Allegiant Air: PCI Problem Solution
Recently, BriefingsDirect held a security market transformation discussion focusing on Allegiant Air’s solution to its payment card industry problem. The discussion was hosted by Dana Gardner, a principal analyst at Interarbor Solutions, accompanied by Chris Gullett, Director of Information Assurance at Allegiant Air in Las Vegas.
Allegiant decided to adopt new technologies, such as tokenization, to bring itself into compliance with the Payment Card Industry Data Security Standard (PCI DSS) quickly.
Here are some excerpts:
Gardner: Let’s begin at a high level. What are the major trends that are driving a need for better privacy and security, particularly when it comes to customer information, and not just for your airline, but for the airline industry in general?
Gullett: The airline industry in general has quite a bit of personally identifiable information (PII). When you think about what you have to go through to get on the plane these days, everything from your whole name, your date of birth, your address, your phone number, your flight itinerary, is all going in the record.
There is a lot of information that you would rather not have in the public domain, and the airline has to protect that. In fact, there have been a couple of data breaches involving major airlines with things like frequent-flyer programs. So, we have to look carefully at how we interact with our customers and make sure that data is incredibly safe. We just don’t want to take the brand hit that would occur if data leaked out.
Gardner: As we think about ways to accommodate our need for more data in more places, even everywhere, is there top-level thinking that goes along with being able to make the data private, but also usable?
Gullett: That’s the balancing point. Everybody wants their data everywhere. Before, a data center protected data inside the tight, confined, hardened shell you used to have, a perimeter with a firewall, and things like that. But we need data out to the edge where it’s actually being consumed; that’s what has to happen these days.
Some airlines are putting consumer PII right in the hands of the flight attendant on the plane. At Allegiant, for example, we’re using mobile devices to accept credit cards on the plane. We’re experimenting with a number of different technologies that fall into the category of the Internet of Things (IoT), when you think about them. What they all have in common is that they’re outside any possible perimeter.
So, you have to find a way to make every device have its own individual perimeter, and harden the data, harden the device, or some combination of the two.
Gardner: The HPE SecureData Web and the HPE Page-Integrated Encryption are being used by a lot of folks for the webpage, of course, the browser-based apps, but that also can provide a secure way to go to mobile. Many people are interested in the mobile web, not necessarily just native apps. Is that something you have been able to use as well? The SecureData Web as a way to get to the mobile edge securely?
Gullett: We do use SecureData Web in our mobile applications. We’ve been using it since we initially integrated the product several years ago. In fact, that was one of the data points that we had to protect from Day One. So we have the app going out to the Internet, grabbing the one-time encryption key and encrypting that data in the application itself on the mobile device, on the Android device, the Apple device, and then sending that encrypted data back to our payment-processing system, passing through any systems in the middle in encrypted form.
We also have a subsidiary that is not directly airline-related and that is also developing a payment-processing app for the business space it works within. Because they’re developing a true native application for iOS, they’re going to be developing with the SecureData Web SDK that’s been released for mobile devices, which will certainly be much easier.
Gardner: Before we sign off, Chris, where do you go next? How do you think your security steps so far have enabled you to be more fleet, more agile, and perhaps find other business benefits?
Gullett: There is no substitute for delivering innovative solutions to problems that are well-known throughout the business, and that helps to build your credibility with the executives and the board of directors. Certainly, the solution to our PCI-compliance issues got a lot of exposure to the company’s executives and the board. Being able to solve that quickly and without an impact on the operations of the airline brought information security awareness to a level that we had not previously enjoyed at the airline.
Although, if you talk to our executives and our board, they’re going to tell you information security is very important, and I believe they believe that. The fact that you can demonstrate that you can deliver solutions that don’t break the bank and do what they say they do, means a lot.
The HPE Security products that we implemented for PCI are just one part. For example, if the folks aren’t handling the credit cards properly or if they’re not adequately protecting the data that they have on their mobile devices out in the field, our risk is just as great as a credit-card data breach would have been before we had implemented the tokenization. These are all things we kind of worry about.