Airlines Reporting Corporation (ARC) provides financial services, data products and services, ticket distribution, original travel solutions, and settlement services to the travel industry. More than 170 airlines and railroads, as well as travel agencies, corporate travel departments, and other travel suppliers, process more than $80 billion annually through ARC’s world-class e-ticketing and settlement system — making it the financial backbone of travel distribution in the United States, Puerto Rico, the U.S. Virgin Islands, and American Samoa.
PCI compliance drives need for industrial-strength data loss prevention
“As a PCI Level One-Compliant company, we need to make sure that no credit card information leaves our network,” says Jim Fallon, Security Manager at ARC. “We have rules on our email gateways to stop emails containing credit card information from going out, but a single solution is never 100 percent successful.” Consequently, ARC began looking for a better way to monitor credit card data and other personally identifiable information (PII) entering and leaving its networks.
Appliance-based DLP solution much easier to manage
After looking at several solutions — and realizing that most are focused primarily on data loss at the desktop — ARC narrowed its search to two vendors that provided network-level protection. ARC decided to go with a McAfee Network Data Loss Prevention (DLP) solution (formerly Reconnex iGuard). “We liked that this McAfee solution is an appliance, which is much easier to manage and maintain than software,” says Fallon. “Its policy setting options are also much more versatile than the other main contender.”
Immediately after ARC implemented McAfee Network DLP, it detected some obvious policy violations. After about three weeks, Fallon and others in security operations were able to sort out false alarms and had a thorough understanding of all the information Network DLP provided.
Within Network DLP, Fallon set up incident categories, such as credit card numbers and social security numbers, which he or other security staff review two or three times a day. In most cases, they can tell instantly the who, what, where, and when of any data movement that needs investigation by looking at the category’s incident log. “Incident management is made easy and is complete,” says Fallon.
Quick detection of and response to data at risk
“With McAfee Network DLP, we can tell right away if someone in the company is doing something inappropriate with our data, and then act promptly to remedy the situation,” says Fallon.
McAfee Network DLP even saves ARC employees from themselves. “One time the system detected an employee logging onto an unsecure financial site and paying his mortgage and other bills,” says Fallon. “He was not happy when we showed him we could see his username and password. He didn’t realize he was doing something unsafe.”
Flexible, granular policy setting for data monitoring
The ability of Network DLP to specify exceptions to policies and set multiple policies, rather than a one-size-fits-all approach, saves ARC significant time and hassle in analyzing captured data. For instance, ARC enters exceptions for the test credit card numbers provided by credit card companies — numbers that look like real credit card numbers but aren’t. Eliminating these numbers from the captured set reduces the number of incidents that need reviewing.
To comply with the contract requirements of some of its clients, ARC has to ensure that these clients’ names are not mentioned in any outgoing email messages. “We simply enter these agencies’ names in the system to flag any outgoing messages containing them,” says Fallon.
Monitoring data at rest as additional safeguard
ARC also uses Network DLP to monitor data at rest to ensure that credit card numbers and other sensitive data are not being stored in an unsecure manner. “We simply point the appliance at the network file shares and tell it to look for specific types of data that should not be there,” explains Fallon. ARC uses some of the solution’s built-in algorithms to search for credit card numbers — policies more sophisticated than simply capturing strings of 14 numbers.
In the future, ARC also plans to use Network DLP to help with file retention policies. For instance, the solution could be instructed to find all Microsoft Word documents in a file share that were created more than two years prior and delete them. Being able to find and delete sets of information will save on storage space as well as legal discovery costs.
Two layers of DLP
ARC is also in the process of deploying McAfee Host Data Loss Prevention (Host DLP) on its desktops as an added layer of DLP protection. “We look forward to the integration of Network DLP with the McAfee central management console, ePO, so that Host DLP can share tags and ‘learn’ from Network DLP,” says Fallon. “Integration will also reduce the DLP footprint, increase visibility across networks, and make it easier to apply policies.”
Integrated endpoint protection
While searching for network data protection, ARC also began looking for a better anti-virus solution. The company chose McAfee Total Protection (ToPS) for Endpoint—Advanced, in part because it was impressed with the solution’s central management console, McAfee ePolicy Orchestrator (ePO). After deployment to the first 50 machines, the McAfee software deleted 1,000 spyware cookies and a few viruses that the previous solution had not caught.
ARC plans to deploy all the ToPS-Advanced features over a six-month period, starting with antivirus protection, then host intrusion prevention, network access control, and policy auditing.
Complying with PCI is an absolute imperative for ARC. “We expect McAfee to play an increasing role in our ability to not only stay PCI-compliant, but also to protect our customers and our business down the road,” concludes Fallon.