Originally Posted by RickNRoll
Are they PCI Compliant?
Probably not. Yet, they probably have a certificate from one of the big 5 consulting firms saying that they are.
Most airlines do dumb stuff that directly contradicts some of the PCI-DSS requirements, but because audits are generally focused on ticking boxes on checklists, they can continue including third-party trackers, chatbots, and key loggers on their payment pages.
I did a short writeup on this a few months ago, you will find it here:
https://huagati.********.com/2018/05...-to-do-on.html
(replace the asterisks with b_l_o_g_s_p_o_t without the underscores... for some reason the forum software keeps censoring that URL)
It includes examples from a bunch of other airlines, but BA was not included in my list back then. However, earlier in this thread I posted a fresh example from BA's website as of yesterday:
BA hacked but they're 'deeply sorry'