Merchant of Record in Travel: OTA's Guide to Owning the Payment Flow

In this article, we break down everything you need to know to operate as a merchant of record in travel, including payment flows, challenges to address, how to choose the right payment service provider,  and more. If you’re considering the MoR route, this is your blueprint.

What is MoR?

A merchant of record (MoR) is a party to online sales officially authorized by financial institutions to accept and process electronic payments. It is also responsible for issuing receipts, paying suppliers, and handling all related legal obligations.

If a company earns money as an MoR, it is said to operate under the merchant model. This business approach appeared when credit card payments became commercially mainstream and is common in various industries, including both retail and wholesale. Today, besides credit/debit card payments, MoR can handle many other payment methods, such as digital wallets, instant bank transfers, etc. We’ll discuss them later.

Initially, many eCommerce platforms acted as search engines. They connected buyers and sellers and then stepped aside while the supplier handled payment, delivery, and customer service. The platforms earned a commission from the supplier for helping distribute goods. For example, Amazon originally sold only books, leaving it up to publishers to accept payments. This business approach, called the agency model, allowed platforms to avoid the complexity of handling payments directly.

However, the greater your sales volume and the more suppliers depend on your platform, the more reasons you have to manage money yourself. Nowadays, Amazon Marketplace, Etsy, eBay, App Store, Google Cloud Marketplace, and other eCommerce giants act as MoR.

Now, let’s look at how events unfolded in the travel industry.

Agency vs merchant model in travel 

In the early days of online travel, the agency model was the default for most travel resellers, including online travel agencies (OTAs), destination management companies (DMCs), tour operators, and travel management companies (TMCs).

Large OTAs like Booking.com, Agoda, MakeMyTrip, and Trip.com built their businesses by connecting travelers with hotels, vacation rentals, and tours, but without handling payments themselves. Travelers would book on the OTA platform but pay the supplier directly, typically at check-in or checkout. After the stay is completed, the OTA receives a pre-negotiated commission from the supplier.

This model still dominates in many regions, particularly Europe and Asia. But not all OTAs followed this path.

Back in the late 1990s, Hotels.com (now part of Expedia Group) began experimenting with a different approach: the merchant model. Founders David Litman and Robert Diener took a bold step, convincing hotels to let the OTA collect payments upfront from travelers. This setup gave resellers more control over pricing and margins, and it worked. Over time, it became central to Expedia’s strategy, helping the company become a dominant player in the U.S. travel market.

For many years, most OTAs were in no rush to follow Expedia's example and move away from the familiar agency model, but that’s starting to change. For example, Booking.com introduced a merchant model alongside its agency operations in 2015 via its Payments by Booking tool, and now makes about 50 percent of its revenues as MoR. Let’s explore how the merchant model works.

How the MoR model works in travel

Under the merchant model, an OTA negotiates net rates with suppliers and adds markups, setting final prices. It also takes over the entire payment flow: collecting funds from the customer (pay-in), enforcing fraud prevention measures, paying to suppliers (payout), and handling refunds and chargebacks, if there are any.

The ability to charge the customer directly, without waiting for commissions to be paid, improves the agency’s cash flow. However, even more important is that OTAs have  a lot of flexibility in how to sell the products and how to organize the payment process  — to meet both business and customer needs.  

Let’s say a traveler from Berlin is planning a holiday in Thailand. She finds a deal on a UK-based online travel agency that offers a bundled package: a round-trip flight to Bangkok and five nights at a beach resort in Phuket. She sees a price in euros, which already includes taxes, fees, and a discount for booking the package together.

Behind the scenes, the OTA sourced net fares from both the airline and the hotel. It builds the final price by applying a markup to both components, making the bundle attractive but still profitable. The traveler pays using a German credit card, and the OTA, as the merchant, collects the full amount in euros.

Then comes the complex part the customer never sees:

• The OTA settles the flight payment via the IATA’s Billing and Settlement Plan (BSP) in British pounds.
  
• The payout for the accommodation is held until check-in, and then the OTA lets the resort charge a virtual credit card in Thai baht.

Running a multi-currency, multi-leg setup takes time and effort for an OTA. But for the traveler, it’s a single smooth transaction, with only the agency’s name showing up on their bill. And that’s where the merchant model brings another big advantage: it puts you in direct contact with your customer. If you do everything right, you get a loyal client.

