Compliance of an airline company with the payment card industry data security standard (PCI DSS): case study
Subject: Data protection -- Standards ; Computer networks -- Security measures ; Credit cards -- Security measures
The Payment Card Industry Data Security Standard is a set of twelve security requirements that applies to all institutions and systems handling, storing or transmitting cardholder information. It was created by the main card brands in a united effort to respond to the increasing number of attacks and data breaches targeting card and cardholder data. The standard covers points such as policy design, data security, network architecture, software design, application security, transmission encryption requirements and so on. Achieving compliance with the standard can be both expensive and time-consuming for any business that undertakes it. Given the complexity of the business environment of airline companies, the cost of compliance increases further. Airline companies operate differently from other merchants because multiple entities are involved throughout the process, which begins with the customer's purchase of a ticket and ends when the customer boards the airplane. These entities, including travel agencies, airline companies, airports, as well as service and network providers, which check seat availability, issue tickets, process payments and so on, may have access to cardholder data and consequently may pose a significant risk to the security of cardholder data. Cardholder data are often used for functions other than completing the payment. For instance, many airlines use payment card data as a unique form of identity for their customers: card data is passed through the systems at the time of reservation and then used at check-in to verify the customer's identity. Moreover, travel agents use systems provided by a Global Distribution System (GDS) provider that link to the airline systems to check ticket availability, to financial systems for authorization and then to IATA (International Air Transport Association) systems for clearing and settlement purposes.
This is a case study, based on a real situation, in which the current state of an airline company (infrastructure, applications, information security policies and procedures) is evaluated against the requirements of the Payment Card Industry Data Security Standard (PCI DSS), and recommendations are made so that the company can comply with the standard. Moreover, the present study analyzes in depth the difficulties that the involvement of multiple entities creates for PCI DSS compliance in the airline industry, and makes suggestions, requiring the smallest possible cost and effort for the organization, that can help overcome these difficulties.