How Allegiant Air Solved Their PCI Problem and Got a
Whole Lot Better Security Culture, Too
Transcript of a sponsored discussion on how security technology can lead to a better posture
maturity and then ultimately to cultural transformation and many added business benefits.
Listen to the podcast. Find it on iTunes. Get the mobile app. Sponsor: Hewlett
Packard Enterprise.
Dana Gardner: Hello, and welcome to the next edition to the Hewlett Packard Enterprise
(HPE) Voice of the Customer podcast series. I’m Dana Gardner, Principal Analyst at Interarbor
Solutions, your host and moderator for this ongoing discussion on IT
Innovation -- and how it's making an impact on people's lives.
Our next security innovation and transformation discussion explores how
airline Allegiant Air solved their payment card industry (PCI) problem, and
got a whole lot better security culture to boot.
When Allegiant needed to quickly manage their compliance around the
Payment Card Industry Data Security Standard, it embraced many
technologies, including tokenization, but they've also adopted an improved
position toward privacy methods in general.
Here to share how security technology can lead to posture maturity -- and then ultimately to
cultural transformation with many business benefits -- we're joined by Chris Gullett, Director of
Information Assurance at Allegiant Air in Las Vegas. Welcome, Chris.
Learn More About Safeguarding
Data Throughout Its Lifecycle
Read the full Report
Chris Gullett: Thank you, Dana. I’m looking forward to this discussion.
Gardner: Let's begin at a high level. What are the major trends that are driving a need for better
privacy and security, particularly when it comes to customer information, and not just for your
airline, but for the airline industry in general?
Gullett: The airline industry in general has quite a bit of personally identifiable information
(PII). When you think about what you have to go through to get on the plane these days,
everything from your whole name, your date of birth, your address, your phone number, your
flight itinerary, is all going in the record.
There is a lot of information that you would rather not have in the public domain, and the airline
has to protect that. In fact, there have been a couple of data breaches involving major airlines
with things like frequent-flyer programs. So, we have to look carefully at how we
interact with our customers and make sure that data is incredibly
safe. We just don't want to take the brand hit that would occur if
data leaked out.
Gardner: At the same time, we’re enjoying much better benefits by
attaching more data to transactions, to process; we're able to cross
organizational boundaries. And so, the user-experience benefits of having more data are huge.
We don't want to back off from that, but we do want to be able to make sure that that data is
protected.
What are some of the major ways we can recognize the need for better data uses, but keep it
protected? Can they be balanced?
Technology fronts
Gullett: The airline industry is moving forward on a lot of technology fronts. Some airlines,
for example, are using mobile devices to welcome specific customers on board with a complete
history of how good a customer they are to that particular airline, so they can
provide additional services in the air.
Other airlines are using beaconing [location] technologies, which I think is
kind of cool. If you have a mobile app on your phone for the airline and you're
transiting through the airport, how cool is it to know where you are and how
long it's taking you to get through security. So, the airline might adapt at the
gate as to whether there are going to be problems or not in boarding that
particular plane.
There are a lot of different data points that are being collected and used now with different
airlines handling them in different ways. In any event, the need for privacy is important,
especially in the European Union (EU), which has incredibly tight data-privacy protection laws.
Gardner: We've talked about that on this podcast series. Now, the answer isn’t just the old
thinking around security, where we'll just wall it off, or we'll use as little data as possible.
Instead, we need to have more data in more places -- even down at that mobile edge.
So, as we think about ways to accommodate our need for more data in more places, even
everywhere, is there top-level thinking that goes along with being able to make the data private,
but also usable?
Gullett: That's the balancing point. Everybody wants their data everywhere. Before, a data
center protected data inside the tight little confined, hardened shell you used to have, a perimeter
with a firewall, and things like that. But we need data out to the edge where it's actually being
consumed; that’s what has to happen these days.
Some airlines are putting consumer PII right in the hands of the flight attendant on the plane. At
Allegiant, for example, we're using mobile devices to accept credit cards on the plane. We're
experimenting with a number of different technologies that fall into a category of Internet of
Things (IoT), when you think about them. What they all have in common is that they're outside
any possible perimeter.
So, you have to find a way to make every device have its own individual perimeter, and harden
the data, harden the device, or some combination of the two.
Gardner: Let's hear more about your particular airline. Tell us about Allegiant Air and what
makes it unique in the airline industry.