The flip side of that coin is that you need to :

• invest in payment integrations;
• meet high security requirements; and
• balance pay-ins and payouts, and handle other financial responsibilities (taxes, chargebacks, refunds, etc.).

So you have some important decisions to make, and we will help you.

TL;DR: Key things to know about becoming a MoR in travel

Here’s what you’re signing up for—in short form—before we go deep into details.

You need a merchant account. You’ll have to open a dedicated merchant account with an acquiring bank or a payment service provider. This is where card and other electronic payments land first and get verified, before being transferred to your business account.

You integrate with a payment gateway. This software connects you to a merchant account and payment networks. Some acquring banks and all payment service providers have it as part of their offering.

You must comply with the Payment Card Industry Data Security Standard (PCI DSS). Since you not just pass card information to suppliers as under the agency model but also accept payments, you must meet higher data security criteria. 

You also handle supplier payouts. Whether through IATA BSP, Airline Reporting Corporation (ARC), virtual cards, or bank transfers, you must pay airlines, hotels and other service providers—on time and in the correct currency.

Now, that you know the base, ready to go full stack? In the next sections, we’ll break down exactly how to become MoR and what decisions to make, step by step.

Pay-in stage: All you need to accept payments

This section covers everything required to successfully collect payments from customers—from setting a merchant account to regulatory compliance.

Opening a merchant account

The first—and most fundamental—step is opening a merchant account that works 24/7 and allows you to process electronic payments under your business name. You can do this in one of two ways: either with an acquiring bank or through a Payment Service Provider (PSP) that offers merchant services bundled with other payment tools.

Large, well-funded travel platforms typically go directly to banks like Barclays or JPMorgan Chase to set up a dedicated merchant account. But this route isn’t easy for smaller or newer players. Banks tend to be cautious about the travel industry, which they see as high-risk due to frequent chargebacks, potential fraud, and exposure to unpredictable events like pandemics or natural disasters.

To get endorsed, you’ll need to prove your financial stability and explain your business model in detail. Even then, banks often require a reserve—essentially holding back part of your funds—to cover possible cancellations or disputes.

That’s why many small-to mid-sized travel companies turn to payment service providers (PSPs) such as Stripe, PayPal, Adyen, or Square. They act as intermediaries, aggregating transactions from multiple businesses on a single merchant account. The PSP bears all financial responsibilities to an acquiring bank, so the onboarding process in this case is faster and far less demanding.

However, this convenience comes with its own risks. PSPs may freeze or terminate your account with little warning if they flag suspicious activity or your transaction volume dips below their thresholds. Well-established OTAs can negotiate to secure better terms, but overall, travel merchants face higher fees and stricter conditions than most other industries.

Both banks and PSPs typically hold rolling reserves—a percentage of your daily transactions (e.g., 5–10 percent) in a reserve account, typically for 90–180 days, to cover potential chargebacks or fraud. Besides, most delay payouts (e.g., 7–14 days). Clarify this upfront.

Once you have a merchant account, the technical part is integrating the payment gateway’s API into your checkout and booking flows.

Integrating a payment gateway

A payment gateway is a service that authorizes and processes payments for online and offline stores. It simplifies transactions between buyers and sellers, using security protocols and encryption to ensure safe data transmission. It facilitates the transfer of transaction data from websites/apps/mobile devices to payment systems/banks and vice versa.

If you open an account with a PSP, a gateway is included in the service by default.

If you partner with a bank, it might provide its own gateway. Others team up with third-party vendors, which are, again, Stripe, Authorize.net, and other PSPs. Here are some things you should watch while selecting a payment gateway provider.

Understand pricing structure. Some PSPs charge a flat fee per transaction, while others take a percentage of the transaction value. Many use a hybrid approach: a fixed fee plus a percentage. In some cases, there’s a minimum charge per transaction, regardless of the sale amount. Also, ask about cross-border fees, refund fees, chargeback fees, and hidden compliance charges.

Look for global coverage with strong local capabilities. Ensure your PSP can process payments in all your target markets—including local cards, wallets, and account-to-account transfers. E.g., if you serve Latin America, look for PSPs that support exotic methods such as Boleto and OXXO and partner with local banks.

Check out the API documentation and developer tools. “Public availability typically means that the payment system is stable and easy to integrate with,” Ivan Mosiev,  a solution architect engaged in many travel projects at AltexSoft, explains. “Private access, on the contrary, may signal the poor quality of API documentation, which will result in a painful and time-consuming implementation process.”

