tavisca recently got its travel platform certified as PA-DSS compliant. We thought that for a travel business owner who already runs an online travel business, or is waiting to take it online, PCI compliance is of growing importance. We decided to present this feature as an interview to tell you more about the topic. Do take some time to read it.
Jagminder Sehrawat (JS) heads the professional services team at tavisca, with 60+ engineers working on product customization, enhancements, business optimization, production environment issues, general support and maintenance. He and his team deal directly with the real challenges that the online travel industry and its solution providers face. Ameya Gholap (AG), a Product Manager at tavisca, talks to Jagminder about the 4-month-long drive to meet PA-DSS compliance requirements. As he digs deeper, he realizes how rewarding this whole exercise has been for the product and how it has taken the product to a new high.
AG: At the beginning of this compliance exercise, all I could hear were the action items planned for PCI compliance, on high priority. How did it all start?
JS: About a month ago, we were in the process of collating all our work done for compliance procedures and preparing a final submission to the auditor. So yes, that explains why the air was full of action items closing the PCI phase. As to how it all began? Well, it was driven by multiple reasons.
PCI compliance for the product has been on my mind for quite some time now. My thought was reinforced when I realized my credit card credentials had been compromised. I was billed about INR 75,000 (USD 1300 approx.) in two days over suspicious transactions originating in Africa. The credit card company escalated the anomaly to me and I reacted in time. But it dawned on me that there is a bigger leak than we know of. If my credit card, used for only a very few internal product testing cycles, could be hacked, it could happen to anyone. That was a very uncomfortable feeling to have.
Fortunately for the company and the product, in the past 4 years of the history of our product development and deployment, a fraudulent transaction of this magnitude has been unheard of. We have hosted environments across continents and thefts of such magnitude have not been experienced. We already have a good fraud detection system in place that alerts well in time. Unfortunately, the prevention part of fraud is nobody’s game.
It was about time we considered adopting PCI.
AG: But then, the plans, resourcing, all got re-prioritized. How did you handle the changes and its impact to development lifecycles?
JS: We are a bunch of smart people here. No, seriously. It was easy to pick a few people from expert groups across the company, educate them on what security levels we intend to introduce into the application, and they were pretty much by themselves to go and run with it. We have separate functional teams which own different components of the application. That also made it easier, because a compliance like PA-DSS cuts through the application on all levels and is not a regional problem to be solved. It did impact our core product backlog items. But we did not compromise on customer commitments. We built fewer features from our own wish list but made sure we delivered PCI PA-DSS compliance to our customers.
AG: Did we consult anyone to help us with the audit? Considering this exercise was new for us?
JS: If you ask me, the audit has never really been the focus. The audit only tells us how close we are to compliance. Non-compliance aspects show up, obviously. In that respect, PA-DSS/PCI is very clear on its requirements, and has specific guidance on what is needed and how you can verify it. We did start with a local vendor who gave us pointers on how to begin with this exercise. They visited our office frequently and reviewed a lot of our code. There are dedicated tools to do that, by the way. Very costly tools that scanned the code from a PCI compliance perspective.
AG: Then, what happened?
JS: You don’t know how well you can swim unless you dive into deeper waters. That’s what happened to us. We did what the consulting company told us to do. And then we had our first audit, and that was a very interesting time. We learnt so much about our own product, in a good way of course. We had a lot of findings. The auditor patiently and critically pointed out all the gaps from the perspective of PCI’s expectations. We took some time to close all the gaps, produced the missing artifacts and presented them to the auditor.
AG: Could you please elaborate on the specifics of PA-DSS? What is it really? And then, what’s PCI?
JS: PA-DSS is a certification for the application, mainly dealing with the security of financially sensitive data and the securing of user profiles. It guides you on the proper management of aspects such as password policies, complexity and history of password renewal, credit card information storage, the key management system and key rotation schemes. It also scrutinizes the way we store our supplier credentials and our XML configurations. All such data should be encrypted.
- From an online travel booking application perspective, it also requires us to stay methodical and restrictive in our procedures when we add a new supplier to our booking engine.
- The specification also states that the system must maintain an audit trail of all administrative actions e.g. change of password, change in fare markup, editing personal profile information and so on.
- To add to that, the compliance requires the system to be able to ship the logs to a standard platform in a standard format like “syslog”.
AG: Since the platform caters to both B2C and B2B businesses in online travel, we handle a lot of money transactions, channelled through different affiliates and agents, with information pertaining to their banking accounts and credit cards, etc.
JS: Yes, all of it had to be secured. At some levels, we needed fundamental changes to the way we maintain and carry forward sensitive data. I am not referring to technology security; our web servers are already secured by certificates. But things like storing the CVV are not permitted anymore. Not until we also have our infrastructure in place, e.g. moving to enterprise cloud systems like those Amazon provides, which would help us a great deal.
So that’s where PCI comes into play. We have been audited for PA-DSS today, and the day our infrastructure complies with PCI standards, we would be evaluated on those grounds as well.
AG: Did we ever guess that this activity would turn out to be such a large task?
JS: Actually, we have taken much less time than we envisioned. The impact seemed so large, but thanks to the way our systems are already segregated by purpose, it has become a lot easier to tackle one compliance requirement at a time. But the fact remains that compliance is a challenging task, and for travel business owners today it is very important that they choose a platform which has gone through this compliance process and has gained significant knowledge of what PCI compliance constitutes.
AG: So how did it feel when we actually became compliant?
JS: It felt great, and there was a tangible feeling of our customers being protected better. PCI/PA-DSS compliance was a long and costly activity, but with the right technology people around it can be done efficiently. And it’s a must-have if you plan to stay in the online travel business.
AG: And how did it impact sales, both for us and our customers?
JS: Oh yes, it definitely gives us an edge over our competition. And in turn it gave our customers’ sales teams a differentiator. We have customers with diverse business models, including OTAs and B2B host agencies. Our customers’ sales teams should definitely be happier, as they have a platform that promises better security to consumers and affiliates.
AG: So what’s next?
JS: The product and its components are audited for a specific version. The audit needs to be done annually. But as online booking applications develop and more functionality gets added (online travel businesses require new business functionality frequently), staying compliant is a continuous process. PCI PA-DSS compliance is first and foremost a question of being dedicated to keeping your application continuously compliant. You need to keep working at it, and it should not be reduced to an annual activity.
My parting words would be that in the online travel business, investing in PCI PA-DSS compliant technology is not an option but a must-have.
travelnxt Platform is PCI certified, as of March 2013
Contact Sales to schedule a Product Demo
Some Important Terms
PA-DSS: The Payment Application Data Security Standard (PA-DSS), formerly referred to as the Payment Application Best Practices (PABP), is the global security standard created by the Payment Card Industry Security Standards Council (PCI SSC). PA-DSS was implemented in an effort to provide the definitive data standard for software vendors that develop payment applications. The standard aims to prevent payment applications developed for third parties from storing prohibited sensitive data, including magnetic stripe, CVV2 or PIN data. In that process, the standard also dictates that software vendors develop payment applications that are compliant with the Payment Card Industry Data Security Standard (PCI DSS).
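The interview lists three concrete PA-DSS controls for a booking platform: never persisting prohibited data such as the CVV, keeping an audit trail of administrative actions (password changes, fare markup edits, profile edits), and shipping that trail in a standard format like syslog. The following is an added example, not tavisca's or travelnxt's code, showing how those three controls fit together; the field names, the `booking-admin` host, the `travel-platform` app name and the sample record are constructed for illustration.

```python
import re

# Sensitive authentication data that PA-DSS forbids persisting after authorization
# (field names are constructed for this example; map them to your own schema).
PROHIBITED_FIELDS = {"cvv2", "cvc", "track1", "track2", "pin", "pin_block"}
# Candidate card numbers: 13-19 digit runs; the Luhn check avoids masking booking refs.
PAN_RE = re.compile(r"\b\d{13,19}\b")


def luhn_ok(digits: str) -> bool:
    """Luhn checksum, used to tell a real PAN from other long digit strings."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def mask_pan(text: str) -> str:
    """Keep only the first six and last four digits of any Luhn-valid PAN in text."""
    def repl(m: re.Match) -> str:
        d = m.group(0)
        return d[:6] + "*" * (len(d) - 10) + d[-4:] if luhn_ok(d) else d
    return PAN_RE.sub(repl, text)


def scrub_for_storage(record: dict) -> tuple[dict, list]:
    """Return (record safe to persist, names of dropped fields). Prohibited fields are
    removed outright; the PAN is kept only masked (encrypted full-PAN storage with
    key rotation is a separate control not shown here)."""
    kept = {k: v for k, v in record.items() if k.lower() not in PROHIBITED_FIELDS}
    if "pan" in kept:
        kept["pan"] = mask_pan(str(kept["pan"]))
    return kept, sorted(k for k in record if k not in kept)


def audit_event(actor: str, action: str, details: dict, ts: str,
                host: str = "booking-admin", app: str = "travel-platform") -> str:
    """One RFC 5424 syslog line for an administrative action; details are masked
    before they are logged. PRI 133 = facility local0 (16) * 8 + severity notice (5)."""
    body = " ".join(f"{k}={mask_pan(str(v))}" for k, v in details.items())
    return (f'<133>1 {ts} {host} {app} - AUDIT '
            f'[admin actor="{actor}" action="{action}"] {body}')


if __name__ == "__main__":
    # Constructed sample: an agent edits a fare markup and a test card number leaks in.
    print(scrub_for_storage({"pan": "4111111111111111", "cvv2": "123", "expiry": "12/27"}))
    print(audit_event("agent42", "fare_markup.change",
                      {"old": "5%", "new": "7%", "card": "4111111111111111"},
                      ts="2013-03-01T10:00:00Z"))
```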
travelnxt: Having a flexible and rich platform is a need of today’s travel business. The brands, markets, suppliers and offerings need constant change to stay ahead of the pack and stay current. The travelnxt platform is created out of many years of experience in the travel domain and technology, in order to help our clients grow their business without the overhang of “technical challenges” and, of course, costs. travelnxt is a comprehensive booking engine platform addressing the consumer, business and operations needs of B2B, B2C and B2B2C online travel companies. travelnxt comes with multiple integrated add-on solutions, which cover the complete business enterprise need without worry about consistency of data, integration and experience.