel companies

Geoff Milton

Until very recently only larger technology companies in the travel industry supply channel have been required to have their systems validated by acquirers in accordance with PCI DSS guidelines. With Visa's recent announcement, from January 2017 even small OTAsChannel Managers and Booking Engines will be affected. This means if a company does not have an accredited solution in place then they should start planning one immediately.

Whilst Visa has always demanded that small online merchants comply with PCI DSS, Visa has been satisfied to allow then to self certify.  Now this all changes as Visa will require annual validation of that compliance.

The emergence of EMV in the US has resulted in a growing expection of a severe increase in card not present hacks. As a result Visa believe that smaller online merchant companies will be at higher risk of a breach since they are less equipped to prevent an attack than most larger companies.


As it happens the majority of hacks that occur are with small companies, not large ones but these never hit the headlines. Cyber criminals view small merchants as easy pickings where the volume of card data stolen is of less importance than the ease of theft.

What Is Required?

Visa require that from 31st March 2016, new level 4 merchants i.e. all small online travel companies will be required to use PCI qualified integrators and reseller professionals.   From 31st January 2017 acquirers will insist all level 4 merchants validate their PCI DSS compliance annually.

Non Compliance Implications

The implications for many small OTAs and Booking Engines that take online payments or capture guaranteed bookings using payment card data are significant.  Similarly solutions that store card data will need to ensure systems are compliant using an accredited solution.  Self accreditation policies will almost definitely not be appropriate in where existing solutions are bespoke.

It is anticipated acquirers will either start a compliance program for the first time or take action to toughen up existing ones. Online travel companies will remain responsible for fines and fees related to a breach. Furthermore should acquirers and merchants not comply then they both face fines and penalties from Visa especially when card data is stolen. 

With anticipated new penalties also being proposed by the European Parliament in 2018 the consequences on non-compliance are becoming progressively more serious, irrespective of company size.  

For more information on steps to remove OTAs from PCI Scope download our white paper.

Subscribe to the

PCI Booking Blog