Tackling PCI DSS. Thoughts and Tips for Airlines.

Bergmen Consulting shares some thoughts on tackling PCI DSS, and what it means for airlines.

Complying with PCI DSS seems to be a no-brainer when looking at how impactful payment card information leakage can be on a brand. On top of dismantling the brand’s relationship with its customers, corrective actions, such as offering identity theft coverage, can be relatively expensive. 

To become compliant, a good first step is to determine which systems process and/or store payment card data, and how. This exercise can be challenging, as it requires a comprehensive map of all the systems that the airline currently uses, as well as cooperation of solution providers and in-house experts. For certain airlines, this service/app catalog may not be available – and will certainly need to be produced. Think about tools involved in the entire flow: booking, exchange and refund, checking, revenue accounting, loyalty point accrual, revenue analysis, and so on.

A PCI compliance project will often quickly expand into a program. As the airline determines –whether-- card information is protected across -- its entire ecosystem, including external solutions, remediation projects will arise. Corrective actions- can either be to modify the existing solution, replace it, or sometimes, simply decommission it. These 3 courses of action need to be evaluated carefully, taking into account costs, time, and long-term business goals. Each corrective action often turns into a project by itself, and this is when the PCI project becomes a program.

To allow the airline to successfully establish the scope of the PCI initiative, as well as its realistic timeline, associated risks, and costs, Bergmen Consulting recommends running a comprehensive discovery project first. From there, we believe the airline will have the keys to decide whether to proceed with the initiative, and also communicate realistic expectations across the organization.

It happens that the program becomes an "excuse" to undertake other projects or needs that were discovered through the execution of the PCI compliance program, but that are not required to reach the program’s goals. These projects will likely delay deliveries and introduce risks, and additional costs.

> Watch our founder and president briefly speak about Bergmen Consulting and his vision.