Regular profitability
Gullett: At Allegiant, we're up to 54 consecutive quarters of profit, which is unheard of in the
airline industry. The famous phrase about the airline industry is, “How do you become a
millionaire? You start with a billion dollars and you buy an airline.”
The profitability of airlines has been much in the news over the last couple of decades, because
it's cyclical. Airlines fail, go into bankruptcy, or consolidate. There's been a lot of consolidation
in the United States, with United taking on Continental, and Delta taking on Northwest as
examples. Southwest taking on AirTran is another. Everybody has been in the game.
Allegiant is kind of off on its own. We've found an interesting niche that has very little direct
competition on the routes that we serve, and that is taking vacationers to their favorite vacation
destinations.
We connect small- and medium-sized markets -- markets like Kalispell, Montana or Indianapolis,
Indiana, a medium-sized city. We'll take them to Florida, Las Vegas, or Los Angeles. We have
about 19 vacation destinations now. We have about 115 cities overall. In fact, we serve more
cities than Southwest, if you want to get a comparison on the size of the route map. And we're
also taking the charter operators to three different countries in the Caribbean.
We have quite a different footprint. That adds up to about $1.3 billion in revenue a year, and
from a profitability standpoint, Allegiant is regularly recognized as one of the most profitable
airlines in the world.
Gardner: It sounds like most of your passengers, perhaps even all of them, are vacationers, not
business travelers. Does that change anything when it comes to user experience, privacy, and
data security?
Gullett: It doesn't change anything as far as the need to protect the data, but it puts a greater risk
of brand problems concerning data breaches.
Consider the fact that our average customer flies with us once or twice a year. They are, in many
cases, flying Allegiant, rather than driving to their vacation destination. Or maybe they're taking
a vacation they wouldn't have otherwise because of Allegiant's low prices.
So what you have is “not-frequent travelers.” In fact, that would be kind of a name. If we were
going to have a frequent-flyer program it would be the “not-frequent-flyer program,” because
vacationing people just don't fly as frequently.
If I'm a business traveler, I am on so-and-so [airline], and they had a breach, I'm going to
continue to fly them because I have marvelous status with their frequent-flyer program. Allegiant
customers say, “Gee, I'm a little concerned about that and if they have a data breach, I think I'll
drive instead.”
So the brand damage from a breach, I believe, is higher for our airline than some of the other
airlines out there.
Everyone's responsibility
Gardner: Given how important it is to your business, to your brand, how do you rationalize
these approaches to security to the larger organization? I know that's probably not as prominent a
problem as it used to be, because we can see directly the business implications of security issues.
But how do you make security everybody's responsibility? Is that something that you have been
trying to do?
Gullett: First, we're very lucky at Allegiant to have incredibly broad support from the C-suite
level and the board of directors for our security program. That's not a benefit that every company
has, but we do, and it certainly makes life easier in developing the procedures and processes, and
the technologies, necessary to protect our customer data.
We came into the business at Allegiant with the idea that we have the typical triad of people,
process, and technology to deal with in the information security program -- the three legs on a
stool. If you miss one of those, you are going to be on your butt on the ground because the stool
isn't going to work very well.
We focused on technology and process early on, because those were the easy things. Those were
the low-hanging fruit. We've really moved into more of a stage of being people-focused now. In
fact, much of our budgetary spend is on security awareness for our people.
We really had to look at how we best introduce security awareness to the entire company, and to
make the company more culturally sensitive to information security. That extends from the
customer service agent who's checking you in at the ticket counter all the way up to the board of
directors.
The [security leadership] has certainly chimed in and made our board more aware of problems
concerning information security. Recently U.S. Senator Edward Markey (D-Massachusetts) has
also introduced legislation that specifically targets cyber security in the United States domestic
airline industry.
That need to protect the data has to be recognized, and the most important part of protecting the
data is the people that are handling the data. Awareness is really a big part of our program now.
Gardner: How did PCI-compliance form a trigger for your organization? What did that change
mean for you, and maybe you could explain how you have gone about it at the process, people,
and technology levels?
Compliance requirements
Gullett: Well, god bless compliance, because I think I got my first information-security job
thanks to an auditor telling someone that they needed an information security guy because of
Sarbanes-Oxley. And I joined Allegiant because of PCI. These various compliance regulations
have certainly done wonders for the job market in information security. I can only imagine what
it’s like with the data security and the EU General Data Protection Regulation (GDPR).
But, in regards to our travel into the world of PCI, Allegiant is also a unique airline in that the
software that runs through the airline, the applications that run the airline, are proprietary. We
actually write that ourselves. We have a large development staff and every aspect of the
operation of the airline is run by custom software that we control and we write.
