Major Airline Makes a Commitment to PCI Compliance and its Customers

Customer Company Size
Large Corporate
Region
  • America
Country
  • United States
Product
  • CyberArk Privileged Account Security Solution
  • CyberArk Enterprise Password Vault
  • CyberArk Application Identity Manager
Tech Stack
  • Java-based web applications
  • Oracle database
  • Windows
Implementation Scale
  • Enterprise-wide Deployment
Impact Metrics
  • Brand Awareness
  • Cost Savings
  • Customer Satisfaction
  • Digital Expertise
Technology Category
  • Cybersecurity & Privacy - Application Security
  • Cybersecurity & Privacy - Database Security
  • Cybersecurity & Privacy - Identity & Authentication Management
Applicable Industries
  • Transportation
Applicable Functions
  • Business Operation
Use Cases
  • Regulatory Compliance Monitoring
  • Remote Asset Management
  • Remote Control
Services
  • Cybersecurity Services
  • System Integration
About The Customer
This major U.S. carrier has built a successful brand based on its commitment to maintaining a loyal customer base and creating a positive travel experience. With a growing e-commerce business and a reputation based on trust, reliability and customer service excellence, the airline faced critical PCI compliance requirements necessary to protect the privacy of its customers and business. The airline has a robust e-commerce application, allowing travelers to search and book flights directly from the corporate website. This airline website was ranked the fifth largest travel site and the largest airline site in terms of unique visitors (source: Comscore MediaMetrix). The airline's commitment to customer satisfaction and security is evident in its proactive approach to meeting PCI compliance standards, ensuring the protection of sensitive customer data and maintaining the trust of its clientele.
The Challenge
As a result of its online growth, the airline was acutely aware of the need to maintain compliance with the credit card data protection standards mandated by the Payment Card Industry (PCI) Security Standards Council in its efforts to ensure credit card security. The PCI Data Security Standard (DSS) industry protocol is a common set of tools and measurements that are applicable across industries to help ensure the safe handling of sensitive credit card data and the protection of cardholder information. PCI compliance in travel and tourism is often differentiated from other industries because of the lag time between when a flight is booked and when the credit card is processed for that booking. In this scenario, the credit card information is usually stored until the travel has actually taken place, or shortly before. This practice is not allowed in a PCI-compliant environment, leaving travel companies at risk of fines and under intense pressure to ensure their databases are protected from being wrongly accessed or altered, unintentionally or otherwise. As a result of these requirements and increased exposure due to its popular e-commerce business, the airline needed a new approach to document for auditors the steps it was taking to achieve PCI compliance. In this case, that meant proving that passwords to its database of sensitive customer data (including names, credit card numbers, billing addresses and other information) were being effectively monitored, managed and changed regularly.
The Solution
For any business that processes online transactions using credit cards, PCI compliance is a significant business concern. What made it especially challenging in this case was that the airline had existing systems in place to book flights, but these systems were primarily built to accommodate bookings made through travel agents and call centers. The website was initially built as an information and branding tool, but as it evolved to feature a revenue generation application that had to access those established back-end systems, PCI compliance quickly became more complex. The IT team was faced with several security challenges, including how best to manage non-expiring database passwords associated with the airline’s back-end systems. The airline looked at several alternatives and chose the CyberArk Privileged Account Security Solution because it could handle all aspects of its emerging security and compliance requirements. The airline selected CyberArk’s Enterprise Password Vault to manage its online booking system’s underlying operating system, and CyberArk’s Application Identity Manager™ solution to manage and change passwords to the back-end database that stores customers’ credit card information. Of particular importance was the ability of CyberArk’s Application Identity Manager to manage risks posed by passwords hard-coded within applications. Privileged application identities, those application IDs (such as AppID1) used by other applications, scripts, Windows services, batch jobs and more, represent serious threats because they are largely generic and unchanged, and, if an organization is not careful, changing one password could negatively impact numerous interdependent systems with relatively little effort.
Operational Impact
  • CyberArk’s Privileged Account Security Solution was initially utilized to help the airline’s IT team solve its PCI initiatives for managing shared accounts on its UNIX systems. However, the airline then saw that it could also improve management of local administrative accounts in Windows environments and root accounts in UNIX environments. One of the next phases of implementation focused on using CyberArk’s Application Identity Manager for Java-based applications and application IDs used by its online booking systems. The airline quickly realized CyberArk could assist with both aspects of PCI compliance: securely managing its privileged accounts in Windows and UNIX environments and being able to manage application IDs in one secure, integrated platform.
  • By utilizing one integrated solution, the airline was able to leverage the CyberArk Privileged Account Security Solution infrastructure for both initiatives, thereby easing implementation, improving time to market and exceeding deadlines associated with PCI.
  • With CyberArk, the IT team can now manage privileged accounts on UNIX, Windows and database platforms according to policy, at regular intervals across its technology infrastructure, using a secure, enterprise-ready solution. Prior to CyberArk, the airline wasn’t changing passwords at all. This was because, in its App2App environment, the application scripts rely on hard-coded passwords, and the team knew that if it changed one password, the whole script could break.
  • For example, customers’ online accounts often have credit cards stored in the airline’s Oracle database. PCI guidelines require the airline to change its Oracle passwords on a regular basis. When a transaction takes place, a web application must be able to access the Oracle database to get the credit card information, and that application’s script relies on a hard-coded password to work. CyberArk enables the IT team to change Oracle passwords regularly, without breaking anything or disrupting financial transactions in the process.
  • As a result of these and other practices enabled by CyberArk, the airline achieved a significant milestone: PCI compliance.
Quantitative Benefit
  • Fine avoidance
  • Avoid disruptions in customer service
  • Increased security posture
  • Protection of brand name