Keeping a major cruise line shipshape
How we helped a travel company improve its credit card handling to help ensure PCI DSS compliance
Client
Major cruise line
Industry
Leisure and travel
Primary Goal
Protect credit card data consistent with PCI DSS standards
Technology
Microsoft Purview®
Running a cruise line means running a tight ship in all facets of the operation. That includes the protection of customer credit card data. When an industry leader recognized that the Payment Card Industry Data Security Standard (PCI DSS) was emphasizing technological solutions to identify improperly stored credit card data, it asked 乐鱼(Leyu)体育官网 to help raise its internal discovery processes and identification technology to align with the new expectations.
The complex project involved (1) scanning cloud, shore-side, on-premises file shares within a distributed fleet (with sometimes slow and unreliable connectivity) for cardholder data; (2) coordinating with stakeholders across time zones; and (3) readying scan-related documentation for an inspection by independent reviewers to assess the company’s PCI DSS compliance.
By leveraging our strong relationship with Microsoft® and our knowledge of Microsoft Purview®, 乐鱼(Leyu)体育官网 helped create a scalable and repeatable program to keep the client’s approach consistent with PCI DSS expectations. This included enabling:
Client transformation journey
We worked in a very accelerated timeframe, as the client had a near-term deadline. We came in with a team of over 20 people, and we got it done on time with no business disruption. We implemented the solution across a large fleet of ships, and we worked with people in multiple time zones. The client was very happy with the result, and especially happy when their auditor confirmed this work aligned with the new PCI expectations.
Adam Brand
Cyber and Technology Risk Principal
From refining a credit card detection solution that worked even in the middle of the ocean, to deploying it across the client’s fleet, to ensuring its smooth adoption by employees, 乐鱼(Leyu)体育官网 demonstrated the value of its close alliance with Microsoft and its winning combination of talent, experience, and scale.
While the goals of the project were well defined, the path to achievement was not. As the client was already a Microsoft customer with Microsoft Purview licenses, they decided to use Microsoft Purview for the project’s technical aspects. We proposed an Organizational Change Management (OCM) program to familiarize company employees with related changes, so they could conduct business with minimal disruption.
Our Cyber and Technology Risk group collected and evaluated project requirements to help develop our strategy. As the engagement unfolded, we provided the client with documentation and verification at each step, and we proceeded in accordance with an agreed-upon timeline. Then, when everything was ready, we held training sessions with client stakeholders to help ensure they could continue moving forward independent of our involvement.
乐鱼(Leyu)体育官网 has deep experience with Microsoft Purview, a unified solution designed to help organizations discover, classify, and govern their on-premises, cloud, and Software-as-a-Service data. Among Microsoft Purview’s key features—and critical to this mission—are its data discovery and classification capabilities. The platform is very configurable but requires study and situational training to learn all its intricacies.
And while the cruise line’s internal team could have learned to utilize Microsoft Purview, given enough time, the project had an immutable deadline. In four months, a solution had to be rolled out across multiple ships and offices for people in multiple time zones. Each well-known brand in the client’s portfolio was run independently, with its own operating reality and information technology systems. The 乐鱼(Leyu)体育官网 and Microsoft solution would need to work with them all.
乐鱼(Leyu)体育官网 approached the project in two parallel workstreams, one focused on blocking emailed cardholder data and the other concentrated on finding cardholder data already stored. Each would unfold in three phases timed to meet the four-month project deadline.
To block emailed cardholder information, 乐鱼(Leyu)体育官网 first outlined a two-week design and preparation phase to confirm existing data loss prevention (DLP) capabilities, develop an implementation plan, and design the OCM strategy that would standardize the new way of working. Weeks three through eight were devoted to testing, piloting, and launching the new DLP policy in “Monitor” mode, fine-tuning it to reduce false positives, investigating policy violations, and remediating where necessary. The “Prevent” mode of the project’s final three weeks saw the test and launch of the DLP policy deployment, as the client “went live” with a solution that blocked detected credit card numbers in emails.
The company followed a similar plan for cardholder discovery and removal. To prepare, 乐鱼(Leyu)体育官网 reviewed client-identified document-storage locations and determined what it would take to actually scan the documents. It then designed scanning and remediation processes, customized and tuned the system, documented scanner implementation steps, and assisted in their deployments. Once the system was active, 乐鱼(Leyu)体育官网 continued to provide support by reviewing progress, remediating where necessary, and summarizing the outcomes. The result: Smooth sailing.
Any company-wide change in procedures, policies, or processes must be introduced carefully. Employees need to be educated and prepared to handle new responsibilities and new ways of working in order to minimize the confusion and disruption that frequently attend such moves. 乐鱼(Leyu)体育官网 is known for its active role in OCM, designing communication strategies and executing them. In this case, the firm helped the client craft messages translated into multiple languages that were sent to over 40,000 employees. These emails explained the coming changes, why they were being made, and what to expect.
When credit card numbers were detected in files, they were investigated. 乐鱼(Leyu)体育官网 sent surveys to those who owned files with detected issues: Was it a credit card or a false positive? If a false positive, then 乐鱼(Leyu)体育官网 checked to see if a scanner needed adjusting. And if multiple cards were detected and associated with files or emails owned by one individual, then 乐鱼(Leyu)体育官网 spoke with them to learn whether there was an underlying business process that needed remediation. The firm was involved at both the most granular and the most overarching levels.
Upon successful completion of this project and validation of the solution approach, the client is moving to deploy the solution beyond the initial set of ships and throughout the entire fleet. 乐鱼(Leyu)体育官网 continues to expand its working relationship with the client and is currently assisting in more areas of their business.
If you need an integrated approach to business challenges, then 乐鱼(Leyu)体育官网 can help. We have the knowledge, experience, and tools to tailor solutions that can help to invigorate growth and profitability, optimize your operations, and leverage technology to transform your business. Contact us today and let us show you how we can help you achieve your goals.