Expedia Group is committed to the secure handling and transfer of traveler payment card information. We fully comply with PCI standards and also require that connectivity providers who partner with us comply with industry standards before we share any payment card information with their systems. In this post, we answer a few common questions to help demystify PCI compliance, and help you understand how industry regulations may impact your connection to Expedia Group. For more information, please contact your Expedia Group account manager.
What is PCI compliance?
The Payment Card Industry Data Security Standard (PCI DSS) council was established in 2006 by five major credit card brands. The council established a set of 12 specific requirements to meet six different goals, including building and maintaining a secure network, implementing strong access control measures, and protecting cardholder data. All companies that accept credit card payment information must be PCI compliant.
What is an AOC?
The Attestation of Compliance (AOC) is defined by the council as:
A form for merchants and service providers to attest to the results of a PCI DSS assessment, as documented in the Self-Assessment Questionnaire or Report on Compliance.
In other words, the AOC is proof that you comply with industry standards. Expedia Group must have a copy of a current and valid AOC on file for every connectivity system provider.
How is that different from TLS?
Transport Layer Security (TLS) is a cryptographic protocol used to establish a secure communications channel between systems. All systems that transfer payment card information must upgrade their TLS protocol to version 1.2 by the industry deadline of June 30th, 2018.
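One way for a connectivity provider to verify its own endpoint ahead of the deadline, as an added example that is not part of this post or of any Expedia Group tooling: the script below probes a host with handshakes pinned to TLS 1.0, 1.1 and 1.2 (port 443 and a five-second timeout are assumed defaults) and reports non-compliance if TLS 1.2 is refused or either legacy version is still accepted.

```python
import socket
import ssl

# Versions to probe: TLS 1.0 and 1.1 must be refused by the server,
# TLS 1.2 must be accepted, for the endpoint to meet the migration requirement.
PROBE_VERSIONS = {
    "TLSv1.0": ssl.TLSVersion.TLSv1,
    "TLSv1.1": ssl.TLSVersion.TLSv1_1,
    "TLSv1.2": ssl.TLSVersion.TLSv1_2,
}
REQUIRED = "TLSv1.2"
LEGACY = ("TLSv1.0", "TLSv1.1")


def probe_version(host, port, version, timeout=5.0):
    """Attempt one handshake pinned to exactly `version`.
    Returns True if the server completed it, False if the server refused it
    (or the connection failed), None if the local OpenSSL build cannot offer
    that version at all. Certificate verification stays enabled."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)  # verifies cert and hostname
    ctx.load_default_certs()
    try:
        ctx.minimum_version = version
        ctx.maximum_version = version
    except (ValueError, ssl.SSLError):
        return None
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                return tls.version() is not None
    except (ssl.SSLError, OSError):
        return False


def assess(results):
    """Turn a {label: True/False/None} probe map into a compliance verdict."""
    findings = []
    if results.get(REQUIRED) is not True:
        findings.append(f"{REQUIRED} handshake not accepted")
    for label in LEGACY:
        if results.get(label) is True:
            findings.append(f"{label} still accepted; must be disabled")
    return {"compliant": not findings, "findings": findings}


def audit_endpoint(host, port=443):
    """Probe every version in PROBE_VERSIONS against host:port and assess."""
    results = {label: probe_version(host, port, v) for label, v in PROBE_VERSIONS.items()}
    return assess(results)


if __name__ == "__main__":
    import sys
    print(audit_endpoint(sys.argv[1]))  # usage: python tls_audit.py your.endpoint.example
```

A result of None for a legacy version only means the probing machine's OpenSSL cannot speak it; confirm such versions are disabled from the server configuration instead.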
What happens if I can’t confirm my compliance with industry standards?
System providers must meet the following security requirements to receive payment card information from Expedia Group:
- Have a current and valid AOC on file with Expedia Group
- Be successfully migrated to TLS 1.2 (as of June 30th, 2018)
Failure to meet either of these requirements will result in Expedia Group blocking all payment card information from being shared with the system provider's service. This means that all reservations shared between Expedia Group and the system provider will be delivered without payment information.
The security of our customers and their data is a key priority for us and something we take seriously. Expedia Group is committed to working with each of our connectivity providers to ensure the systems we use to share information are safe and secure. If you have questions about your connection, or about the type of information that Expedia Group is sharing, or not sharing, with your system, please contact your dedicated account manager.