CyberArk Case Studies Major Airline Makes a Commitment to PCI Compliance and its Customers

Edit This Case Study Record

	Major Airline Makes a Commitment to PCI Compliance and its Customers CyberArk

Major Airline Makes a Commitment to PCI Compliance and its Customers

CyberArk

Technology Category	Cybersecurity & Privacy - Application Security Cybersecurity & Privacy - Database Security Cybersecurity & Privacy - Identity & Authentication Management
Applicable Industries	Transportation
Applicable Functions	Business Operation
Use Cases	Regulatory Compliance Monitoring Remote Asset Management Remote Control
Services	Cybersecurity Services System Integration
Challenge	The airline has a robust e-commerce application, allowing travelers to search and book flights directly from the corporate website. This airline website was ranked the fifth largest travel site and the largest airline site in terms of unique visitors (source: Comscore MediaMetrix). As a result of its online growth, the airline was acutely aware of the need to maintain compliance with the credit card data protection standards mandated by the Payment Card Industry (PCI) Security Standards Council in its efforts to ensure credit card security. The PCI Data Security Standard (DSS) industry protocol is a common set of tools and measurements that are applicable across industries to help ensure the safe handling of sensitive credit card data and the protection of cardholder information. PCI Compliance in travel and tourism is often differentiated from other industries because of the lag time between when a flight is booked and when the credit card is processed for that booking. In this scenario, the credit card information is usually stored until the travel has actually taken place, or shortly before. This practice is not allowed in a PCI compliant environment, leaving travel companies at risk for fines and under intense pressure for ensuring their databases are protected from being wrongly accessed or altered - unintentionally or otherwise. As a result of these requirements and increased exposure due to its popular e-commerce business, the airline needed a new approach to document the steps it was taking to achieve PCI compliance with auditors. In this case, that meant proving that passwords to its database of sensitive customer data (including names, credit card numbers, billing addresses and other information) were being effectively monitored, managed and changed regularly. Read More
About Customer	This Major U.S. carrier has built a successful brand based on its commitment to maintaining a loyal customer base and creating a positive travel experience. With a growing e-commerce business and a reputation based on trust, reliability and customer service excellence, the airline faced critical PCI compliance requirements necessary to protect the privacy of its customers and business. The airline has a robust e-commerce application, allowing travelers to search and book flights directly from the corporate website. This airline website was ranked the fifth largest travel site and the largest airline site in terms of unique visitors (source: Comscore MediaMetrix). The airline's commitment to customer satisfaction and security is evident in its proactive approach to meeting PCI compliance standards, ensuring the protection of sensitive customer data and maintaining the trust of its clientele. Read More
Solution	For any business that processes online transactions using credit cards, PCI compliance is a significant business concern. What made it especially challenging in this case was that the airline had existing systems in place to book flights, but these systems were primarily built to accommodate bookings made through travel agents and call centers. The website was initially built as an information and branding tool, but with its evolution that featured a revenue generation application that had to access those established back-end systems, PCI compliance quickly became more complex. The IT team was faced with several security challenges including how best to manage nonexpiring database passwords associated with the airline’s back-end systems. The airline looked at several alternatives and chose the CyberArk Privileged Account Security Solution because it could handle all aspects of its emerging security and compliance requirements. The airline selected CyberArk’s Enterprise Password Vault to manage its on-line booking system’s underlying operation system, and CyberArk’s Application Identity Manager™ solution to manage and change passwords to the back-end database that stores customers’ credit card information. Of particular importance was the ability of CyberArk’s Application Identity Manager to manage risks posed by passwords hard coded within applications. Privileged application identities, those application IDs (such as AppID1) used by other applications, scripts, Windows services, batch jobs and more, represent serious threats because they are largely generic, unchanged, and if an organization is not careful, changing one password could negatively impact numerous, interdependent systems with relatively little effort. Read More Log in to view content
Contents

Technology Category

Cybersecurity & Privacy - Application Security

Cybersecurity & Privacy - Database Security

Cybersecurity & Privacy - Identity & Authentication Management

Applicable Industries

Transportation

Applicable Functions

Business Operation

Use Cases

Regulatory Compliance Monitoring

Remote Asset Management

Remote Control

Services

Cybersecurity Services

System Integration

Challenge

The airline has a robust e-commerce application, allowing travelers to search and book flights directly from the corporate website. This airline website was ranked the fifth largest travel site and the largest airline site in terms of unique visitors (source: Comscore MediaMetrix). As a result of its online growth, the airline was acutely aware of the need to maintain compliance with the credit card data protection standards mandated by the Payment Card Industry (PCI) Security Standards Council in its efforts to ensure credit card security. The PCI Data Security Standard (DSS) industry protocol is a common set of tools and measurements that are applicable across industries to help ensure the safe handling of sensitive credit card data and the protection of cardholder information. PCI Compliance in travel and tourism is often differentiated from other industries because of the lag time between when a flight is booked and when the credit card is processed for that booking. In this scenario, the credit card information is usually stored until the travel has actually taken place, or shortly before. This practice is not allowed in a PCI compliant environment, leaving travel companies at risk for fines and under intense pressure for ensuring their databases are protected from being wrongly accessed or altered - unintentionally or otherwise. As a result of these requirements and increased exposure due to its popular e-commerce business, the airline needed a new approach to document the steps it was taking to achieve PCI compliance with auditors. In this case, that meant proving that passwords to its database of sensitive customer data (including names, credit card numbers, billing addresses and other information) were being effectively monitored, managed and changed regularly.

