If you work with Booking.com, you might receive credit card data via XML even if you are not yet PCI DSS compliant. This will change shortly: Booking.com has set a deadline after which it will remove all credit card details from the XML messages of the properties you connect to, unless you upload a valid PCI DSS Attestation of Compliance (AoC) or Self-Assessment Questionnaire D (SAQ), depending on the volume of credit cards you process each year.