Adjusting for Compliance

Security survey indicates encouraging level of IT spending among world’s airlines.


PCI DSS stands for Payment Card Industry Data Security Standard, and was developed by the major credit card companies as a guideline to help organizations that process card payments prevent credit card fraud, hacking, and various other security vulnerabilities and threats.

According to SITA, a company processing, storing, or transmitting payment card data must be PCI DSS compliant. Non-compliant companies who maintain a relationship with one or more of the card brands risk losing their ability to process credit card payments and being audited.

According to the Airline Online Fraud Report, commissioned by CyberSource in association with Airline Information LLC, airlines worldwide lost over $1.4 billion to online fraud in 2008, about 1.3 percent of worldwide airlines’ online revenue. The IT security survey found that just 34 percent of respondents said online payment compliance was “very important.”

Compliance barriers
Challenges to becoming compliant with new card security standards include insufficient resources (54 percent), insufficient budget (49 percent), and a lack of knowledge around compliance (47 percent). Planning, skills, and a lack of internal communication and project management also play into compliance issues, according to the survey.

“Some airlines are in the planning phase,” says Prince, “and some are in the pre-planning phase.

“The problem with the survey, which is intentional, is that I don’t get to know who has been surveyed; so unfortunately I don’t see the magnitude.

“The survey is not meant to be a sales tool for me or my consulting teams, but we can help airlines with some of the incremental bits and pieces of the survey. For example, with PCI DSS, we can help them accelerate their compliance program if necessary.”

Prince says that some airlines use the survey for trend analysis; and some of them metric themselves against the survey results, to see where they are in relation to the rest of the industry.

Additional Highlights
The survey also shows a significant improvement in best practices in the areas of policy processes, quality of tracking, and level of security governance among airlines.

Prince relates that when the survey began, because of the competition aspect, the industry was fractured in the way it looked at best practices, and airlines didn’t tend to follow each other’s best practices as far as security goes.

“I think the industry has come to recognize, and grown in the fact that there is a best practice; there has been a 14 percent increase over the last year in the number of respondents who consider sharing best practices as important,” says Prince.

“I would temper that with the fact that 66 percent of respondents believe there is need for improvement of security management information within their organization.

“The airlines have gone from this insular, guarding the food at the table type of attitude, to being fairly open about best practices.”

We Recommend