Security & Compliance for Travel Technology
Market Verdict: Security & Compliance for Travel
Travel technology is under sustained attack. 82% of North American hotels experienced a cyberattack in summer 2024, with POS and payment systems the most-targeted entry point in 72% of cases (VikingCloud, 2025). PCI DSS 4.0 made all 51 future-dated requirements mandatory from March 2025, and GDPR enforcement in hospitality has generated 91 fines totalling €22.7M across 15 countries (CMS.law, 2026). Yet most travel operators still lack basic security controls: continuous monitoring, MFA on all cardholder data access, and vendor risk assessment are no longer optional. The gap between regulatory expectations and operator readiness is the defining risk of 2026.
Maturity assessment: Early-to-mid adoption. Regulatory requirements are now mandatory (PCI DSS 4.0, GDPR mature), but operator implementation lags significantly. Most SME operators lack dedicated security functions.
What Is Security & Compliance and Why It Matters for Travel Businesses
Security and compliance for travel technology covers three domains: payment security (PCI DSS), data protection regulation (GDPR, eIDAS 2.0), and infrastructure security (access control, vulnerability management, vendor risk). For tour operators and DMCs running booking engines, payment gateways, CRM systems, and channel managers, each integration in the tech stack is an attack surface. This is not a consumer data privacy guide. It is a B2B operational framework for the systems that process bookings, handle card payments, and store customer records.
The threat is specific and measurable. According to a VikingCloud survey of North American hotels, 82% experienced a successful cyberattack in summer 2024, and 58% were hit five or more times. This is vendor-sourced data with undisclosed sample methodology, but the direction is consistent with broader breach trends. POS and payment systems were the most-targeted systems in 72% of cases, followed by guest Wi-Fi (56%) and front desk systems (34%). Among attacked hotels, 44% experienced 12 or more hours of downtime.
Breach costs reinforce the operational stakes. The global average cost of a data breach reached $4.44M in 2025, with the US average at $10.22M, up 9% year-over-year (IBM via Cyberscoop, 2025). Hospitality was among sectors where breach costs rose year-over-year, bucking the global decline. The Otelier platform breach (July–October 2024) showed what a supply chain failure produces in travel: approximately 8TB of data stolen from AWS S3 storage, with 437,000+ email addresses exposed across Marriott, Hilton, Hyatt, and Wyndham (BleepingComputer, 2025). The attack vector (infostealer malware compromising Atlassian credentials, then pivoting to cloud storage) is a repeatable pattern: any SaaS-dependent travel business can be breached through a single compromised integration. For the broader technology context, see the parent Technology for Travel guide, and for payment-specific security, see Payment Processing for Travel.
Current State of Security in the Travel Industry
Breach Frequency and Cost
The Verizon Data Breach Investigations Report (DBIR) 2025 analysed over 22,000 incidents and 12,000 confirmed breaches. Stolen credentials appeared in 32% of all breaches and 88% of basic web application attacks. Ransomware was present in 44% of confirmed breaches. Third-party involvement doubled from 15% to 30% of all breaches year-over-year (Verizon DBIR, 2025). These are cross-industry figures; the DBIR does not publish a hospitality-specific breakdown. The attack patterns (credential theft, web app exploitation, supply chain compromise) match how travel operators use booking engines, channel managers, and payment portals.
Detection speed remains a weakness. The mean time to identify and contain a breach dropped to 241 days, a 9-year low, but most breaches still go undetected for over 8 months (IBM via Cyberscoop, 2025). Of confirmed breach causes, 51% were cyberattacks, 26% human error, and 23% IT failure. Nearly half of breaches stem from controllable internal factors.
Travel-Specific Attack Vectors
Travel sites face a severe bot problem. 44% of travel site traffic comes from bad bots, with 420,000+ AI-driven attacks per day targeting travel platforms in 2025 (Imperva, 2025). Approximately 70% of attacks on travel sites use business logic exploits (price scraping, inventory hoarding, fake bookings) rather than traditional vulnerability exploitation. These attacks do not trigger standard security alerts because they mimic legitimate user behaviour.
The vulnerability surface is large. A single Trustwave scan in April 2025 found 95,040 vulnerabilities across hospitality companies, including 3,884 unique CVEs, 14,318 critical-severity issues, and 1,521 vulnerabilities listed in CISA’s Known Exploited Vulnerabilities catalogue (Trustwave via RH-ISAC, 2025). 61.5% of initial access attempts exploit publicly exposed services. Trustwave also documented dark web travel agencies selling discounted packages through compromised booking platforms, an operation active since 2018.
Supply Chain Risk
SaaS supply chain attacks have risen an estimated 1,300% over three years (2022–2025), according to industry analysis (BusinessTechWeekly, 2025). This figure is directionally consistent with the Verizon DBIR’s finding that third-party involvement in breaches doubled year-over-year, though the magnitudes differ. The 1,300% growth figure likely reflects cumulative multi-year compounding rather than a single-year change. The direction is clear regardless of exact rate: every SaaS integration in your tech stack (booking engine, channel manager, payment gateway, CRM) is a potential breach vector.
The Otelier breach is the defining travel-industry case study. Infostealer malware compromised Atlassian credentials, which attackers used to pivot into AWS S3 cloud storage, extracting approximately 8TB of data including guest records from Marriott, Hilton, Hyatt, and Wyndham (BleepingComputer, 2025). One compromised vendor cascaded across the largest hotel brands in the world. Operators using booking engines and OTA channel managers from third-party providers face the same risk model.
Seasonality
Attack volume follows booking volume. The VikingCloud survey measured the 82% hotel attack rate during summer 2024, the peak operational period. Holiday booking surges (November through January) create a shoulder risk period when high transaction volume meets skeleton staffing. PCI DSS compliance is continuous, not seasonal, but security incidents cluster at moments of maximum operational load and minimum oversight capacity.
Key Strategies and Best Practices
The five-step security compliance stack below builds from payment security through emerging regulation. Each step applies to the specific systems that travel operators use: booking engines, channel managers, payment gateways, and CRM platforms.
Lock Down Payment Security (PCI DSS 4.0)
As of March 2025, all 51 future-dated requirements in PCI DSS 4.0 are mandatory, bringing the total to 64 new requirements in the standard (PCI SSC, 2025). Key changes: MFA is now required for all cardholder data environment (CDE) access, not just administrators, and continuous monitoring replaces point-in-time compliance. Industry estimates suggest approximately 80% of hotel bookings involve card-not-present transactions and 40% of B2B payments use virtual credit cards (Antravia, 2026, industry estimate without cited primary source). Non-compliance penalties can exceed $100,000 per month (Antravia). Action: audit your booking engine’s PCI SAQ level, implement MFA on every CDE-connected system, and move to continuous log monitoring. See Payment Processing for Travel for gateway selection that supports PCI DSS 4.0 compliance.
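One way to turn the "MFA on every CDE-connected system, continuous log monitoring" action into a running check is a small rule over authentication events. The following is an added example, not code from the page or from any vendor named on it; the host inventory, the JSON-lines log shape and the field names (`host`, `mfa`, `result`) are assumptions you would replace with your own PCI scoping output and your identity provider's actual log format. The rule fails closed: a successful login to a CDE host whose event does not record MFA at all is reported as a gap, because a log that cannot prove MFA happened is itself a monitoring defect.

```python
import json

# Constructed inventory of hosts inside the cardholder data environment (CDE).
# In practice this set comes from your PCI scoping exercise, not a literal.
CDE_HOSTS = {"pay-gw-01", "booking-db-01"}

# Constructed authentication events in JSON-lines form (illustrative, not real logs).
AUTH_EVENTS = """\
{"ts": "2025-07-14T08:00:01Z", "user": "alice", "host": "pay-gw-01", "mfa": true, "result": "success"}
{"ts": "2025-07-14T08:05:12Z", "user": "bob", "host": "booking-db-01", "mfa": false, "result": "success"}
{"ts": "2025-07-14T08:07:40Z", "user": "carol", "host": "web-01", "mfa": false, "result": "success"}
{"ts": "2025-07-14T08:09:03Z", "user": "svc-backup", "host": "pay-gw-01", "result": "success"}
{"ts": "2025-07-14T08:11:30Z", "user": "mallory", "host": "pay-gw-01", "mfa": false, "result": "failure"}
"""


def find_mfa_gaps(jsonl, cde_hosts=CDE_HOSTS):
    """Return (ts, user, host, reason) for successful CDE logins that did not prove MFA.

    Events that omit the mfa field count as gaps (fail closed): if the log cannot
    show that MFA happened, the monitoring itself is deficient for that system.
    """
    gaps = []
    for line in jsonl.splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        if ev["host"] not in cde_hosts or ev["result"] != "success":
            continue  # non-CDE hosts and failed attempts are out of scope for this rule
        if "mfa" not in ev:
            gaps.append((ev["ts"], ev["user"], ev["host"], "mfa field missing"))
        elif ev["mfa"] is not True:
            gaps.append((ev["ts"], ev["user"], ev["host"], "login without mfa"))
    return gaps


def summarise_by_user(gaps):
    """Count gaps per user so repeat offenders and mis-configured service accounts stand out."""
    counts = {}
    for _, user, _, _ in gaps:
        counts[user] = counts.get(user, 0) + 1
    return counts


if __name__ == "__main__":
    found = find_mfa_gaps(AUTH_EVENTS)
    for ts, user, host, reason in found:
        print(f"{ts} {user}@{host}: {reason}")
    print(summarise_by_user(found))
```

Run against a daily export (or wired into your log pipeline as a streaming rule) this produces the continuous evidence an assessor will ask for, rather than a once-a-year attestation that MFA is "enabled".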
Implement GDPR-Compliant Data Handling
GDPR enforcement in hospitality has produced 91 fines across 15 countries, totalling approximately €22.7M (CMS.law GDPR Enforcement Tracker, 2026). Spain accounts for roughly 50% of sector fines (49 fines). The headline cases: Marriott received a €20.45M fine (UK DPA) for 339M guest records exposed. Booking.com was fined €475K (Dutch DPA) for late breach notification. Accor received €600K (French DPA). Two-thirds of hospitality GDPR fines involve video surveillance violations. For tour operators, the primary risk vectors are customer databases, email lists, and booking data retention. Action: map every system that stores personal data (CRM, booking engine, email platform, analytics). Set retention schedules. Implement a breach notification workflow; GDPR requires notification within 72 hours. See Analytics & Tracking for Travel for privacy-compliant tracking setup.
Assess and Monitor Vendor Risk
30% of breaches involved third parties in 2025, doubled from 15% the prior year (Verizon DBIR, 2025). SaaS supply chain attacks have risen an estimated 1,300% over three years (BusinessTechWeekly, 2025). The Otelier breach (detailed in the section above) showed how one compromised platform cascaded across Marriott, Hilton, Hyatt, and Wyndham. Action: every SaaS vendor in your tech stack carries breach exposure. Request SOC 2 Type II reports, check PCI compliance status, and verify data processing agreements. Prioritise: booking engine, payment gateway, channel manager, CRM. See Supplier Management Systems for vendor evaluation frameworks.
Defend Against Travel-Specific Bot Attacks
44% of travel site traffic comes from bad bots, with 420,000+ AI-driven attacks per day targeting travel platforms (Imperva, 2025). Approximately 70% of these attacks use business logic exploits (price scraping, inventory hoarding, fake bookings) that mimic legitimate user behaviour and bypass standard security tools. Action: implement bot management (rate limiting, CAPTCHA on booking forms, device fingerprinting). Monitor for anomalous booking patterns: sudden spikes in availability checks from single IP ranges, booking-then-cancellation loops, or pricing page scraping at scale. See Website Platform & CMS for Travel for platform-level security features.
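The two anomalous patterns named above (spikes in availability checks from a single IP range, and booking-then-cancellation loops) can be detected from a booking engine's own access log without any vendor tooling. The code below is an added example, not from the page or from Imperva or any other product named on it. It assumes a simple access-log line format (`timestamp ip method path status`), assumes the REST paths `/api/availability` and `/api/bookings`, and uses illustrative thresholds (20 checks per /24 within 60 seconds; 3 book-then-cancel cycles from one address) that you would tune against your own normal traffic. The sample log is constructed inside the block.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone
import ipaddress

# Thresholds are illustrative assumptions, not figures from the page; tune them
# against your booking engine's normal traffic before alerting on them.
AVAIL_THRESHOLD = 20          # availability checks from one /24 inside WINDOW
WINDOW = timedelta(seconds=60)
LOOP_THRESHOLD = 3            # completed book-then-cancel cycles from one IP


def fmt(ts, ip, method, path, status):
    """Render one constructed access-log line: timestamp ip method path status."""
    return f"{ts.strftime('%Y-%m-%dT%H:%M:%SZ')} {ip} {method} {path} {status}"


def constructed_log():
    """Synthetic booking-engine access log built for this example (not captured traffic)."""
    base = datetime(2025, 7, 14, 10, 0, 0, tzinfo=timezone.utc)
    lines = []
    # A normal visitor: three availability checks, then one booking.
    for i in range(3):
        lines.append(fmt(base + timedelta(seconds=10 * i), "198.51.100.5", "GET", "/api/availability", 200))
    lines.append(fmt(base + timedelta(seconds=40), "198.51.100.5", "POST", "/api/bookings", 201))
    # A price scraper rotating through hosts in one /24: 25 checks in 25 seconds.
    for i in range(25):
        lines.append(fmt(base + timedelta(seconds=i), f"203.0.113.{i + 1}", "GET", "/api/availability", 200))
    # An inventory hoarder: book, cancel, repeat from one address.
    for i in range(4):
        t = base + timedelta(minutes=1, seconds=20 * i)
        lines.append(fmt(t, "192.0.2.77", "POST", "/api/bookings", 201))
        lines.append(fmt(t + timedelta(seconds=5), "192.0.2.77", "DELETE", f"/api/bookings/{1000 + i}", 204))
    return sorted(lines)  # fixed-width ISO timestamps sort chronologically as strings


def parse_line(line):
    ts, ip, method, path, status = line.split()
    return {
        "ts": datetime.fromisoformat(ts.replace("Z", "+00:00")),
        "ip": ip, "method": method, "path": path, "status": int(status),
    }


def subnet24(ip):
    """Collapse an address to its /24 so a scraper rotating hosts is still counted together."""
    return str(ipaddress.ip_network(f"{ip}/24", strict=False))


def detect(lines):
    """Return (rule, subject, count) findings for the two patterns the text describes."""
    findings = []
    avail_windows = defaultdict(deque)   # /24 -> timestamps of recent availability checks
    flagged_ranges = set()
    open_booking = {}                    # ip -> True while a successful booking is not yet cancelled
    loops = defaultdict(int)             # ip -> completed book-then-cancel cycles
    for raw in lines:
        if not raw.strip():
            continue
        ev = parse_line(raw)
        if ev["method"] == "GET" and ev["path"].startswith("/api/availability"):
            net = subnet24(ev["ip"])
            q = avail_windows[net]
            q.append(ev["ts"])
            while q and ev["ts"] - q[0] > WINDOW:      # slide the window forward
                q.popleft()
            if len(q) >= AVAIL_THRESHOLD and net not in flagged_ranges:
                flagged_ranges.add(net)
                findings.append(("availability_spike", net, len(q)))
        elif ev["method"] == "POST" and ev["path"] == "/api/bookings" and ev["status"] in (200, 201):
            open_booking[ev["ip"]] = True
        elif ev["method"] == "DELETE" and ev["path"].startswith("/api/bookings/"):
            if open_booking.pop(ev["ip"], False):
                loops[ev["ip"]] += 1
                if loops[ev["ip"]] == LOOP_THRESHOLD:   # alert once, when the threshold is reached
                    findings.append(("booking_cancel_loop", ev["ip"], loops[ev["ip"]]))
    return findings


if __name__ == "__main__":
    for rule, subject, count in detect(constructed_log()):
        print(f"{rule}: {subject} ({count} events)")
```

Both rules key on behaviour rather than on a signature, which is why they catch traffic that returns HTTP 200 on every request. Aggregating availability checks by /24 rather than by exact address matters: the rotating-host scraper in the sample never sends more than one request per address and would pass a per-IP rate limit.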
Prepare for eIDAS 2.0 and Digital Identity
EU member states must offer digital identity wallets by end of 2026, with an implementation timeline running from Q1 2025 through Q4 2026 (Yousign, 2025). Very large online platforms and qualified trust service providers will be among the first required to accept wallets. Travel-specific use cases (identity verification at hotel check-in, boarding pass integration) are expected to emerge as adoption progresses, though specific pilot timelines remain unconfirmed. These are legislative targets; actual rollout may differ by member state. Action: if you handle identity verification (hotel check-in, tour bookings requiring passport data), begin gap analysis for wallet integration now. For operators not directly handling identity documents, monitor developments and plan for downstream effects on booking and check-in workflows.
Tools and Platforms
Security and compliance for travel is framework-driven rather than product-driven. The table below maps each compliance domain to its regulatory standard, travel-specific impact, and required operator actions.
| Domain | Key Requirement | Standard | Travel Impact | Action for Operators |
|---|---|---|---|---|
| Payment Security | Card data protection, MFA on CDE, continuous monitoring | PCI DSS 4.0 (64 new requirements, March 2025) | ~80% card-not-present transactions; penalties >$100K/month | Audit SAQ level, implement MFA, move to continuous monitoring |
| Customer Data | Consent, retention, breach notification (72h), DPIA | GDPR (91 fines, €22.7M in hospitality) | CRM, booking engine, email platforms all store personal data | Map data flows, set retention schedules, test breach notification workflow |
| Payment Auth | 3D Secure 2.x, SCA compliance | PSD2/SCA (EU); 3DS2 market $1.61B (2025) | Mandatory for EU card payments; reduces chargebacks | Verify booking engine supports 3DS2; check gateway compliance |
| Digital Identity | Wallet acceptance, identity verification | eIDAS 2.0 (EU wallets by end 2026) | Expected: hotel check-in, identity verification workflows | Monitor developments; begin gap analysis if handling ID verification |
| Vendor / Supply Chain | SOC 2, data processing agreements, access controls | ISO 27001, SOC 2 Type II | 30% of breaches involve third parties (Verizon DBIR) | Request SOC 2 from every SaaS vendor; verify DPAs |
| Bot & Fraud Defense | Rate limiting, CAPTCHA, device fingerprinting | OWASP, Imperva | 44% travel traffic = bad bots; 70% use business logic exploits | Implement bot management on booking forms and pricing pages |
| Infrastructure | Vulnerability scanning, patch management | CISA KEV, CVE management | 95,040 vulnerabilities found in hospitality (Trustwave 2025) | Run quarterly vulnerability scans; prioritise KEV catalogue items |
Sources: PCI SSC, CMS.law, Future Market Insights, Yousign, RH-ISAC/Trustwave, Imperva. Data as of May 2026.
B2B evaluation criteria for security tools: PCI compliance level (SAQ type), GDPR data processing agreement availability, SOC 2 Type II certification, API security documentation, incident response SLA, travel-vertical experience, and integration with booking engines and channel managers. When evaluating any new vendor, request documentation for all seven criteria before signing. See Payment Processing for Travel for payment gateway PCI compliance specifics and Booking Engine Selection for booking engine security features.
Common Mistakes and How to Avoid Them
Mistake 1: Treating PCI DSS as a Once-a-Year Checkbox
PCI DSS 4.0 requires continuous monitoring, not point-in-time assessments. All 51 future-dated requirements became mandatory in March 2025 (PCI SSC, 2025). Operators who only audit annually are non-compliant for 364 days of the year.
Mistake 2: Assuming Your Payment Gateway Handles All PCI Responsibility
Payment gateways reduce PCI scope but do not eliminate it. If your booking engine captures card data, even temporarily, you have PCI obligations. Industry estimates suggest approximately 80% of hotel bookings are card-not-present transactions (Antravia, 2026), so you almost certainly handle card data in some form.
Mistake 3: Ignoring Vendor Security Posture
30% of breaches involved third parties (Verizon DBIR, 2025). The Otelier breach (infostealer malware to Atlassian credentials to AWS S3, 8TB stolen) is the reference case for SaaS supply chain attacks in travel. Most operators never request security documentation from their SaaS vendors.
Mistake 4: No Breach Notification Workflow
GDPR requires notification within 72 hours. Booking.com was fined €475K for late notification (CMS.law, 2026). Many operators have no documented incident response plan and discover the obligation only after a breach occurs.
Mistake 5: Not Accounting for Bot Traffic in Analytics
44% of travel site traffic is bad bots (Imperva, 2025). If you are not filtering bot traffic from your analytics, your conversion rates, session data, and attribution are all distorted. You are making business decisions on data that is nearly half bot-generated.
How Security & Compliance Connects to Your Growth Stack
Security and compliance touches every system in your travel technology stack. Every integration that handles customer data, processes payments, or connects to a third-party API carries a compliance obligation.
Booking Engine Selection: Your booking engine is the primary determinant of your PCI scope. SAQ type depends on how the engine handles card data: hosted payment pages, embedded forms, or server-side processing.
Website Platform & CMS: CMS platform determines SSL/TLS configuration, plugin vulnerability exposure, and bot defense capability. A CMS with outdated plugins is a publicly exposed service, the vector used in 61.5% of initial access attempts (Trustwave/RH-ISAC, 2025).
Payment Processing: Payment gateway PCI compliance, 3DS2 support, and the shared responsibility model directly determine your security posture. The 3DS2 market reached $1.61B in 2025 (Future Market Insights, 2025).
Analytics & Tracking: GDPR-compliant tracking setup, cookie consent, and bot traffic filtering are compliance requirements that directly affect analytics accuracy.
OTA Integration & Channel Management: Every API connection to an OTA is a potential attack surface. Channel manager data flows must be secured and access-controlled.
Distribution & Booking Channels: More distribution channels mean more attack surface. PCI scope expands with every integration that touches card data.
Supplier Management Systems: Vendor risk assessment is a security function. Supplier data includes banking details, contracts, and personal information requiring GDPR compliance.
Customer Service Tools: Help desk systems store customer PII. Chatbot and AI agent systems must comply with GDPR data processing requirements.
Cross-pillar: CRM & Automation for Travel. CRM systems store customer PII and are subject to GDPR data retention rules. Support ticket history, booking records, and marketing consent data all carry compliance obligations.
Frequently Asked Questions
Three primary frameworks apply. PCI DSS 4.0 is mandatory for any business handling card payments. 64 new requirements took effect from March 2025, including mandatory MFA for all cardholder data environment access and continuous monitoring. GDPR applies to any business processing EU customer data; enforcement in hospitality has produced 91 fines totalling approximately €22.7M across 15 countries (CMS.law, 2026). eIDAS 2.0 requires EU member states to offer digital identity wallets by end of 2026; travel-specific identity verification use cases are expected to emerge as adoption progresses. National data protection laws also apply outside the EU.
PCI DSS 4.0 is the current Payment Card Industry Data Security Standard. As of March 2025, all 51 future-dated requirements are mandatory, bringing the total to 64 new requirements in v4.0 (PCI SSC, 2025). Key changes: MFA is required for all cardholder data environment access (not just admins), continuous monitoring replaces point-in-time compliance, and enhanced requirements apply to card-not-present transactions, which represent approximately 80% of hotel bookings (Antravia, 2026, industry estimate). Consult a qualified security assessor to determine your specific SAQ type and obligations.
Map every system storing personal data: booking engine, CRM, email platform, analytics, and any channel manager that passes customer records. Set data retention schedules for each system. Implement lawful basis for processing: typically legitimate interest or contract performance for booking data, consent for marketing communications. Prepare a breach notification workflow; GDPR requires notification within 72 hours. Booking.com was fined €475K for late notification (CMS.law, 2026). Test your notification workflow annually. For analytics-specific GDPR compliance, see Analytics & Tracking for Travel.
The primary threats are: credential theft (32% of breaches, Verizon DBIR 2025), ransomware (present in 44% of breaches), bad bots (44% of travel site traffic, Imperva, 2025), business logic exploits (~70% of travel-site attacks), and supply chain compromise (30% of breaches involved third parties). POS and payment systems are the most-targeted: 72% of attacked hotels had payment systems compromised (VikingCloud, 2025). MGM Resorts lost over $100M to a Scattered Spider ransomware attack in 2023. The Otelier breach exposed 8TB of data across major hotel chains through a single vendor compromise.
You likely do not need your own SOC 2 certification; that applies to SaaS vendors and service providers. But you should request SOC 2 Type II reports from every SaaS platform in your tech stack: booking engine, channel manager, CRM, payment gateway, and any analytics tools that process customer data. If a vendor cannot provide SOC 2 documentation, treat it as a red flag. With 30% of breaches now involving third-party vendors (Verizon DBIR, 2025), vendor security posture is your security posture.
eIDAS 2.0 is the EU regulation requiring member states to offer digital identity wallets by end of 2026, with very large online platforms and qualified trust service providers among the first required to accept them (Yousign, 2025). The implementation timeline runs from Q1 2025 through Q4 2026. Travel-specific identity verification use cases (hotel check-in, passport-data workflows) are expected to emerge as wallet adoption progresses. If you handle identity verification, begin gap analysis now. Timelines are legislative targets and actual rollout may differ by member state. For operators not directly handling identity documents, the downstream effects on booking and check-in workflows will emerge as adoption progresses.
Continuous monitoring is the standard under PCI DSS 4.0. Annual point-in-time audits alone are no longer sufficient. At minimum: quarterly vulnerability scans (a single Trustwave scan found 95,040 vulnerabilities across hospitality companies in April 2025, per RH-ISAC/Trustwave, 2025), annual penetration testing, vendor security review at every contract renewal, and immediate review after any breach notification from a SaaS provider. Summer (June through August) and holiday booking surges (November through January) are peak attack periods. Schedule scans before, not during, those windows.
Data Sources & Methodology
This analysis draws on data from 13 independent sources including IBM’s Cost of a Data Breach Report (2025, via Cyberscoop), the Verizon Data Breach Investigations Report 2025, VikingCloud’s North American hotel cybersecurity survey, the Trustwave 2025 Hospitality Risk Radar (via RH-ISAC), Imperva’s tourism cybersecurity analysis, the PCI Security Standards Council’s implementation guidance, the CMS.law GDPR Enforcement Tracker (2026 edition, hospitality vertical), and Antravia’s PCI DSS 4.0 compliance playbook. VikingCloud data is vendor-sourced with undisclosed survey methodology. Antravia’s card-not-present and VCC percentage figures lack primary source attribution and are treated as industry estimates. Bot-blocked sources were verified in browser. All statistics are cited inline with source attribution. Market data reflects conditions as of May 2026.
- VikingCloud – hotel cyberattack survey (82%, 58%, 44% downtime, 72% POS)
- IBM via Cyberscoop – Cost of a Data Breach ($4.44M global, $10.22M US, 241 days, 51%/26%/23%)
- Verizon DBIR 2025 – breach analysis (22,000+ incidents, 32% credentials, 44% ransomware, 30% third-party)
- BleepingComputer – Otelier breach (8TB, 437K emails)
- Trustwave via RH-ISAC – Hospitality Risk Radar (95,040 vulnerabilities, 61.5%, dark web agencies)
- Imperva – tourism cybersecurity (44% bots, 420K attacks/day, 70% business logic)
- PCI SSC – PCI DSS 4.0 (51 future-dated, 64 total, MFA, continuous monitoring)
- Antravia – PCI DSS 4.0 playbook (~80% CNP, 40% VCC, >$100K/month penalties)
- CMS.law – GDPR Enforcement Tracker (91 fines, €22.7M, Marriott/Booking.com/Accor)
- Yousign – eIDAS 2.0 (wallets end 2026, Q1 2025–Q4 2026 timeline, acceptance requirements)
- Future Market Insights – 3DS2 market ($1.61B, 12.2% CAGR)
- BusinessTechWeekly – SaaS supply chain (1,300% increase) [manual verification required]
- DLA Piper – GDPR fines survey (€5.88B total, 363 notifications/day) [manual verification required]