Cindy Allen
Travel technology firms GDSX and TRX this month separately announced compliance to the Payment Card Industry Data Security Standard as set forth by the PCI Security Standards Council founded by American Express, Discover Financial Services, JCB International, MasterCard Worldwide and Visa Inc. The multi-faceted payment standardsare designed to protect cardholder data from all involved in storing, processing or transmitting it--from the merchants, financial institutions and card processors to such service providers as travel technology and data management firms that "touch" passenger name records in which payment data is stored. Card brands have mandated compliance to the standards and, depending on the risk, outlined quarterly and annual verification by self-assessment or audits by qualified firms. Cornerstone Information Systems, an agency automation provider like GDSX and TRX, also is PCI-compliant, according to marketing senior vice president Alan Minton. Minton noted, "We view it as a basic requirement to conduct business; I would think companies [would] require their technology providers to meet this standard." Cornerstone uses software to manage its compliance and periodically undergoes audits ordered by its customers. GDSX and TRX said they hired qualified security assessors to conduct independent audits, the requirements for which include security management, policies, procedures, network architecture, software design and other critical protective measures. Management.traveltalked to GDSX COO Cindy Allen to learn more about what her firm learned from the PCI certification process, which took two years and involved significant internal and external resources. Allen said compliance is to be monitored annually, with some checks performed quarterly. An excerpt follows.
As a third-party, can you explain how the PCI security standards applies to you?
We handle customer data, and everything flows through a hosted environment. We touch the PNR, and credit card [numbers] can be stored in remarks and all kinds of crazy places in the PNR. The travel management company might not be aware that they're passing it through or they might be intentionally passing it through. Regardless, most of the time when our [customers] have to answer a request for proposal or information, they need to check a box that asks, "Are you and all of your vendors that may touch our data PCI-compliant?"
What processes have you changed as a result of the compliance process?
We've changed our approach to many, many things. We've given customers a structured way to be more secure, yet still accomplish any goal. If a client needs credit card numbers, they can define that as a data element to export into their back-end reporting. In our system, [the card number would be masked and display as] just a few numbers at the beginning and end; numbers in the middle would be missing. This gives them enough to figure out which credit card a transaction is supposed to go with, but not enough [to cause harm] if somebody were to maliciously get hold of that data. We are in a unique scenario, not only from the data, but also from the control perspective. Part of what sets us apart from other quality control options is that our Compleat tool is one that empowers customers to get creative--the sky is the limit--with the product. A lot of what controls data flow is actually intellectual property owned by the customer and process-owned by the travel management company, not by us. So [our process review] was striking a delicate balance to figure out how to maintain that freedom to empower the customer to do whatever they want, yet have the structure to secure data. Finding that blend was probably one of the most significant challenges.
What did the certification involve?
We hired a QSA, Jefferson Wells. It was actually a great experience with them; we were very impressed with how they took an advisory role and gave us information. A couple of clients recommended them. We actually went through the process of reviewing and going to contract with more than one QSA to do the initial assessment. Other vendors were more about just the standards. We were happy with Jefferson Wells' approach: it was problem solving and teamwork. They really strove to understand scope right way. They wanted to understand what we did and were great about make suggestions.
Why did the certification take two years?
We did a lot of rewriting. Because it's the toolkit, designed essentially to empower the customer to do whatever they want, we rewrote much of our systems so customers could still have the freedom to accomplish what they wanted to, but gave them different ways to get to the same endpoint. If it was just our internal team, the timeline could have been different. But it wasn't; it was us and every single one of our customers. All of that had to be reviewed and certified to be in a secure way. Some of our customers have written thousands of [automated workflow] routines.
Is your role now one of a gatekeeper to ensure that clients don't compromise data security of cardholders?
It puts us in the role of guardian angel. Our customers can create and activate routines on rapid schedules if they want. Maybe they've done 95 percent of a project, or had something in production for a year. If they come to us and ask us to make [a routine] extra super-duper by adding an extra 5 percent and we realize that there are things in there that really aren't according to policy, we immediately have to step in now. We have to say, "This isn't compliant to the standard; here's what we need to do to rectify the issue. We can either turn it off or fix it." We're still going to allow customers to develop and implement as quickly as they can and want to, but if we run into issues, we'll work with customers to remediate concerns. Now we're not just in charge of change management for our internal development, but for our customers as well. You can imagine the review process now applying not only to your team, but also to all your customers! That's a big piece of what's new.