BUSINESS: Frontier Airlines operates 60 jets from its Denver International Airport headquarters and carries passengers to 58 locations throughout North America, including Canada and Mexico.
SCOPE: National - $1.2 billion (annual revenue, 2007)
SIZE: 5,600 employees
BUSINESS CHALLENGE: Frontier Airlines needed an effective way to manage its compliance with the Payment Card Industry Data Security Standard (PCI DSS). This included completing the PCI DSS Self-Assessment Questionnaire, running the required network security scans, and submitting validation of its compliance status to its acquiring banks.
- Qualys PCI
WHY THEY CHOSE QUALYS:
- Qualys PCI makes it possible for Frontier Airlines to validate its PCI DSS compliance with no need for outsourcing.
- Through Qualys PCI, Frontier can more easily complete its annual PCI DSS "Self-Assessment Questionnaire."
- Qualys is a PCI Approved Scanning Vendor (ASV), so its scan results are accepted for PCI DSS validation.
- Highly accurate results and an easy-to-use interface.
Frontier Airlines Shifts PCI Compliance to Autopilot
By turning to an automated, Web services-based PCI compliance solution, Frontier Airlines was able to move all of its PCI compliance efforts in-house, save time, and free much of its security budget for more strategic investments.
Frontier Airlines is no stranger to technology. This affordable-fare airline invests heavily to ensure that its operations run as smoothly as its 60 jets. In fact, roughly 80 percent of its flights are booked online at its website, www.frontierairlines.com. Based in Denver, Colorado, Frontier serves 58 cities in North America, including Canada and Mexico. Frontier, the second-largest carrier in Denver, operates about 280 flights per day, employs 5,600 people, and had revenue of nearly $1.2 billion in 2007.
For the customers who manage their travel online, the security of Frontier's site is crucial. To keep the site protected, Frontier's IT security team follows a defense-in-depth architecture and industry best practices. A core part of those practices is periodic vulnerability assessment of its network and applications. For years, Frontier had relied on a mix of open source and commercial vulnerability scanners to get the job done. What Frontier lacked was an easy and efficient way to run its own quarterly external vulnerability scans in the form the Payment Card Industry Data Security Standard (PCI DSS) requires. The consequences of failing to bring systems that handle card payments into PCI DSS compliance can be steep, ranging from fines to expulsion from card acceptance programs.
To validate its PCI DSS compliance, Frontier had relied on a security solutions provider that was also a Qualified Security Assessor (QSA). But Frontier wanted the flexibility to run a scan whenever it needed one. Business technology and networks change quickly, and whenever Frontier wanted to evaluate a server or application that had changed, it had to call the QSA, schedule a scan, and pay an additional fee for each IP address evaluated. “It may not sound like a big deal, but it added additional expenses and layers of communications,” says Steve Greenberg, IT security manager.
Even more important, because the QSA used a different network security and compliance assessment platform than the vulnerability scanners in place at Frontier, the assessment reports never matched. “We had a significant consistency gap because the QSA was judging our compliance based on the specific results of its reports,” explains Greenberg. “We would resolve issues, but the results didn't match what our QSA found. We needed to do something else,” he says.
It turned out that Frontier's QSA, like many other solution providers, relied on Qualys PCI to run compliance assessments, support remediation, and submit reports for its clients. Initially, Frontier's security team adopted Qualys PCI so that the results of its own scans would be consistent with those produced by its QSA. The benefits of Qualys PCI quickly exceeded that modest goal and proved far more significant for Frontier's security team.
More Strategic Security Spending, Streamlined Scans
Qualys PCI, delivered as an on-demand Web service, requires no software or infrastructure to deploy and manage. For these reasons, many Web merchants and QSAs alike turn to Qualys PCI as an accurate, turnkey way to handle PCI compliance testing, reporting, and submission. Qualys PCI walks merchants through PCI compliance in a guided three-step process: online completion of the annual PCI DSS Self-Assessment Questionnaire, network security scans, and automatic submission of the annual questionnaire and quarterly scan results that validate compliance.
“Qualys PCI works smoothly,” says Greenberg. What further streamlines operations for Frontier is that Qualys is certified as a Qualified Security Assessor by the PCI Security Standards Council. “We didn't realize that it was possible for us to scan and assess ourselves for compliance,” he says. “But that's exactly what we do with Qualys PCI. It's helped us to be even more efficient with our security program,” he adds.
That is made possible by Qualys PCI's guided user interface and workflow, designed to let merchants achieve and maintain continuous PCI compliance. Today, Frontier's security team no longer has to schedule and pay for PCI scans, let alone pay each time one of its hosts or servers is updated or changed. “We just fire up Qualys PCI and get it done,” he says. “We're now using our security outsource budget for more strategic initiatives, such as high-level consulting services,” says Greenberg. “That's a much better investment for us.”
Frontier Standardizes Its Internet Network Assessments
The ease of using Qualys PCI, coupled with the accuracy of its results, proved so effective that Frontier recently chose to standardize on Qualys for both PCI compliance and vulnerability management of its entire internal network. Through Qualys Enterprise, Frontier will soon manage its entire vulnerability management life cycle: asset discovery, vulnerability assessment, and tracking and reporting throughout remediation. Like Qualys PCI, Qualys Enterprise is an on-demand solution delivered as a Web service that requires no software or costly infrastructure to deploy and is fully managed by Qualys. “Qualys is now our primary scanner for vulnerability management,” Greenberg says. Currently, he and his team use Qualys Express to run periodic assessments, but soon those scans will be fully automated. “This is really going to help us be more efficient,” he says.
Frontier had initially set out to streamline and coordinate its PCI assessments with its external QSA, but the move to Qualys PCI proved far more valuable than that. Frontier is now able not only to run its own PCI scans and submit the results, but also to consolidate the number of scanners it must use and free its security services budget for more strategic investments. “Moving to Qualys has been a great decision for us,” Greenberg says.