Credit Card Authorization Forms for Travel Advisors

Overview

A credit card authorization form is a written, signed permission from the cardholder allowing your agency to charge their credit card for a specific travel booking or service. Suppliers require one for nearly every booking where you run the card on the client's behalf.

Getting this wrong creates three problems at once: the supplier refuses the booking, the cardholder can chargeback with no defense, and your agency inherits PCI-DSS exposure. Getting it right is a one-time setup.

Why You Need One

Every credit card transaction has three parties: cardholder, merchant (the supplier or your agency), and card network. Whenever you charge a card that is not in your physical possession, the merchant assumes more risk. To transfer that risk back to the cardholder, you need documented proof the cardholder authorized the charge.

Without it:

• Suppliers can refuse the booking. Most require a signed CC auth before they process.
• Chargebacks succeed. The cardholder disputes the charge; with no signed form, the card network sides with them by default.
• Your E&O insurer may deny a claim. Many E&O policies exclude chargebacks where no proper authorization was collected.

What a Proper CC Authorization Includes

The following are non-negotiable:

1. Cardholder's full legal name as it appears on the card
2. Billing address matching the address on file with the card
3. Card type (Visa, Mastercard, Amex, Discover)
4. Card number (full 15–16 digits)
5. Expiration date
6. CVV / security code
7. Authorization statement — a clear sentence explaining what the cardholder is authorizing, naming the supplier(s) and approximate amount
8. Signature and date — ink-on-paper, typed, or drawn electronically

Optional but recommended:

• Phone number for verification
• Email for receipt
• Specific itinerary dates or booking reference
• Statement that the card will only be charged for authorized amounts

What Not to Do

These mistakes happen every week in advisor communities:

Do not accept card details by email or text

PCI-DSS explicitly prohibits transmitting full card numbers and CVVs in unencrypted email or SMS. If a client sends you their card in a text, you have two options: delete it and ask them to use your secure form, or accept that you are now on the hook for PCI compliance across your entire email system.

Do not store card details in a spreadsheet or Google Doc

Same problem. If your laptop is stolen or your Google account is phished, every card in that file is compromised. Use a form that handles storage and retrieval properly.

Do not use a generic DocuSign or Google Form

Generic form tools are not built for card data and do not handle it in a PCI-appropriate way. Use a tool built for this purpose.

Do not reuse one authorization for multiple bookings

Each booking needs its own authorization unless the original form explicitly grants authority for multiple specific charges. "One blanket authorization for the whole trip" is fine if the form says so; "one authorization for everything forever" is not.

Using the Plan Harmony Template

Plan Harmony includes a Credit Card Authorization form template. To use it:

1. Go to Forms and click New from Template
2. Choose Credit Card Authorization
3. The template arrives pre-built with:
   • Billing address fields (street, city, state, zip, country)
   • Card type selector (Visa, Mastercard, Amex, Discover)
   • Card number, expiration, CVV
   • Authorization consent text with your agency name inserted
   • Signature field with audit trail
4. Review the consent text and add specifics for your agency (for example, "amounts will not exceed $X without a new authorization")
5. Set status to Active and copy the share link

Sharing the form

Email or text the link directly to the client. They open it in any browser, complete it, sign, and submit. You receive the full response, including card details and signature audit trail. Link the response to the client's record for a complete paper trail.

Using the authorized details

Open the response to view card details. Enter them into the supplier's booking system exactly as the supplier requires (fax form, portal, phone booking with auth form on file, etc.). Keep the signed form archived with the booking records.

The Signature Audit Trail

Every Plan Harmony signature includes:

• Signer name and email as entered
• IP address of the signing device
• Timestamp (to the second)
• SHA-256 hash of the form content at the moment of signing

This audit trail is your defense if the cardholder later claims they did not authorize the charge. It is also what makes an electronic signature legally equivalent to a wet-ink signature under the ESIGN Act and UETA.

Retention and Records

Keep the signed authorization at least until:

• The trip has been completed
• The commission has been paid
• The chargeback window has closed (up to 180 days for Visa/Mastercard after the charge date)

Longer retention is smart for E&O protection — some advisors keep all authorizations for seven years matching IRS records retention. Plan Harmony retains form responses indefinitely, linked to the client record.

The One-Time Setup

Spend 20 minutes today:

1. Build the CC Auth form from the template
2. Save the share link to your CRM template library
3. Add a step to your booking workflow: "Send CC Auth form before calling supplier"
4. Never email about card details again

This is one of those setups that saves you a chargeback disaster you will never notice, because it never happens.