What Airports Need to Know About PCI DSS Compliance to Protect Against Data Breaches


As the passenger journey becomes more contactless, there are instances where sensitive card payment information could be compromised. To harden these payment systems, the Payment Card Industry Data Security Standard (PCI DSS) sets out requirements to ensure the protection and security of this data for all industries.

Especially now, when the industry is in the midst of recovery, security experts are predicting that cyber criminals will continue to focus attacks on airports and the aviation industry with the goal of accessing data. The PCI Security Standards Council (SSC), consisting of five main payment card brands including American Express, Discover Financial Services, JCB International, Mastercard, and Visa, developed a set of standards to protect sensitive payment data over a decade ago, but airports still need to stay vigilant in hardening their systems.

For airport executives seeking to bolster their cybersecurity efforts and ensure the safety of customers’ private and sensitive card data, Shawn Henry, Senior Systems Engineer for Collins Aerospace and a certified Internal Security Assessor, shared his insight on the importance of airports focusing on compliance.

When a passenger walks into an airport, there are many places where they may swipe their credit card or hand it to an agent, Henry pointed out. When the credit card is read, the data is then transmitted across the network to be validated and approved. If security standards are not met or have lapsed, there are many points of vulnerability that a cyber criminal can target, including the hardware system, the payment card reader, the network, and the data itself. That’s why PCI DSS requirements were developed – to secure each step in this process.

However, for many airports, this process can be costly and burdensome. Henry pointed out that to help airports meet compliance, Collins Aerospace has achieved PCI DSS Attestation of Compliance (AoC) for its cloud-based common-use platform, cMUSE. This cloud-based platform helps airports meet all requirements for PCI DSS compliance. “Now, when an agent swipes the credit card, our technology encrypts the credit card data information, sends it via a VPN tunnel to the cMUSE in the cloud, where it is decrypted and sent to the airline host,” Henry explained. As a result, sensitive data is never stored and the path the data takes is always secured, meeting PCI DSS compliance requirements.

For airports, achieving this level of compliance by using an easy-to-integrate, cloud-based platform lessens the burden of manually updating and monitoring their systems. With security features built into the system that meet PCI DSS requirements, airports are protecting customers’ data, building trust, and are often ahead of the curve in adhering to new policies and regulations that emerge. As the industry changes, that’s important because PCI DSS is a global standard that is often at the foundation of other compliance requirements.

“The cost and the headache of managing a data breach is not what airports want to be dealing with today,” Henry shared. “Being compliant with PCI DSS reduces that cost by preventing data breaches in the first place and leveraging a cloud-based system for compliance reduces the maintenance burden of the airport IT team.”

With PCI DSS 4.0 on the horizon, Henry recommended that airports evaluate current compliance activities so that the transition to the updated compliance standard is more manageable. This level of security for passengers is another piece of the puzzle for boosting passenger confidence in travel and is a factor that remains top of mind for everyone as we move through the world with a stronger sense of caution.