Adjusting for Compliance

Security survey indicates encouraging level of IT spending among world’s airlines.

SITA, service provider of information technology solutions for the air transport industry, launched its third annual airline IT security survey in March. Among key highlights: improvement in best practices and online payment compliance are in the forefront of carrier IT security priorities.

The SITA global IT security survey is an effort to show how airlines are dealing with security management information as compared with years past. The survey was first issued in 2006, and is composed by Loudhouse, a research consultancy based in the U.K. that conducts and supports research in all market sectors worldwide. In December 2008 (at the height of the stock market fall), Loudhouse interviewed more than 180 direct level airline security professionals from around the globe.

Mark Prince, head of consulting for security, voice, and convergence at SITA and executive sponsor of the survey, relates that airline IT security entails the end to end security of an electronic transmission (including the network a company runs on), or part of a company’s “digital highway,” and any type of equipment connected to that highway. The IT security function finds gains in key areas of strategy that should yield positive performances in operational areas, according to the survey executive summary released by SITA.

The security of an airline company’s digital data concerns airports because the infrastructure behind an airline’s information technology is becoming ever-increasingly shared by airport IT infrastructure. “A carrier is not just an airline while in the sky,” says Prince, “they are an airline on the ground as well; and the connection is through the airport hub itself.”

Online payments
This year’s survey identified a notable level of importance assigned to data compliance as an issue for IT security professionals. This is due to key compliance initiatives and deadlines set by major credit card providers, such as Visa.

What’s effectively happened, says Prince, is the payment card industry has recognized that when an airline hemorrhage’s customer data in whatever form (names or tracking data), there is a minimum cost for the card companies to set that data right. “The industry basically said to everybody, including the airlines, if a company wants to be a merchant (transact financially via a credit card), it must meet certain standards.

“If the standards are met, the card providers will effectively indemnify the company against loss of data.

“When airports lease those services dealing with credit card transactions for the airlines, then it becomes the airport’s responsibility to be compliant,” he says.

The leased services provided to airlines by some airports include common-use kiosks, which contain software that must be compliant within the security standard.

For example, says Prince, “If a machine is a self-service check-in kiosk, and I pay for a flight with my credit card, the machine uses that card to identify me when I arrive at the airport to check in; and that machine must be compliant.

The survey shows that among respondents responsible for compliance, both industry (73 percent) and customer information compliance (68 percent) are considered important to the business.

The survey found that 42 percent of respondents overall stated that they had input into IT compliance for their companies. “The level of importance given to compliance by these airline IT security professionals is encouraging, but more can be done,” says Prince.

“Key compliance initiatives such as PCI DSS and ISO27001 are both relevant and time-sensitive. The major payment brands have all issued compliance deadlines for PCI DSS regarding data storage and validation procedures.

“Visa, for example, has set these at September 2009 and 2010 respectively, dates to which the global airline industry must pay attention,” he says.

This content continues onto the next page...

We Recommend