Mar 16, 2017 - 9:30am

Airlines’ Payment Systems Are Tempting Targets for Cyber Attack


Senior Vice President, National Security & Emergency Preparedness Department, U.S. Chamber of Commerce

General Manager, PCI Security Standards Council

On March 2nd the U.S. Chamber of Commerce hosted an Aviation summit in Washington DC to address a range of issues related to the aviation industry. One issue particularly worrisome for the aviation industry? Cyber threats to consumers' financial information and security — both here in the U.S. and internationally.

Make no mistake about it – the aviation industry has been and will continue to be under assault from cyber criminals around the globe. According to the International Air Transport Association (IATA), the airline industry faces losses of $1 billion a year from ticket fraud. When Interpol executed its sweeping Airport Action Day, it made 193 arrests in 189 airports across 43 countries involving 75 airlines. Those stunning statistics demonstrate just how widespread this problem is and how monumental a task faces the aviation industry, law enforcement and the traveling public.

The aviation industry's challenges around payment security are complex. For starters, aviation is an industry with a large diversity of payment options and legacy system challenges. Passengers can make purchases in person, online, with their phones, and on the plane, and can purchase everything from an airplane ticket to a cocktail. Airlines also have frequent problems such as cancelled flights, lost luggage, and unexpected diversions that can further complicate payment security. Most airlines have very sophisticated rewards programs that store sensitive consumer data, a juicy target for fraudsters who seek to steal valuable information and perpetrate fraud, identity theft, and sophisticated phishing attacks. Add to all these issues the international component of the aviation industry, as well as the high volume of daily activity, and it becomes clear why this industry is facing non-stop attacks. Despite the multitude of attack vectors and legacy system challenges, this industry is deeply committed and moves customers and their data around the globe every day.

Even with the enormous challenges that the airlines face, the good news is that the successful attacks on the aviation industry are often the result of things we do, in fact, have defenses for – weak passwords, malware, spear-phishing, remote attack vectors, poor patching and SQL injection. This means that with the proper security in place, the risks of these attacks can be greatly reduced.

Tokenization and point-to-point encryption are two very powerful tools that, when used properly, make payments considerably safer. These two approaches are critical to protecting data and protecting the transfer of data. Tokenization devalues data in the hands of criminals, making any stolen data useless, and point-to-point encryption protects data while it is being transferred. Both of these security approaches are considered best practices for securing payment data and can be of enormous value to the aviation industry.

Data security should be a 24/7 priority, rooted in a foundation of principles that include:

  1. Keep the bad guys out
  2. Set up your systems properly
  3. If you must have data then protect it
  4. If you must send data then encrypt it
  5. Protect yourself against malware and other attacks
  6. Build your software properly and securely
  7. Keep access to the card data to a minimum
  8. Make sure people are who they say they are
  9. Physical security is just as important
  10. Track who goes where and what they do
  11. Test and check everything is working correctly
  12. Make sure everyone knows what is required

Data security must be viewed as a business issue for high-risk industries like aviation because security is at the very heart of their business success. Fortunately, data security is becoming a priority boardroom issue across the global economy as businesses realize the high price of dealing with a major breach. Breaches drive away customers, tank stock prices, lead to litigation and government investigations, and can end executive careers. By putting in place the right kind of security, companies can gain a competitive advantage in the marketplace, and their executives, employees and customers can all sleep better at night.

Safe travels!

About the Authors

Senior Vice President, National Security & Emergency Preparedness Department, U.S. Chamber of Commerce

Beauchesne is the principal spokesperson on national security and emergency preparedness issues, and is responsible for building and maintaining relationships with administration and regulatory agency leaders.

Stephen W. Orfei, General Manager, PCI Security Standards Council

Mr. Orfei leads the PCI Security Standards Council in its mission to educate, empower and protect payment data globally, working closely with merchants, acquirers, financial institutions, security practitioners, law enforcement and other key stakeholders across the global payment eco-system.