PCI compliance is mandatory for airlines and covers all system components included in or connected to the cardholder data environment. For an airline, that scope runs from the point of acceptance to any customer service application holding or using cardholder data. It is the card data acquirer’s responsibility to impose compliance on its airline merchants. The airline is therefore responsible for the security of each of its distribution channels, whether the system elements are internal or external.