Adjusting for Compliance

May 22, 2009
Security survey indicates encouraging level of IT spending among world’s airlines.

SITA, a service provider of information technology solutions for the air transport industry, launched its third annual airline IT security survey in March. Among the key highlights: improvement in best practices and online payment compliance are at the forefront of carrier IT security priorities.

The SITA global IT security survey is an effort to show how airlines are dealing with security management information as compared with years past. The survey was first issued in 2006 and is conducted by Loudhouse, a research consultancy based in the U.K. that conducts and supports research in all market sectors worldwide. In December 2008 (at the height of the stock market fall), Loudhouse interviewed more than 180 director-level airline security professionals from around the globe.

Mark Prince, head of consulting for security, voice, and convergence at SITA and executive sponsor of the survey, relates that airline IT security entails the end-to-end security of an electronic transmission (including the network a company runs on), or part of a company’s “digital highway,” and any type of equipment connected to that highway. According to the survey executive summary released by SITA, the IT security function has made gains in key strategic areas that should translate into better performance in operational areas.

The security of an airline company’s digital data concerns airports because the infrastructure behind an airline’s information technology is increasingly shared with airport IT infrastructure. “A carrier is not just an airline while in the sky,” says Prince, “they are an airline on the ground as well; and the connection is through the airport hub itself.”

Online payments
This year’s survey identified a notable level of importance assigned to data compliance as an issue for IT security professionals. This is due to key compliance initiatives and deadlines set by major credit card providers, such as Visa.

What’s effectively happened, says Prince, is that the payment card industry has recognized that when an airline hemorrhages customer data in whatever form (names or tracking data), there is a minimum cost for the card companies to set that data right. “The industry basically said to everybody, including the airlines, if a company wants to be a merchant (transact financially via a credit card), it must meet certain standards.

“If the standards are met, the card providers will effectively indemnify the company against loss of data.

“When airports lease those services dealing with credit card transactions for the airlines, then it becomes the airport’s responsibility to be compliant,” he says.

The leased services provided to airlines by some airports include common-use kiosks, which contain software that must be compliant with the security standard.

For example, says Prince, “If a machine is a self-service check-in kiosk, and I pay for a flight with my credit card, the machine uses that card to identify me when I arrive at the airport to check in; and that machine must be compliant.”

The survey shows that among respondents responsible for compliance, both industry (73 percent) and customer information compliance (68 percent) are considered important to the business.

The survey found that 42 percent of respondents overall stated that they had input into IT compliance for their companies. “The level of importance given to compliance by these airline IT security professionals is encouraging, but more can be done,” says Prince.

“Key compliance initiatives such as PCI DSS and ISO27001 are both relevant and time-sensitive. The major payment brands have all issued compliance deadlines for PCI DSS regarding data storage and validation procedures.

“Visa, for example, has set these at September 2009 and 2010 respectively, dates to which the global airline industry must pay attention,” he says.

PCI DSS stands for Payment Card Industry Data Security Standard. It is maintained by the PCI Security Standards Council, which was founded by the major credit card brands, and it sets requirements to help organizations that process card payments prevent credit card fraud, hacking, and various other security vulnerabilities and threats.

According to SITA, a company processing, storing, or transmitting payment card data must be PCI DSS compliant. Non-compliant companies that maintain a relationship with one or more of the card brands risk being audited and losing their ability to process credit card payments.

According to the Airline Online Fraud Report, commissioned by CyberSource in association with Airline Information LLC, airlines worldwide lost over $1.4 billion to online fraud in 2008, about 1.3 percent of worldwide airlines’ online revenue. The IT security survey found that just 34 percent of respondents said online payment compliance was “very important.”

Compliance barriers
Challenges to becoming compliant with new card security standards include insufficient resources (54 percent), insufficient budget (49 percent), and a lack of knowledge around compliance (47 percent). Planning, skills, and a lack of internal communication and project management also play into compliance issues, according to the survey.

“Some airlines are in the planning phase,” says Prince, “and some are in the pre-planning phase.

“The problem with the survey, which is intentional, is that I don’t get to know who has been surveyed; so unfortunately I don’t see the magnitude.

“The survey is not meant to be a sales tool for me or my consulting teams, but we can help airlines with some of the incremental bits and pieces of the survey. For example, with PCI DSS, we can help them accelerate their compliance program if necessary.”

Prince says that some airlines use the survey for trend analysis, and some of them benchmark themselves against the survey results to see where they stand in relation to the rest of the industry.

Additional Highlights
The survey also shows a significant improvement in best practices in the areas of policy processes, quality of tracking, and level of security governance among airlines.

Prince relates that when the survey began, because of competition between carriers, the industry was fractured in the way it looked at best practices, and airlines didn’t tend to follow each other’s best practices as far as security goes.

“I think the industry has come to recognize, and grown in the fact that there is a best practice; there has been a 14 percent increase over the last year in the number of respondents who consider sharing best practices as important,” says Prince.

“I would temper that with the fact that 66 percent of respondents believe there is need for improvement of security management information within their organization.

“The airlines have gone from this insular, guarding the food at the table type of attitude, to being fairly open about best practices.”