The successful introduction of the Payment Card Industry Data Security Standard (PCI-DSS) for an international Airline

By Neos IT

security, PCI-DSS, case study



Initial Situation

What is the Payment Card Industry Data Security Standard (PCI DSS) and how does a customer benefit from an implementation of this standard by an IT service provider like Neos – in this case to the IT systems of an international airline?

One way to describe the principle behind PCI DSS is as follows: if a pot of gold is kept in a secure room to which only five people have the key, it is supposedly protected against unauthorized access. However, if just one of them lets someone into the room without authorization, all of the safety precautions are moot. The PCI DSS standard works in a similar way: it prescribes fixed rules for handling IT systems and their data that are designed to protect those systems against outside attacks, and every party that handles the data has to follow them.

PCI DSS is currently used mainly by the financial sector because it is mandatory wherever credit card transactions are involved. In the travel industry, however, the certification is not yet widely adopted. Even the systems of one of Neos’ customers, a world-renowned international airline, were not PCI DSS certified prior to the collaboration. The purpose of this project was to change this and thereby significantly improve security.

It is no secret that protecting and securing data is taking on a bigger role than ever in the present age of digitalization. Particularly sensitive customer information, such as credit card data, needs special protection, but without restricting other important aspects of a company’s business. This is precisely why Neos was contacted by this customer.



The Project

The project involved not only the airline and Neos but also IBM, the producer of the software on which the airline’s systems run. The IBM Customer Experience Management software Tealeaf (CEM Tealeaf), which is used to analyze and optimize customer journeys on the airline’s booking platform, was made PCI-compliant for Neos’ client.

Neos applied the PCI DSS standard to every transaction process on the airline platform that involves sensitive credit card data. The data is passed through Neos’ PCI DSS-compliant data center in Munich, where an algorithm removes the critical pieces of the credit card information before the data reaches the airline’s servers. The result: the airline receives completely anonymized customer data. Sensitive data is thus completely unrecognizable, comparable to documents that have been blacked out by intelligence agencies as seen on TV. This allows the airline to analyze the remaining data without jeopardizing the anonymization, and the quality of the customer journey data is not compromised at all.
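To illustrate the kind of masking step described above, here is an added example (not code from Neos, IBM or the Tealeaf product) that sanitizes a captured booking-page record before it is handed to analytics: primary account numbers are detected by length and Luhn check and blacked out entirely, while sensitive authentication fields such as the CVV are dropped outright. The record, its field names and its values are constructed for this example.

```python
import re

# Constructed sample of a captured customer-journey record; every field name
# and value here is made up for this example.
SAMPLE_CAPTURE = {
    "page": "/booking/payment",
    "fields": {
        "cardholder": "Jane Example",
        "card_number": "4111 1111 1111 1111",
        "expiry": "12/29",
        "cvv": "123",
        "comment": "pay with 5500-0000-0000-0004 please",
    },
    "order_id": "1234567890123",  # 13 digits but fails Luhn: must survive
}

# 13 to 19 digits, optionally separated by spaces or hyphens, not embedded in a longer run.
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")
# Sensitive authentication data must never be retained after authorization, so the
# field is removed rather than masked. Field names are an assumption for this example.
SENSITIVE_AUTH_FIELDS = {"cvv", "cvc", "pin", "track"}

def luhn_ok(digits: str) -> bool:
    """Return True if the digit string passes the Luhn checksum used by card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit from the right
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0

def redact_pans(text: str) -> str:
    """Black out every Luhn-valid card number in free text; other digit runs are kept."""
    def repl(m: re.Match) -> str:
        digits = re.sub(r"[ -]", "", m.group(0))
        return "[PAN REDACTED]" if luhn_ok(digits) else m.group(0)
    return PAN_RE.sub(repl, text)

def sanitize(obj):
    """Recursively sanitize a captured record: drop auth fields, redact PANs in strings."""
    if isinstance(obj, dict):
        return {k: ("[REMOVED]" if k.lower() in SENSITIVE_AUTH_FIELDS else sanitize(v))
                for k, v in obj.items()}
    if isinstance(obj, list):
        return [sanitize(v) for v in obj]
    if isinstance(obj, str):
        return redact_pans(obj)
    return obj
```

Because the check is applied to every string value and not only to the known card field, a number a customer typed into a comment box is caught as well, which is the case that usually leaks card data into session analytics.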

This goal was achieved through a professional set-up of the systems by Neos that follows PCI DSS best practices. All layers of the IT infrastructure, from the Linux servers and CEM Tealeaf in the back end to the web browser in the front end, were upgraded to comply with PCI DSS and to ensure fully effective security.



Awarding the Contract to Neos

The Neos team had built a strong foundation of trust and a high level of familiarity with the client’s systems thanks to its extensive experience working with this customer.

Based on past PCI DSS projects, Neos brought in a team of experts that was able to combine a wide range of specialties with PCI DSS expertise. The airline opted to work again with Neos because the IT service provider was able to guarantee a smooth implementation and the sustained PCI DSS certification of the customer’s systems.

This included ensuring system availability during the project and during any subsequent updates. Passengers were not affected, as the changes were made to the systems in the back end.



Specific Conditions

A very close and trusting cooperation with IBM was another prerequisite for the successful implementation of this project. A clear agreement on the transfer of risk was the basis of the project’s success, since all security risks had to be excluded through the clear application of expertise. A clean reporting system was essential. The combination of trust and professionalism among all parties involved ultimately delivered a successful result for the customer.



How the International Airline Benefits from the Neos Solution

For the airline, the project has delivered significant advantages. First, a reduction of vertical integration and a consequent reduction in complexity: the customer no longer has to worry about every detail and can instead focus on its core business.

Second, the clear allocation of responsibilities between Neos, the airline and IBM ensures that potential security risks are identified and fixed at an early stage. Neos guarantees a secure IT environment and is required to document the correct implementation of the standard. This is comparable to the operating license standard in Germany: when a consumer buys a toaster, the mark tells them that it has undergone documented testing and certification. Applied to this case, the customer thus has an automatic guarantee that its application (Tealeaf) will function and be secure.

By creating a PCI DSS-certified environment, the airline’s dependence on the financial sector is reduced: because its own applications such as Tealeaf are now PCI DSS-compliant, the airline can use them to collect and analyze customer data itself. This also results in a shorter time to market, allowing the airline to respond more rapidly to changing market demands.

Added to this is an increase in value creation, because a smaller number of external parties involved in the transaction results in lower transaction costs for the airline.

The airline’s entire environment, in other words all of the servers, platforms, systems and applications operated by Neos on behalf of the airline, is now PCI DSS-certified. The customer can now make this claim in its external communications. Neos required only two months to demonstrate the compliance of the systems and receive PCI DSS certification.