• Subscribe
  • Magazines
  • Advertise
  • Contact Us
  • Podcasts
  • Buyers Guide
  • GSE Expo
    1. Home

    Adjusting for Compliance

    May 22, 2009
    Security survey indicates encouraging level of IT spending among world’s airlines.
    1242913281885 10373223

    SITA, service provider of information technology solutions for the air transport industry, launched its third annual airline IT security survey in March. Among key highlights: improvement in best practices and online payment compliance are in the forefront of carrier IT security priorities.

    The SITA global IT security survey is an effort to show how airlines are dealing with security management information as compared with years past. The survey was first issued in 2006, and is composed by Loudhouse, a research consultancy based in the U.K. that conducts and supports research in all market sectors worldwide. In December 2008 (at the height of the stock market fall), Loudhouse interviewed more than 180 direct level airline security professionals from around the globe.

    Mark Prince, head of consulting for security, voice, and convergence at SITA and executive sponsor of the survey, relates that airline IT security entails the end to end security of an electronic transmission (including the network a company runs on), or part of a company’s “digital highway,” and any type of equipment connected to that highway. The IT security function finds gains in key areas of strategy that should yield positive performances in operational areas, according to the survey executive summary released by SITA.

    The security of an airline company’s digital data concerns airports because the infrastructure behind an airline’s information technology is becoming ever-increasingly shared by airport IT infrastructure. “A carrier is not just an airline while in the sky,” says Prince, “they are an airline on the ground as well; and the connection is through the airport hub itself.”

    Online payments
    This year’s survey identified a notable level of importance assigned to data compliance as an issue for IT security professionals. This is due to key compliance initiatives and deadlines set by major credit card providers, such as Visa.

    What’s effectively happened, says Prince, is the payment card industry has recognized that when an airline hemorrhage’s customer data in whatever form (names or tracking data), there is a minimum cost for the card companies to set that data right. “The industry basically said to everybody, including the airlines, if a company wants to be a merchant (transact financially via a credit card), it must meet certain standards.

    “If the standards are met, the card providers will effectively indemnify the company against loss of data.

    “When airports lease those services dealing with credit card transactions for the airlines, then it becomes the airport’s responsibility to be compliant,” he says.

    The leased services provided to airlines by some airports include common-use kiosks, which contain software that must be compliant within the security standard.

    For example, says Prince, “If a machine is a self-service check-in kiosk, and I pay for a flight with my credit card, the machine uses that card to identify me when I arrive at the airport to check in; and that machine must be compliant.

    The survey shows that among respondents responsible for compliance, both industry (73 percent) and customer information compliance (68 percent) are considered important to the business.

    The survey found that 42 percent of respondents overall stated that they had input into IT compliance for their companies. “The level of importance given to compliance by these airline IT security professionals is encouraging, but more can be done,” says Prince.

    “Key compliance initiatives such as PCI DSS and ISO27001 are both relevant and time-sensitive. The major payment brands have all issued compliance deadlines for PCI DSS regarding data storage and validation procedures.

    “Visa, for example, has set these at September 2009 and 2010 respectively, dates to which the global airline industry must pay attention,” he says.

    PCI DSS stands for Payment Card Industry Data Security Standard, and was developed by the major credit card companies as a guideline to help organizations that process card payments prevent credit card fraud, hacking, and various other security vulnerabilities and threats.

    According to SITA, a company processing, storing, or transmitting payment card data must be PCI DSS compliant. Non-compliant companies who maintain a relationship with one or more of the card brands risk losing their ability to process credit card payments and being audited.

    According to the Airline Online Fraud Report, commissioned by CyberSource in association with Airline Information LLC, airlines worldwide lost over $1.4 billion to online fraud in 2008, about 1.3 percent of worldwide airlines’ online revenue. The IT security survey found that just 34 percent of respondents said online payment compliance was “very important.”

    Compliance barriers
    Challenges to becoming compliant with new card security standards include insufficient resources (54 percent), insufficient budget (49 percent), and a lack of knowledge around compliance (47 percent). Planning, skills, and a lack of internal communication and project management also play into compliance issues, according to the survey.

    “Some airlines are in the planning phase,” says Prince, “and some are in the pre-planning phase.

    “The problem with the survey, which is intentional, is that I don’t get to know who has been surveyed; so unfortunately I don’t see the magnitude.