Evaluate fraud and chargeback management tools. As MoR, you take on financial risk. Your PSP should provide real-time fraud detection, risk scoring, and 3D Secure support.

Consider payout capabilities. Large PSPs like Stripe, Adyen, and Checkout.com, also offer payouts to suppliers (e.g., hotels, affiliates). It’s convenient to operate all payments on one platform.

To better understand how these services work, read our articles on payment gateway integration and online payment processing.

Choosing payment methods

Large payment gateways typically come pre-integrated with a wide range of payment methods:

• credit/debit сards,
• digital wallets (PayPal, Apple Pay, Google Pay, and more);
• "buy now, pay later" (BNPL) – a method that lets customers pay for purchased goods in interest-free installments or at a later date, offered through providers like Klarna, Afterpay, or Affirm;
• cryptocurrencies (less common, but some gateways support them); and
• local payment methods – options widely used and preferred within a specific region or country (account-to-account payments like iDEAL or Blik, vouchers like Boleto Bancário, and more).

On one hand, offering a wide range of payment methods makes things easier for your customers. On the other, each method comes with separate integration fees. So instead of adding everything at once, prioritize based on where you operate and who your customers are. For example, if you serve travelers in Africa, you’ll likely need mobile money options like M-Pesa. In Europe, local bank transfers like iDEAL or Sofort (Germany) might be essential.

It may be a good idea to test different methods to understand which ones will be popular among your customers and weigh the price-value ratio.

“In technology, we would always recommend A/B testing, and payment methods are no different,  comments James. Within Stripe, we've made it really easy, having launched A/B testing for payments in the dashboard. It means customers can actually measure the impact if they put a set portion of the traffic through a local payment type for a period of time, versus their normal flow as a control group. Do you see a boost in conversion? Do you see a boost in basket size? Do you see certain behaviors from certain countries? We would always recommend being broad in your optionality, but take a data-based approach and measure the impact.”

Achieving PCI DSS compliance

If you deal with card payments, you are officially on the hook for cardholder data security. That’s where PCI DSS—Payment Card Industry Data Security Standard—enters the picture. These are global security standards defined by the major card schemes (Visa, Mastercard, AmEx, etc.) to protect sensitive payment data from breaches and fraud.

The level of PCI compliance you need depends on your transaction volume. There are four levels (less than $20,000 to more than $6 million). If you are at the lower 2-4 levels, you must fill out SAQs (Self-Assessment Questionnaires), which you can download from the PCI Security Standards Council official site, and submit to your bank/PSS. Check with them about which SAQ version you need.

A Level 1 Merchant (over 6 million annual transactions) must undergo an audit with an external, certified firm that produces a Report on Compliance (RoC). If vulnerabilities are detected, you must fix them, which might involve implementing new software or policies.

Since PSPs handle the transactions, the heavy lifting on the financial security side falls to them. Your job is to collect the customer’s payment info, pass it to the gateway, and make sure nothing gets lost in transit. The payment platform has your back here, too: it offers a ready-made PCI-compliant payment form that you can integrate into your website to capture card details safely. Sensitive data is replaced with encrypted tokens (it’s called tokenization).  

That said, PCI DSS compliance is not a one-time checkbox, especially if you store financial data on your servers, which is nearly impossible to avoid altogether. Your internal IT team’s ongoing security work is essential—things like encryption, firewalls, regular vulnerability scans, access controls, and having a solid incident response plan in place. Take all the procedures seriously. In case of a breach or non-compliance, you could face massive fines and even lose the right to process payments. Remediation costs can vary from a few thousand dollars to $500,000, depending on how severe the issue is and how many customers are impacted.

Watch our video on PCI DSS compliance to understand why it’s important for travel agencies.

Payout: What it takes to pay the supplier

Once you’re prepared to collect customer money, your next task is to take care of timely payouts to suppliers: airlines, hotels, car rentals, transfer providers, tour operators, etc.

One of the main challenges MoR faces is the delay in accessing pay-in funds. The settlement for card payments involves fraud checks, reconciliation, regulatory reviews, and other operations that take days or even weeks if credit risks are involved.  Only after the verification does the money land in the business account, where it becomes available for the merchant. That’s why the agency needs surplus cash reserves or a credit line to pay suppliers on time while waiting for the pay-in to be unblocked.

