Tour Operator PCI Compliance
Bottom Line Up Front
Tour operators face unique PCI compliance challenges because you’re handling payments across multiple channels: website bookings, phone reservations, partner travel agents, and often storing cards for deposits or future charges. Most tour operators need SAQ D because they’re storing cardholder data for future transactions, but many could qualify for SAQ A-EP or SAQ C-VT by switching to tokenization. The biggest mistake? Thinking that because you’re “just a tour company” and not a retailer, PCI doesn’t apply — meanwhile, you’re sitting on spreadsheets full of credit card numbers from group bookings.
How Tour Operators Process Payments
Your payment environment is more complex than most businesses realize. You’re not just taking one-time payments — you’re managing deposits, final payments, cancellations, and refunds across extended booking windows.
Typical Payment Channels
Online bookings through your website represent your highest volume channel. You’re either using an integrated booking engine or a standalone e-commerce platform. Many tour operators use specialized booking software like FareHarbor, Rezdy, or Bokun, each with different PCI implications.
Phone reservations remain critical for high-value bookings and older demographics. Your staff takes card details over the phone, often writing them down or entering them into your booking system. This creates significant compliance challenges if you’re not using proper call recording controls or P2PE solutions.
Partner channels add complexity. Travel agents book on behalf of clients, sometimes providing card details through email (never acceptable) or partner portals. You might also work with OTAs (Online Travel Agencies) that handle payments but pass you cardholder data for deposits or changes.
Where Cardholder Data Lives
The typical tour operator stores cardholder data in:
- Booking management systems (often cloud-based SaaS platforms)
- Email inboxes from booking confirmations and change requests
- Spreadsheets for group bookings and manifest management
- Physical files in offices for phone bookings
- Accounting systems for reconciliation
This scattered data landscape is why most tour operators need SAQ D — you’re storing electronic cardholder data across multiple systems. However, if you’re using only virtual terminals without storage, you might qualify for SAQ C-VT. If you’ve moved to a fully hosted payment page with no direct card handling, you could achieve SAQ A-EP.
Industry-Specific Compliance Challenges
Tour operators face compliance hurdles that retail doesn’t worry about. Your booking-to-travel window means you’re often storing card data for months, creating extended exposure.
Seasonal Staff and Remote Operations
Peak season brings temporary staff who need access to payment systems. Training seasonal employees on PCI requirements while managing summer rush bookings challenges even well-organized operators. Your guides might also collect payments in the field using mobile devices, extending your CDE to smartphones and tablets.
Multi-Currency and International Transactions
You’re processing payments from international customers in multiple currencies, often through different payment gateways for different regions. Each gateway relationship affects your PCI scope. Currency conversion services might also touch cardholder data, adding another vendor to manage.
Complex Refund and Modification Patterns
Tour bookings change constantly — weather cancellations, itinerary modifications, group size changes. Your staff needs ongoing access to payment data for refunds and additional charges. This legitimate business need for data retention conflicts with PCI’s mandate to minimize storage.
Partner and Supplier Payments
You’re not just collecting from customers — you’re paying hotels, transport companies, local guides, and activity providers. Some operators use customer cards to pay suppliers directly (never recommended), while others process supplier payments separately. Both patterns create compliance implications.
Paper-Heavy Legacy Processes
Despite digital transformation, many tour operators still rely on paper waivers, booking forms, and payment authorization documents. Physical storage of any document containing card numbers brings Requirement 9 (physical access controls) into full scope.
Your Compliance Roadmap
Getting compliant doesn’t require abandoning how you do business — it requires understanding your data flows and implementing appropriate controls.
Step 1: Determine Your Merchant Level and SAQ Type
Your acquiring bank assigns your merchant level based on annual Visa transaction volume:
- Level 4: Under 20,000 Visa e-commerce or under 1 million total Visa transactions
- Level 3: 20,000 to 1 million Visa e-commerce transactions
- Level 2: 1 to 6 million total Visa transactions
- Level 1: Over 6 million Visa transactions
Most tour operators fall into Level 3 or 4. Your processor will tell you which SAQ to complete, but understanding your actual payment flow helps ensure you’re using the right one.
Step 2: Map Your Cardholder Data Flow
Create a simple diagram showing every point where card data enters your business:
- Website booking form → Payment gateway → Booking system
- Phone call → Staff member → Virtual terminal
- Email from customer → Staff inbox → Manual entry
- Partner portal → API → Your reservation system
Include where data is stored, transmitted, and processed. This map reveals your true CDE scope and often uncovers forgotten data repositories like email archives or backup systems.
Step 3: Identify Scope Reduction Opportunities
Every system touching cardholder data requires PCI controls. Reduce scope by:
- Tokenizing stored card data for repeat charges
- Redirecting to hosted payment pages instead of embedded forms
- Implementing P2PE validated solutions for phone payments
- Blocking email receipt of card data through gateway rules
- Centralizing all card data in one secure system
Step 4: Implement Required Controls
Based on your SAQ type, implement required controls. For SAQ D (most common for tour operators):
- Requirement 1: Configure firewalls between your payment systems and internet
- Requirement 2: Change all default passwords on payment systems
- Requirement 6: Keep booking and payment software patched
- Requirement 8: Give each employee their own login to payment systems
- Requirement 10: Log all access to cardholder data
- Requirement 11: Run quarterly ASV scans on internet-facing systems
Step 5: Complete Your SAQ and Schedule ASV Scans
Your SAQ isn’t just a compliance exercise — it’s your security blueprint. Answer each question honestly. “Not Applicable” requires explanation. “Compensating Controls” need documentation.
Quarterly ASV scans are mandatory for all merchants. Your booking website, payment pages, and any internet-facing system in your CDE need scanning every 90 days by an Approved Scanning Vendor.
Step 6: Submit Your AOC and Maintain Year-Round Compliance
After completing your SAQ and passing ASV scans, submit your Attestation of Compliance to your acquirer. But compliance isn’t annual — it’s daily. Implement processes for:
- New employee training before payment system access
- Quarterly review of who has access to payment systems
- Regular checks that email isn’t receiving card data
- Annual review of your payment flow and stored data
Timeline reality check: First-time compliance typically takes 3-6 months for tour operators. Budget $5,000-15,000 for technology changes (tokenization, P2PE terminals) and expect ongoing costs of $2,000-5,000 annually for ASV scans, security tools, and compliance management.
Scope Reduction for Tour Operators
Smart scope reduction can move you from SAQ D (290+ requirements) to SAQ A-EP (about 140 requirements) or even SAQ A (about 20 requirements).
P2PE for Phone Bookings
Replace your virtual terminal with a validated P2PE solution. Your staff uses an encrypted card reader connected to their computer. Card data never touches your systems — it’s encrypted at swipe and decrypted at the processor. This removes phone booking systems from PCI scope entirely.
Tokenization for Repeat Charges
Stop storing card numbers for final payments and modifications. Tokenization replaces sensitive card data with non-sensitive tokens. You can still charge cards later, but you’re storing tokens, not card numbers. Most modern payment gateways offer tokenization — you just need to implement it.
Hosted Payment Pages
Redirect customers to your payment gateway’s hosted page instead of embedding forms in your website. The customer never leaves your booking flow visually, but technically they’re entering card data on the processor’s PCI-compliant page. This can qualify you for SAQ A-EP instead of SAQ D.
The Math on Scope Reduction
Investing $10,000 in P2PE terminals and tokenization might seem expensive, but consider:
- SAQ D requires quarterly penetration testing ($5,000-10,000/year)
- SAQ D requires internal vulnerability scanning ($2,000-5,000/year)
- SAQ D requires significantly more staff time for compliance activities
- Data breach costs for tour operators average $150,000-300,000
Most tour operators find scope reduction pays for itself within 18 months through reduced compliance costs alone — not counting the reduced breach risk.
Best Practices From Compliant Tour Operators
Successful tour operators build PCI compliance into their operational flow rather than treating it as an IT project.
Payment Handling Procedures
Create written procedures for common scenarios:
- Taking phone bookings: “Use only the P2PE terminal, never write down card numbers”
- Handling email requests: “Reply asking customer to call or use the secure payment link”
- Processing refunds: “Access tokenized data through the booking system, not stored emails”
- Group bookings: “Collect authorization forms through secure upload, not email attachments”
Train all staff before they touch payments. Your river guide who occasionally processes bookings needs the same payment security training as your full-time reservations team. Build this into seasonal onboarding.
Technology Stack Optimization
Leading tour operators consolidate their technology:
- Single booking platform that integrates payments (reduce integration points)
- Cloud-based phone system with call recording controls (for dispute resolution without storing card data)
- Document management system with encryption for storing authorization forms
- Email filtering that automatically blocks messages containing card patterns
Vendor Management
Your booking software, payment gateway, and any system touching cardholder data needs annual vendor assessment. Ask for their AOC (Attestation of Compliance) or service provider agreement covering PCI responsibilities. If they can’t provide PCI documentation, they’re increasing your risk and scope.
Regular Compliance Activities
Build these into your operational calendar:
- Monthly: Review who has payment system access
- Quarterly: Complete ASV scans, review any stored cardholder data
- Annually: Update SAQ, review all payment processes, conduct security training
- Ongoing: Monitor for unauthorized card data in email and files
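As an added example (not code from the original article or from any booking or e-mail product), the Python scanner below shows the kind of card-pattern check behind the e-mail filtering listed under Technology Stack Optimization and the ongoing monitoring for stray card data in e-mail and files. It pairs a digit-run search with a Luhn check so booking references and phone numbers are not flagged, and it reports only truncated values so the monitoring log does not itself become cardholder data. The sample e-mail and the function names are constructed for this example.

```python
import re
from typing import List

# Runs of digits, optionally separated by single spaces or dashes
# (the way card numbers are usually typed into e-mails and booking notes).
DIGIT_RUN = re.compile(r"\d(?:[ -]?\d)+")

def luhn_valid(digits: str) -> bool:
    """Luhn mod-10 check; every major card brand's PAN passes it."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:                      # every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def find_pans(text: str) -> List[str]:
    """Return Luhn-valid 13-19 digit numbers found in text, digits only.

    Runs longer than 19 digits are checked with a sliding window so a PAN
    typed next to a reference number is still caught; the longest valid
    window at a position wins and its digits are not re-used for a shorter hit.
    """
    hits = []
    for m in DIGIT_RUN.finditer(text):
        run = re.sub(r"[ -]", "", m.group())
        i = 0
        while i < len(run):
            for length in range(19, 12, -1):
                window = run[i:i + length]
                if len(window) == length and luhn_valid(window):
                    hits.append(window)
                    i += length
                    break
            else:
                i += 1
    return hits

def mask(pan: str) -> str:
    """Truncate to first six / last four so the finding itself is not a PAN."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]

def scan_message(body: str) -> dict:
    """Classify one inbound message; return only masked values for logging."""
    pans = find_pans(body)
    return {"block": bool(pans), "masked_pans": [mask(p) for p in pans]}

# Constructed sample: a travel-agent e-mail of the kind the article warns about.
SAMPLE_EMAIL = """Hi, please charge the deposit for the Smith family (ref 1234567890123).
Visa 4111 1111 1111 1111, Amex 3782-822463-10005. Call 555-123-4567 with questions."""

if __name__ == "__main__":
    print(scan_message(SAMPLE_EMAIL))
```

The same `scan_message` check can be run over mailbox exports, shared drives, and booking-note fields as the periodic sweep for forgotten card data.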
FAQ
Do I need PCI compliance if I only use PayPal or Square?
Yes, you still need PCI compliance even with third-party processors. If you’re redirecting completely to PayPal (customer enters everything on PayPal’s site), you might qualify for SAQ A. But if you’re using Square’s virtual terminal or storing any card data yourself, you’ll need SAQ C-VT or D.
Can I just have customers sign a credit card authorization form for deposits?
Authorization forms containing card numbers create significant PCI scope. Each form must be stored in a locked cabinet (Requirement 9), access must be logged (Requirement 10), and you’ll need physical security controls. Better approach: Use a secure upload portal and tokenization.
What if travel agents email me their clients’ credit card information?
Train partners to never email card data. Provide them secure alternatives: partner portal with tokenization, dedicated phone line with P2PE, or secure file upload. Configure your email to reject messages containing card patterns. Any received card data must be immediately deleted from all systems including backups.
How do I handle PCI compliance for our mobile guides taking payments in the field?
Mobile payment acceptance requires either validated P2PE mobile readers or PA-DSS validated payment applications. Consumer-grade mobile card readers might not meet PCI requirements. Ensure mobile devices use encryption, remote wipe capability, and access controls.
Do I need to be PCI compliant during the off-season when we’re not processing payments?
PCI compliance is required whenever you store, process, or transmit cardholder data. If you have stored card data from previous seasons, you must maintain compliance year-round. Even during quiet periods, you need current ASV scans and security controls.
What about sharing card data with hotels and suppliers for guest bookings?
Never share full card details with suppliers via email or standard forms. Options include: using virtual credit cards for supplier payments, tokenization services that mask data, or dedicated B2B payment platforms. Each supplier receiving card data must also be PCI compliant.
Conclusion
Tour operator PCI compliance seems daunting because your payment flows are complex — online bookings, phone reservations, partner channels, and the need to store data for future travel dates. But the path to compliance is clear: understand your current data flows, implement scope reduction through tokenization and P2PE, and build security into your daily operations rather than treating it as an annual checkbox.
Most tour operators can dramatically simplify their compliance by moving from storing card data everywhere (email, spreadsheets, booking notes) to a centralized, tokenized approach. The investment in proper payment infrastructure pays for itself through reduced compliance costs and eliminated breach risk.
PCICompliance.com gives you everything you need to achieve and maintain PCI compliance — our free SAQ Wizard identifies exactly which questionnaire you need, our ASV scanning service handles your quarterly vulnerability scans, and our compliance dashboard tracks your progress year-round. You don’t need to figure this out alone. Start with the free SAQ Wizard or talk to our compliance team about building a program that fits your tour operation’s unique needs.