Averting turbulence in the air

The diversification of payment methods and gradual increase in the volume of online transactions have cast a spotlight on the need for payment security compliance within the airline industry. With the new, recently onboarded Payment Card Industry Data Security Standard (PCI DSS) v4.0, it’s important to explore the intricacies of PCI DSS compliance and uncover some of the challenges and opportunities that are in the wings for this dynamic sector.

But first, let’s look at a scenario of how PCI DSS might apply to the average vacation planner, Erin. Since Erin has a limited budget, one of the first things she might do is go to the internet and browse through meta-search engines looking for a deal. As she enters the target destination and date, the website displays a list of options with prices. She wants the cheapest price with the least number of layovers. She is also mindful of security: “Is it too adventurous to book the ticket through an unfamiliar travel agency, or should I book through the airline itself?” she wonders. Booking through the airline could be cheaper or more expensive, but at least it would be a safer choice for Erin considering any abrupt changes in schedule or security of her personal data, right?

Well, not exactly. A simple Google search reveals that some of the major airlines with state-of-the-art IT infrastructure have had customer data stolen in security breaches. According to Verizon’s 2023 Data Breach Investigations Report (DBIR), the transportation industry as a whole recorded 349 incidents, 249 of which were confirmed breaches. As a result, PCI DSS has become a pivotal framework for the airline industry, governing how payment card transactions must be secured.

Understanding the PCI DSS Standard

PCI DSS is an information security standard designed to ensure companies that process card payments maintain a secure IT environment for their customers. The PCI DSS v4.0, released in March 2022, with mandatory compliance starting on March 31, 2024, represents an updated and refined version of the Standard. It incorporates lessons learned from previous versions, past security breaches, and emerging new threats. The updated Standard is expected to introduce more robust security controls in order to raise the bar for safeguarding cardholder data. From buying tickets online to purchasing duty-free cosmetics on the aircraft, revenue streams and payment methods are becoming more and more complex for the air carriers. In order to comply with the new Standard, the industry will need to adapt its existing security measures to meet the tightened security controls, calling for a comprehensive review and potential overhaul of its cybersecurity infrastructure.

Understanding the business of the airline industry

As previously mentioned, the revenue streams are becoming diversified in the airline sector. Loyal customers are likely to book their flight tickets directly through the airline website or mobile app, whereas sporadic customers have a plethora of options, such as third-party websites, travel agencies and even the airport counter. Up in the air, customers can choose to alleviate their flight anxiety by ordering a snack or drink, and on the ground, they can purchase neck pillows from the airline’s duty-free or retail stores. If the customers are in the mood to enhance their travel experience, they can look into airline ancillaries and order extra seats, baggage, or even lounge access. In order to gain a competitive advantage over their competitors, the airlines have no choice but to constantly venture into new business opportunities while satiating the growing demands of their customers and shareholders.

In addition, the world of e-commerce technology seems to be perpetually evolving with fintech innovations and payment orchestration platforms. Following this trend, some airlines even developed their own “payment application” through which customers not only can book airline tickets but also make payments on other e-commerce platforms. Even with all aforementioned technological advancements and diversified payment streams, one unavoidable and common element persists: transmission of valuable financial data, such as payment card information, through the wilderness of the World Wide Web.

Understanding the difficulty of complying with PCI DSS in the airline sector

Airline passenger data repositories tend to be the holy grail for cybercriminals due to the sheer amount and value of the data. This is also due to the demographics of airline passengers, who are likely to be affluent enough to travel with platinum credit cards at their disposal. Many airlines have no choice but to store payment card data to handle chargebacks, refunds, installments and recurring payments. To safeguard this large influx of cardholder data, the airlines are required to encrypt it when stored in their environment, as per PCI DSS (Requirement 3, to be specific). However, this isn’t enough. The newly updated PCI DSS v4.0 asks all organizations to encrypt the data at the application level; in other words, disk- or partition-level encryption alone is no longer sufficient. If hash algorithms were used instead to render cardholder data unreadable, they now need to be “keyed” hashes (hash-based MAC, cipher-based MAC, etc.) rather than plain one-way hashes. If unkeyed one-way hashes such as SHA-256 were used, the airlines will have to replace them with keyed hashes. This is not a simple task, since it could potentially involve costly updates in software and hardware, significant changes in code, data flows and system calls and, most importantly, downtime of end-user programs.
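The difference between an unkeyed hash and a keyed hash is easy to see in code. The block below is an added example (not from the article or from Verizon): it masks a PAN for display, computes the plain SHA-256 the text says no longer suffices, and computes an HMAC-SHA256 keyed hash that can only be recomputed by a party holding the key, which is what makes it usable for matching a refund or chargeback to a card without storing the PAN. The sample PAN is an industry test number, not a real card, and the key-loading from an environment variable named PAN_HMAC_KEY is an assumption standing in for a real key-management system.

```python
import hashlib
import hmac
import os

# Constructed sample: a well-known test card number, not a real cardholder's PAN.
SAMPLE_PAN = "4111111111111111"


def mask_pan(pan: str) -> str:
    """Display form allowed by PCI DSS: at most the first six and last four digits."""
    digits = "".join(ch for ch in pan if ch.isdigit())
    if len(digits) < 13:
        raise ValueError("PAN too short")
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def unkeyed_hash(pan: str) -> str:
    """Plain one-way hash. Anyone holding the hash can recompute it from a
    candidate PAN, so on its own it no longer renders the PAN unreadable
    in the sense PCI DSS v4.0 requires."""
    return hashlib.sha256(pan.encode()).hexdigest()


def keyed_hash(pan: str, key: bytes) -> str:
    """Keyed hash (HMAC-SHA256). Without the secret key the value cannot be
    recomputed from a candidate PAN, which is the property a keyed hash adds."""
    return hmac.new(key, pan.encode(), hashlib.sha256).hexdigest()


def pan_matches(stored_mac: str, candidate_pan: str, key: bytes) -> bool:
    """Constant-time comparison used when a refund or chargeback must be
    linked back to a previously seen card."""
    return hmac.compare_digest(stored_mac, keyed_hash(candidate_pan, key))


def load_key() -> bytes:
    """Assumption: the HMAC key is supplied by a key-management system through
    the environment variable PAN_HMAC_KEY (hex). A random key is generated only
    so the example runs offline; a real deployment must persist and protect it."""
    hex_key = os.environ.get("PAN_HMAC_KEY")
    return bytes.fromhex(hex_key) if hex_key else os.urandom(32)


if __name__ == "__main__":
    key = load_key()
    print("masked:   ", mask_pan(SAMPLE_PAN))
    print("sha256:   ", unkeyed_hash(SAMPLE_PAN))
    print("hmac:     ", keyed_hash(SAMPLE_PAN, key))
    print("matches:  ", pan_matches(keyed_hash(SAMPLE_PAN, key), SAMPLE_PAN, key))
```

The keyed hash is only as strong as the protection of the key: if the key sits next to the hashed PANs in the same database, the scheme collapses back to an unkeyed hash, which is why the key belongs in a separate key-management component with its own access controls.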

But what if they do not store any cardholder data?

If they merely transmit cardholder data without storing it in their database, the number of PCI DSS requirements applicable to the airline is reduced (most of Requirement 3 falls away). However, the remaining requirements can still be quite overwhelming because there are so many. Another requirement on data security is Requirement 4, which aims to protect cardholder data as it is transmitted over the internet when customers make online transactions. PCI DSS v4.0 also asks all merchants to have an “automated” technical solution protecting their public-facing web applications, meaning a web application firewall (WAF) is now a must. While most full-service carriers should already have WAFs protecting their web environment, lower-cost carriers might struggle to remain compliant because this piece of hardware or software generally does not come cheap. Several other key changes aim to strengthen the web environment, such as integrity protection for payment page scripts, and airlines are actively engaging with PCI Qualified Security Assessors (QSAs) to evaluate their compliance status.

We all know that there is no one-size-fits-all type of solution to meet the rigors of the PCI DSS requirements. However, one common measure can be applied for all carriers: Do not touch (store, process, or transmit) any payment card data to begin with.[1]

That’s a great idea. But how?

This may sound too obvious or superfluous, but it’s the most effective way of reducing the risk of a data breach. The PCI Security Standards Council (SSC) also recommends that organizations: “Do not store cardholder data unless there is a legitimate business need.” Better still, the airline can avoid touching any cardholder data at all by outsourcing payment capabilities in its web or mobile apps to a third-party payment gateway. When customers reach the stage of making the online transaction, they can either be redirected to the payment gateway’s website or complete the transaction through an iframe embedded in the airline’s payment page. For chargebacks, installments, refunds, credits, and vouchers, the airline can use tokenization so that it never stores the full cardholder data. All these measures help the airlines reduce their scope and the number of applicable PCI DSS requirements to a minimum.

But what about in-person payments?

There are many cases where airline customers have to make in-person card payments, such as in airports, on board aircraft, or in retail stores. In processing the transaction, the cardholder data traverses many different layers of IT infrastructure, such as the point of interaction (POI) devices, computers, switches, routers, firewalls, etc. PCI DSS states that all in-between systems that “touch” cardholder data must be included as part of the merchant environment, and this is where most airlines would struggle. First, in-flight real-time payments are not protected by 3-D Secure, meaning the card brands (Visa, Mastercard, American Express, Discover Financial Services, China UnionPay, and JCB International) or banks cannot verify the identity of the payer. Second, if the payment isn’t processed in real time, the POI devices must hold the customer’s cardholder data, including the card number, sensitive authentication data (PIN, CVC, or CVV), and/or magnetic stripe data until connectivity is established. If attackers get hold of these payment-capturing POI devices, they can potentially gain access to the customer’s entire payment information.

As for the retail environment on the ground, the airport’s IT systems, such as workstations and network devices, are not usually owned by the airline—they are commonly owned by the airport operators. These IT systems are also shared among many other airlines, and it could be challenging to properly maintain the level of security of this shared infrastructure. Per PCI DSS, all of these in-between systems must be a part of the merchant’s scope of compliance and validation. However, with so many airports around the world, it’s a challenge for airlines to ask each airport to be PCI security compliant or to have the PCI Qualified Security Assessors (QSAs) evaluate the security maturity of the shared airport infrastructure. Having third-party service providers (TPSP) who are not PCI security compliant would constitute a clear violation of the PCI DSS Requirement 12.8. And this is where Point-to-Point Encryption (P2PE) devices could come in handy.

P2PE devices are PCI council-approved devices that can encrypt the cardholder data from the moment it is captured, all the way to the payment gateway or acquirer’s environment. It allows the airline to remove any of the aforementioned in-between IT systems out of the airline’s PCI DSS scope. This simple scope-reduction technique can be applied to other in-person payment channels, such as retail stores or in-flight transactions. It also removes the headache of having to manage non-compliant TPSPs, except for providing security awareness training for the device handlers and maintaining the inventory of payment-accepting devices.  

Managing your third-party service providers

Speaking of third parties, the PCI SSC has elaborated further on the use of TPSPs and their impact on companies in Section 4 of the updated PCI DSS v4.0. This update indicates that the PCI SSC will be placing greater emphasis on vendor risk management once PCI DSS v4.0 becomes the only Standard available. In order to meet Requirement 12.8, any TPSP that can potentially impact the security of the airline’s cardholder data environment must be included in scope for the PCI DSS assessment. This includes the likes of cloud infrastructure, managed security providers, application development, call centers, etc., basically anything or anyone that can impact the security of the cardholder data environment.

A concept that is somewhat unique to the travel industry is the Internet Booking Engine (IBE), which allows travelers to make reservations and manage their bookings. The IBE also allows the airlines to optimize their revenue by forecasting demand and fine-tuning prices. Full-service carriers often choose to develop their own IBE as part of their in-house operation. Low-cost carriers, on the other hand, often outsource the development and integrate with popular global distribution systems (GDS), such as Navitaire, Travelport, or Sabre. Either way, they must ensure that their IBE is developed securely while meeting the secure software development lifecycle requirements in PCI DSS. However, the problem often arises from the fact that there are limited options when it comes to procuring the third-party service providers (TPSPs) that can develop and maintain IBEs, and not all of them may be PCI DSS compliant.

If the TPSPs for building and maintaining IBEs are not PCI compliant, the airlines must ensure that any operational activities performed by the TPSP personnel strictly follow the PCI DSS compliance requirements. The “personnel” in this context could refer to anyone that can impact the security of the IBE, including the developers, project managers and systems administrators. In a perfect world, all TPSPs that are involved in the IBEs are located within the perimeter of the airline’s secure environment. But if any of the TPSP personnel were working remotely from the comfort of their homes, local coffee shop, or even from outside of the country, securing the environment—such as the personal firewall, anti-virus, and encryption mode on the routers—would be extremely difficult. 

The responsibility of having to oversee the TPSP’s environment goes beyond the area of IBEs—it has to be applied for any service provider that can potentially impact the security of the airline’s PCI DSS scope. For this reason, Verizon recommends that the airlines ask for PCI Attestation of Compliance (AOC) from their service providers and make it part of the contractual agreement from the beginning. In doing so, airlines can mitigate or transfer the risks coming from third parties while meeting the intent of the PCI DSS requirements. The most ideal situation would be to insert a PCI DSS clause in the organization’s master contract so that all service providers agree on safeguarding the airline’s cardholder data at all times or they would risk having their contracts terminated. The airlines would still have to ensure that all TPSPs provide updated PCI AOCs every year, and actively track their PCI compliance year round. But at least it’s better than having a much larger scope for your annual PCI DSS assessment, right?
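The AOC-tracking routine the paragraph describes is simple enough to automate. The block below is an added example (not from the article or from Verizon) of a small Requirement 12.8 register: each service provider is recorded with whether it can impact the cardholder data environment, the date on its most recent AOC and whether its contract carries a PCI DSS clause; the review function then flags providers whose AOC is missing or older than a year (the “updated PCI AOCs every year” cadence from the text) and those with no contractual clause. The provider records and dates are constructed for this example; the twelve-month validity and the 90-day warning window are assumptions, and the sub-requirement numbers 12.8.2 (written agreements) and 12.8.4 (monitoring TPSP compliance at least annually) are taken from PCI DSS itself, not from the article.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List, Optional


@dataclass(frozen=True)
class ServiceProvider:
    name: str
    service: str
    impacts_cde: bool                # can it affect the security of cardholder data?
    aoc_date: Optional[date]         # date on the most recent AOC, None if never received
    contract_has_pci_clause: bool    # does the master contract carry a PCI DSS clause?


# Assumptions: an AOC is accepted for twelve months, and renewal work starts 90 days out.
AOC_VALIDITY = timedelta(days=365)
WARN_WINDOW = timedelta(days=90)


def aoc_status(p: ServiceProvider, today: date) -> str:
    """Classify a provider's AOC as out of scope, missing, expired, expiring or current."""
    if not p.impacts_cde:
        return "out of scope"
    if p.aoc_date is None:
        return "missing"
    expires = p.aoc_date + AOC_VALIDITY
    if today > expires:
        return "expired"
    if today > expires - WARN_WINDOW:
        return "expiring"
    return "current"


def review(providers: List[ServiceProvider], today: date) -> List[str]:
    """Return the findings a year-round 12.8 check would raise on this date."""
    findings = []
    for p in providers:
        status = aoc_status(p, today)
        if status in ("missing", "expired"):
            findings.append(f"{p.name}: AOC {status}; annual monitoring (12.8.4) not satisfied")
        elif status == "expiring":
            findings.append(f"{p.name}: AOC expires within {WARN_WINDOW.days} days; request renewal")
        if p.impacts_cde and not p.contract_has_pci_clause:
            findings.append(f"{p.name}: no PCI DSS clause in contract (12.8.2)")
    return findings


# Constructed sample register for an airline; names and dates are illustrative only.
PROVIDERS = [
    ServiceProvider("ExampleCloud", "hosting for booking platform", True, date(2023, 10, 15), True),
    ServiceProvider("IBE Builders Ltd", "IBE development and maintenance", True, None, True),
    ServiceProvider("SkyMeals", "in-flight catering", False, None, False),
    ServiceProvider("CallCo", "outsourced call center taking card payments", True, date(2023, 2, 1), False),
]


if __name__ == "__main__":
    for line in review(PROVIDERS, date(2024, 4, 1)):
        print(line)
```

Because the inputs are a flat list, the same function can be fed from a spreadsheet or vendor-management export, and scheduling it to run weekly turns the annual AOC chase into a continuous check rather than a scramble before the assessment.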

Conclusion

As the airline industry prepares for PCI DSS v4.0, which becomes the only Standard in force from April 2024, a proactive approach is paramount on the journey to full PCI DSS compliance. Handling the complexities of the updated Standard will require rigorous planning and a commitment to securing the immense amounts of sensitive data transiting through satellites and circuits. In the face of these challenges, due diligence in passenger data protection is not only mandatory for compliance but also a fundamental aspect of maintaining customer trust and the brand reputation of the airline sector.

[1] PCI Security Standards Council, PCI Data Storage Do’s and Don’ts, https://listings.pcisecuritystandards.org/pdfs/pci_fs_data_storage.pdf 

Sung Chae is a QSA for Verizon Cyber Security Consulting specializing in various GRC frameworks, such as PCI DSS and ISO27001. He is based in South Korea.

Category: News. Posted December 21, 2023.