Now let's take a look at the technical aspects of payout. We'll focus on airlines and hotels in detail, but keep in mind that any other supplier needs a separate payment flow that must be agreed upon, tracked, and settled on time.

Paying airlines

If you want to sell flights, you’ll need approval from one of two key aviation regulators: IATA, which operates globally, or ARC, which governs air sales in the US. Accreditation from either signals to airlines that you’re a trusted partner and allows you to do ticketing on their behalf. Non-IATA/ARC agencies can partner with an airline consolidator or host travel agency and buy air tickets through them.

The payment flow varies depending on whether you work with the airline via GDS or directly.

If you book via GDS. Most travel sellers book airline tickets through Global Distribution Systems (GDS) like Amadeus, Sabre, or Travelport. If that’s your setup, payments flow through IATA BSP or ARC for the US. They are centralized financial platforms, used by over 400 carriers to manage payments between airlines and travel agencies.

Here’s how the most common payment flow  — via BSP/ARC Cash  —  unfolds.

1. The traveler starts the booking process through a travel agent.
2. The agency charges the traveler’s credit card.
3. The agency sends a ticket request to the GDS.
4. The GDS pulls the necessary ticketing info from the airline.
5. The GDS sends it back to the agent.
6. The agency issues the ticket to the traveler.
7. The BSP/ARC compiles a consolidated billing report—usually once a week, covering all the agency’s ticket sales during that period. Based on that report, the agent makes a single electronic transfer to the IATA clearing bank.
8. The BSP/ARC processes payments from all agents and instructs the clearing bank to distribute the funds to the relevant airlines. Typically, airlines receive the money 2 to 4 weeks after the ticket is issued.

The only available payment method for BSP is electronic transfer.

Another option is IATA EasyPay, a pay-as-you-go method using a prepaid account that is based on e-wallet infrastructure provided by Deutsche Bank and Mastercard. With IATA EasyPay, money are charged from your account immediately upon booking. This reduces airlines’ risks (the payment is guaranteed) and lets smaller agencies avoid full IATA accreditation requirements.

If you work with airlines directly. Some OTAs and corporate travel platforms сonnect with airlines either through flight aggregators or by partnering with the airlines directly. If you go through an aggregator, your options will depend on the methods they support. If you work with an airline one-on-one, it all comes down to what you can negotiate. Either way, the list may include:

• virtual credit cards (VCCs),
• corporate credit cards,
• B2B wallets, and
• bank transfer.

Note that airlines are not very keen on accepting virtual cards because transactions are more expensive than using a regular consumer or corporate card, not to mention BSP/ARC cash.  

Paying hotels

Unlike air travel, where payment and settlement are centralized, the hotel space is highly fragmented. There’s no single standard or unified system—each property has its own expectations and requirements. Some request payment at check-in, others agree to get paid after the guest has checked out. Payment flows and preferred methods  vary depending on whether you work with chains, single properties, or bedbanks, as well as on the hotels location. 

When booking through bedbanks, like Hotelbeds, Webbeds, or DidaTravel, payment is usually done via a monthly invoice and bank transfer. Some offer prepaid models (you fund a wallet or pay per booking) or accept virtual cards.

When working directly with hotels, many OTA and TMCs use VCCs. They have several advantages: VCCs can be  generated for one transaction (eliminating reuse fraud), with a limited amount, and in the supplier’s local currency. According to a joint study by Worldline and Phocuswright, nine out of ten corporate travel planners believe virtual cards are on track to become the primary method for booking business trips.

Besides VCCs, OTAs may use traditional bank transfers. Some agencies maintain local subsidiaries with bank accounts to pay local suppliers faster.

One Last Word: Think Before You Leap

Is switching from the agency model to merchant of record worth It? The short answer: not always, and certainly not for every travel business.

“The merchant model is not necessarily a model any agency would flip to. The advantage is here, but it comes with due diligence and assessment in terms of the operating model, resources, and cost implications to be able to branch into a merchant of record model fully,” says Sandra Mianda, a payment strategist and a founder of the payments consultancy, Paypr.work. 

It might be better to stick with the agency model if you’re just starting out or testing markets, your margins are slim, cash flow is tight, and you lack internal resources to manage PCI compliance. Choose the merchant model if you can afford the financial float and risk, and are thrilled to step to the next level.