Gradian Systems

Protecting information, infrastructure and interactions


Case Studies

Flybe Airline

Protecting Credit Card Information with the Right Approach to Log Management

Background

As Europe’s largest regional low cost airline, Flybe carries over 7 million passengers between 56 airports in the UK and Europe each year. Some 85% of these passengers book their flights online, resulting in vast amounts of confidential data, including credit-card information, travelling over the Internet.

The Challenge

Flybe’s customers naturally expect that the company will secure their information against unauthorised access or theft as their data travels between systems or when it is stored in Flybe’s data centre. The Payment Card Industry Data Security Standard (PCI DSS) was developed by the world’s major payment-card companies to ensure that businesses fulfill this duty with care. PCI DSS specifies how merchants must deal with card data to protect cardholders. Non-compliance carries the risk of losing the right to process card transactions.

“PCI DSS compliance is of course obligatory,” says Chris Cooper, IT Security Manager for Flybe. “But we also recognise that the standard makes good business sense. It offers sound practices that can help us operationally and protect Flybe’s reputation.”

Matthew Linsey, Flybe’s Head of IT Services, explains what this means for the company’s IT operations: “Complying with PCI DSS firstly requires us to monitor and understand events across our network so that we know what is happening to cardholder information. With more than 2,000 devices connected to our databases, the sheer volume of system and event logs they generate makes this impossible to do manually. We need automated technology to help us collect, process, analyse, audit, respond to and report on these thousands of logs.”

“And crucially,” adds Cooper, “this technology needs to be highly scalable, because we never know when and how the company will grow.” For example, the company experienced a step-change in the number of online transactions when it acquired UK airline BA Connect in 2007; and again when it took on the Loganair franchise in 2008. “We may have to accommodate significant increases in activity within a space of weeks,” says Cooper.

Solution selection

When Flybe turned its attention to PCI DSS, the company was already well on its way to choosing a solution for security information and event management (SIEM), as Linsey explains: “Before PCI DSS, there were many other good reasons for gaining control of the masses of information our systems generate. Effective log management can give us the understanding to improve operational effectiveness and lower overheads. And it’s central to security in general, not just in relation to PCI DSS.”

In 2006 Flybe evaluated several SIEM offerings and quickly realised that RSA’s enVision™ platform was the right solution. “It scored very highly on ease of use, integration with our IT infrastructure and scalability,” says Cooper. “By gathering log information from across our business, enVision technology is designed to help us obtain a comprehensive analysis of network activity. It automates report production, which we can tailor if we need. And it raises alerts in real time to help us respond to events that might present a risk to cardholder information.”

Implementation

Flybe needed a partner with a proven track record to help it implement the RSA enVision platform. It chose Gradian, which has been an accredited RSA partner for more than five years. Damian Acklam, Managing Director of Gradian, says: “We were one of the first accredited partners for the RSA enVision platform and one of the first to use the appliance in-house. We’ve helped several tier-1 and tier-2 merchants with implementations of the enVision platform. This expertise puts us in a strong position to share best practices in PCI DSS compliance and help organisations like Flybe deliver real business value with the solution.”

Flybe’s Linsey agrees: “Implementation was absolutely smooth. Everyone we’ve worked with has had an in-depth understanding of what we want to achieve. I can honestly say the relationship between Flybe, Gradian and RSA is strategic, not just during pre-sales and deployment activity but for after-sales support as well.”

Results

The enVision platform has given Flybe total visibility and control over network activity. For example, if an employee adds a new application to the network, an alert is automatically sent to the IT department, which can then investigate its authenticity and implications for customers’ confidential information.

“The alerts let us respond more quickly to potential problems and reduce reactive firefighting,” says Cooper. “With the RSA enVision platform, we have the time and information to be more proactive and to prioritise our activities towards PCI DSS compliance. And the automated, yet tailored, reporting enables us to respond to business objectives – not just comply with auditing processes.”

Linsey concludes: “We now have a firm foundation from which we can move forward more quickly with other elements of PCI DSS compliance. For example, we’ll be working with Gradian on laptop encryption to secure data used by our mobile staff, and on network intrusion detection. Getting our logs under control was a prerequisite for all this, and the RSA enVision platform has proved to be the right tool for the job.”


© 2009 Gradian.