About Customer

This Major U.S. carrier has built a successful brand based on its commitment to maintaining a loyal customer base and creating a positive travel experience. With a growing e-commerce business and a reputation based on trust, reliability and customer service excellence, the airline faced critical PCI compliance requirements necessary to protect the privacy of its customers and business. The airline has a robust e-commerce application, allowing travelers to search and book flights directly from the corporate website. This airline website was ranked the fifth largest travel site and the largest airline site in terms of unique visitors (source: Comscore MediaMetrix). The airline's commitment to customer satisfaction and security is evident in its proactive approach to meeting PCI compliance standards, ensuring the protection of sensitive customer data and maintaining the trust of its clientele.

Solution

For any business that processes online transactions using credit cards, PCI compliance is a significant business concern. What made it especially challenging in this case was that the airline had existing systems in place to book flights, but these systems were primarily built to accommodate bookings made through travel agents and call centers. The website was initially built as an information and branding tool, but with its evolution that featured a revenue generation application that had to access those established back-end systems, PCI compliance quickly became more complex. The IT team was faced with several security challenges including how best to manage nonexpiring database passwords associated with the airline’s back-end systems. The airline looked at several alternatives and chose the CyberArk Privileged Account Security Solution because it could handle all aspects of its emerging security and compliance requirements. The airline selected CyberArk’s Enterprise Password Vault to manage its on-line booking system’s underlying operation system, and CyberArk’s Application Identity Manager™ solution to manage and change passwords to the back-end database that stores customers’ credit card information. Of particular importance was the ability of CyberArk’s Application Identity Manager to manage risks posed by passwords hard coded within applications. Privileged application identities, those application IDs (such as AppID1) used by other applications, scripts, Windows services, batch jobs and more, represent serious threats because they are largely generic, unchanged, and if an organization is not careful, changing one password could negatively impact numerous, interdependent systems with relatively little effort.

Impact #1	CyberArk’s Privileged Account Security Solution was initially utilized to help the airline’s IT team solve its PCI initiatives for managing shared accounts on its UNIX systems. However, the airline then saw where they could improve management of both local administrative and root accounts in Windows and UNIX environments respectively as well. One of the next phases of implementation focused on using CyberArk’s Application Identity Manager for Java-based applications and application IDs used by its on-line booking systems. The airline quickly realized CyberArk could assist with both aspects of PCI compliance: securely managing its privileged accounts on Windows and UNIX environment and being able to manage application IDs in one secure, integrated platform.
Impact #2	By utilizing one integrated solution, the airline was able to leverage the CyberArk Privileged Account Security Solution infrastructure for both initiatives, thereby easing implementation, increasing time to market and exceeding deadlines associated with PCI.
Impact #3	With CyberArk, the IT team now has the ability to effectively manage privileged accounts within UNIX, Windows and Database platforms based on policy with a secure, enterprise-ready solution at regular intervals across its technology infrastructure. Prior to CyberArk, the airline wasn’t changing passwords at all. This was because in its App2App environment, the application scripts rely on hard-coded passwords, and they knew if they changed one password, the whole script could break.

Impact #1

CyberArk’s Privileged Account Security Solution was initially utilized to help the airline’s IT team solve its PCI initiatives for managing shared accounts on its UNIX systems. However, the airline then saw where they could improve management of both local administrative and root accounts in Windows and UNIX environments respectively as well. One of the next phases of implementation focused on using CyberArk’s Application Identity Manager for Java-based applications and application IDs used by its on-line booking systems. The airline quickly realized CyberArk could assist with both aspects of PCI compliance: securely managing its privileged accounts on Windows and UNIX environment and being able to manage application IDs in one secure, integrated platform.

Impact #2

By utilizing one integrated solution, the airline was able to leverage the CyberArk Privileged Account Security Solution infrastructure for both initiatives, thereby easing implementation, increasing time to market and exceeding deadlines associated with PCI.

Impact #3

With CyberArk, the IT team now has the ability to effectively manage privileged accounts within UNIX, Windows and Database platforms based on policy with a secure, enterprise-ready solution at regular intervals across its technology infrastructure. Prior to CyberArk, the airline wasn’t changing passwords at all. This was because in its App2App environment, the application scripts rely on hard-coded passwords, and they knew if they changed one password, the whole script could break.

Benefit #1	Fine avoidance
Benefit #2	Avoid disruptions in customer service
Benefit #3	Increased security posture

Benefit #1

Fine avoidance

Benefit #2

Avoid disruptions in customer service

Benefit #3

Increased security posture

Download PDF Version

Overview

Major Airline Makes a Commitment to PCI Compliance and its Customers

Operational Impact

Quantitative Benefit