    “The survey is not meant to be a sales tool for me or my consulting teams, but we can help airlines with some of the incremental bits and pieces of the survey. For example, with PCI DSS, we can help them accelerate their compliance program if necessary.”

    Prince says that some airlines use the survey for trend analysis; and some of them metric themselves against the survey results, to see where they are in relation to the rest of the industry.

    Additional Highlights
    The survey also shows a significant improvement in best practices in the areas of policy processes, quality of tracking, and level of security governance among airlines.

    Prince relates that when the survey began, because of the competition aspect, the industry was fractured in the way it looked at best practices, and airlines didn’t tend to follow each other’s best practices as far as security goes.

    “I think the industry has come to recognize, and grown in the fact that there is a best practice; there has been a 14 percent increase over the last year in the number of respondents who consider sharing best practices as important,” says Prince.

    “I would temper that with the fact that 66 percent of respondents believe there is need for improvement of security management information within their organization.

    “The airlines have gone from this insular, guarding the food at the table type of attitude, to being fairly open about best practices.”

    Pilot project

    First context-aware mobile platform
    SITA, airline IT provider, and Appear, provider of context-aware software, have partnered to enhance workforce mobility by seeking to eliminate information overload, boost productivity, and reduce costs.

    According to a press release, context-aware technology revolutionizes how information is delivered, received, and presented on mobile devices. No longer do users need to know what they are looking for: the context engine analyzes each user’s situation and determines what information the user needs and what data or video needs to be delivered in real time. The technology enables SITA to provide a range of wireless applications over a single common-use multi-service architecture, says SITA VP for innovation, Greg Ouillon.

    Pilot projects are scheduled with three airlines in Sweden, Portugal, and the Netherlands. The companies will deploy a hosted context-aware platform capable of supporting multiple mobile application scenarios (including passenger and baggage processing, and aircraft and airport operations.)

    EXAMPLE: The mobile workforce concept enabled by handheld devices allows aircraft turnaround with one duty manager for four to five aircraft, rather than the present “norm” of one duty manager per aircraft turnaround.

    Similarly, ground handlers will save on fuel bills and benefit from workforce efficiency gains thanks to remote management of ground service equipment. They will also increase revenues due to more accurate usage reporting, according to SITA.

    BIOMETRICS: Improving the Travel Experience
    In April, SITA released an article by Tom Marten, vice president of government security at SITA, relating how technology is improving the travel experience throughout the air transport industry. As a leading specialist in air transport communication and IT solutions, SITA has amassed a body of evidence from biometric deployments at airports worldwide. The research demonstrates the value and opportunity biometric technology can bring to improving passenger processing, reducing wait times, and enhancing the quality of the passenger journey while also enhancing security.

    CONVERGENCE
    • Convergence, in a passenger screening context, is the coming together of both biographic data elements, such as passport, visa, and booking information; and biometric data elements, such as fingerprint, iris, and facial images. According to SITA, herein lies the future of securing air borders, and improving the passenger experience.
    • Biometric data is useful for identity management, and helps ensure any weak links by automatically re-enforcing passenger data (tells more about who a person is.)
    • Biographic data provides a complementary layer of information to drive the passenger screening process (tells more about what a person is doing.)

    E-PASSPORTS

    • The adoption of e-passports containing digital photographs and/or biometric identifiers will deliver widespread benefits to all aviation stakeholders.
    • If 40 percent of passengers departing an airport are holders of e-passports, there is a compelling business case to deploy biometric-based systems in that airport.
    • Whether these biometric systems would be used for fast track access through security, access to airport lounges, or for automated border clearance, travelers would be moved as quickly, efficiently, and as cost-effectively as possible.
    • It will be another five years or more before the majority of travelers hold e-passports, which will delay the widespread adoption of biometric systems for passengers.

    INTERIM SOLUTIONS

    • Registered traveler-type program: Participants choose to enroll in a biometric-based scheme in return for certain facilitation benefits. In the U.K., participants can enroll in the country’s Iris Recognition Immigration System (IRIS) by having the biographic data on their passports recorded together with high-definition images of each iris. Upon arrival in the U.K., IRIS participants can go directly to the automated clearance system.
    • Once biometric information is submitted and a background check is completed, the traveler can participate and get expedited through security checks.

    THE GOAL
    According to SITA, in a few years, all travelers will have biometric passports. This will provide the opportunity for airlines, airports, and governments to leverage biometrics to provide valuable services to travelers.