If you operate with Booking.com, you might receive credit card data via XML even if you are not PCI DSS compliant yet. This will change shortly, because Booking.com has set a deadline to remove all credit card details from the XML messages of the properties you connect to unless you upload a valid PCI DSS Attestation of Compliance (AoC) or Self-Assessment-Questionnaire-D (SAQ), depending on the yearly processed volume of credit cards.

First things first, why do I have to upload an AoC?

PCI DSS and cardholder security are key for OTAs such as Booking.com and many other travel portals these days. Being compliant with PCI means that a company has implemented a whole set of security measures to keep cardholder data secure. This also includes the requirement that a PCI-compliant company is not allowed to transmit cardholder data to a non-compliant company. Consequently, Booking.com is required to make sure that all connected partners that receive credit card data via XML comply with the same PCI regulations. Therefore, it is your obligation to prove your compliance with an Attestation of Compliance (AoC), the only official document recognized for PCI validation.

What happens if I do not upload an AoC?

Booking.com has set deadlines and reminds every partner to upload the Attestation of Compliance (AoC). Failing to upload a valid AoC and missing Booking.com’s deadlines results in the removal of credit card data from the XML messages of the properties you connect to. That means that your customers will not be able to directly process credit card data anymore (email below).

How can I get a valid AoC?

In order to receive a valid Attestation of Compliance (AoC) and show your PCI compliance to Booking.com, there are two approaches. Basically, it’s a Make or Buy decision, but the approaches behind it are extremely different. While the Make solution means that you still control and store all sensitive card data within your own environment, the Buy solution uses a different approach and ensures that no sensitive card data ever touches your servers anymore.

Make: Build your own PCI-compliant environment:

The first one is to build your own PCI-compliant environment, document and report all PCI DSS relevant measures, and finally undergo a full PCI audit depending on the yearly processed volume of credit cards. Even if a Make decision comes at some expense and is not easy to implement, it could still make sense for some kinds of businesses, for instance if you have other business units within a group structure that already maintain a PCI environment, or if you have organizational restrictions that do not allow software-as-a-service solutions.

Buy: Use a tokenization service to comply:

The other one is to use a tokenization-as-a-service solution that takes care of PCI compliance for you by shielding your servers from sensitive card data. Thereby, you can simply upload the Attestation of Compliance (AoC) of your provider to Booking.com. In other words, you bank on the PCI compliance of the tokenization provider to achieve PCI compliance. This can be interesting for businesses that do not want to focus on PCI compliance but still want to keep customers’ credit card data secure. Booking.com and most other booking portals are familiar with such solutions and often promote them directly to support their partners in becoming PCI compliant.

Feel free to talk about your challenges and experiences when it comes to showing PCI compliance to Booking.com.