下载PDF
CyberArk > 实例探究 > Major Airline Makes a Commitment to PCI Compliance and its Customers
CyberArk Logo

Major Airline Makes a Commitment to PCI Compliance and its Customers

技术
  • 网络安全和隐私 - 应用安全
  • 网络安全和隐私 - 数据库安全
  • 网络安全和隐私 - 身份认证管理
适用行业
  • 运输
适用功能
  • 商业运营
用例
  • 监管合规监控
  • 远程资产管理
  • 远程控制
服务
  • 网络安全服务
  • 系统集成
挑战
The airline has a robust e-commerce application, allowing travelers to search and book flights directly from the corporate website. This airline website was ranked the fifth largest travel site and the largest airline site in terms of unique visitors (source: Comscore MediaMetrix). As a result of its online growth, the airline was acutely aware of the need to maintain compliance with the credit card data protection standards mandated by the Payment Card Industry (PCI) Security Standards Council in its efforts to ensure credit card security. The PCI Data Security Standard (DSS) industry protocol is a common set of tools and measurements that are applicable across industries to help ensure the safe handling of sensitive credit card data and the protection of cardholder information. PCI Compliance in travel and tourism is often differentiated from other industries because of the lag time between when a flight is booked and when the credit card is processed for that booking. In this scenario, the credit card information is usually stored until the travel has actually taken place, or shortly before. This practice is not allowed in a PCI compliant environment, leaving travel companies at risk for fines and under intense pressure for ensuring their databases are protected from being wrongly accessed or altered - unintentionally or otherwise. As a result of these requirements and increased exposure due to its popular e-commerce business, the airline needed a new approach to document the steps it was taking to achieve PCI compliance with auditors. In this case, that meant proving that passwords to its database of sensitive customer data (including names, credit card numbers, billing addresses and other information) were being effectively monitored, managed and changed regularly.
关于客户
This Major U.S. carrier has built a successful brand based on its commitment to maintaining a loyal customer base and creating a positive travel experience. With a growing e-commerce business and a reputation based on trust, reliability and customer service excellence, the airline faced critical PCI compliance requirements necessary to protect the privacy of its customers and business. The airline has a robust e-commerce application, allowing travelers to search and book flights directly from the corporate website. This airline website was ranked the fifth largest travel site and the largest airline site in terms of unique visitors (source: Comscore MediaMetrix). The airline's commitment to customer satisfaction and security is evident in its proactive approach to meeting PCI compliance standards, ensuring the protection of sensitive customer data and maintaining the trust of its clientele.
解决方案
For any business that processes online transactions using credit cards, PCI compliance is a significant business concern. What made it especially challenging in this case was that the airline had existing systems in place to book flights, but these systems were primarily built to accommodate bookings made through travel agents and call centers. The website was initially built as an information and branding tool, but with its evolution that featured a revenue generation application that had to access those established back-end systems, PCI compliance quickly became more complex. The IT team was faced with several security challenges including how best to manage nonexpiring database passwords associated with the airline’s back-end systems. The airline looked at several alternatives and chose the CyberArk Privileged Account Security Solution because it could handle all aspects of its emerging security and compliance requirements. The airline selected CyberArk’s Enterprise Password Vault to manage its on-line booking system’s underlying operation system, and CyberArk’s Application Identity Manager™ solution to manage and change passwords to the back-end database that stores customers’ credit card information. Of particular importance was the ability of CyberArk’s Application Identity Manager to manage risks posed by passwords hard coded within applications. Privileged application identities, those application IDs (such as AppID1) used by other applications, scripts, Windows services, batch jobs and more, represent serious threats because they are largely generic, unchanged, and if an organization is not careful, changing one password could negatively impact numerous, interdependent systems with relatively little effort.
运营影响
  • CyberArk’s Privileged Account Security Solution was initially utilized to help the airline’s IT team solve its PCI initiatives for managing shared accounts on its UNIX systems. However, the airline then saw where they could improve management of both local administrative and root accounts in Windows and UNIX environments respectively as well. One of the next phases of implementation focused on using CyberArk’s Application Identity Manager for Java-based applications and application IDs used by its on-line booking systems. The airline quickly realized CyberArk could assist with both aspects of PCI compliance: securely managing its privileged accounts on Windows and UNIX environment and being able to manage application IDs in one secure, integrated platform.
  • By utilizing one integrated solution, the airline was able to leverage the CyberArk Privileged Account Security Solution infrastructure for both initiatives, thereby easing implementation, increasing time to market and exceeding deadlines associated with PCI.
  • With CyberArk, the IT team now has the ability to effectively manage privileged accounts within UNIX, Windows and Database platforms based on policy with a secure, enterprise-ready solution at regular intervals across its technology infrastructure. Prior to CyberArk, the airline wasn’t changing passwords at all. This was because in its App2App environment, the application scripts rely on hard-coded passwords, and they knew if they changed one password, the whole script could break.
数量效益
  • Fine avoidance
  • Avoid disruptions in customer service
  • Increased security posture

相关案例.

联系我们

欢迎与我们交流!

* Required
* Required
* Required
* Invalid email address
提交此表单,即表示您同意 IoT ONE 可以与您联系并分享洞察和营销信息。
不,谢谢,我不想收到来自 IoT ONE 的任何营销电子邮件。
提交

Thank you for your message!
We will contact you soon.