There are a lot of benefits to that because it allows us to be very agile and flexible if we want to
make changes, but there is a downside. Some of the code dates back to the green screen days of
the 1990s, and that code was going to be very difficult to bring into compliance from a PCI
standpoint. It was just not written with security in mind, and while it wasn’t directly handling
credit-card data, it was in the process scope.
A big concern was how we were going to ever bring a significantly non-compliant custom app
that would take a great number of application-developer hours to bring it up to snuff and still
meet a relatively tight schedule for becoming PCI-compliant. And so, at the time we looked at a
number of different products out there and we thought, well, we can't solve every problem right
now. So let’s bite off small chunks and we'll take care of that.
The first thing that looked like it would be fairly easy to do, or at least straightforward from a
technology standpoint, was tokenization. And so, our search was, how can we tokenize the cards
that we are storing. And that led us to stateless tokenization. We compared a number of different
products, but we looked at HPE [Secure] Stateless Tokenization, and that was ultimately our
choice for tokenization.
Interestingly enough, while we were on our search for what the best tokenization product was, I
happened to read a press release on a website that talked about format-preserving encryption as a
new technology that was going to become available -- and that actually became HPE SecureData
Web. We found that by accident; it wasn’t even a product that was available at the time. It was
going to be targeted at card acquirers, and we actually had a hard time convincing the sales folks
to sell it to us as a different type of end-user.
That solved our application problem because it allowed us to encrypt the data that was passing
through those legacy apps. Between the tokenization and the format-preserving encryption (FPE)
SecureData Web product, we were able to dramatically reduce the overall scope of PCI data, and
that finally led us to become compliant.
Gardner: Now, this sounds like, with custom apps, it could take months, even quarters. How
much time did it take you, and how important was that to you?
Gullett: The time to implement any application that is outside of what we develop ourselves is
always a concern, because that takes our developers, who now have to serve as integrators, off of
projects that might lead to higher revenues for the airline or to solve a problem or offer a feature
that the airline would like to do. And we're very focused on improving the overall business.
We found that the overall implementation of the HPE products was very efficient. In fact, I think
we had one-and-a-half full-time equivalent (FTE) application developers on the project. It took
them about three months, and that was integrating with multiple payment-card interfaces. I think
we started at the end of October and we went live at the end of January. So it was pretty lightweight
from the standpoint of integrating significant products into our ecosystem.
Stateless tokenization
Gardner: Secure stateless tokenization can often take organizations like yours out of the
business of storing credit card information at all. You're basically passing it through and using
various technologies to avoid being in a position where you could have a privacy problem. Was
that the case with you, and did you extend that to other types of data?
Gullett: That was one of the marvelous parts of bringing the system online as it did take us from
storing many, many millions of credit card numbers down to absolutely zero. We store no
payment card numbers at this time. Everything is tokenized. The card data comes into our
internal payment process and the system can send it off to the card acquirer to determine whether
it should be approved or denied, and it’s immediately tokenized. So that has been a real win for
the company -- just much less to worry about from the card standpoint.
Now from the standpoint of how we can encrypt or protect other data, we're looking at a number
of possible scenarios now that we have gotten past the PCI hurdle. For example, while we don’t
fly internationally with scheduled service, we do handle the charters for other companies. At
some point, the company may well fly to international locations, and we will be collecting
passport numbers. That would be the kind of thing we would also look at, in effect using some
type of format-preserving encryption, so that we're not storing the actual data.
We've gained a lot of experience with the product over the last three years and that’s going to be
a fairly easy implementation that will offer a great deal of protection. But we can also extend that
out to customer names, birth dates, and all kinds of different things and we are looking at that
now.
Gardner: The HPE SecureData Web and the Page-Integrated Encryption are being used by a lot
of folks for the webpage, of course, the browser-based apps, but that also can provide a secure
way to go to mobile. Many people are interested in the mobile web, not necessarily just native
apps. Is that something you have been able to use as well? The SecureData Web as a way to get
to the mobile edge securely?
Gullett: We do use SecureData Web in our mobile applications. We've been using it since we
initially integrated the product several years ago. In fact, that was one of the data points that we
had to protect from Day One. So we have the app going out to the Internet, grabbing the
one-time encryption key and encrypting that data in the application itself on the mobile device, on the
Android device, the Apple device, and then sending that encrypted data back to our
payment-processing system, passing through any systems in the middle as an encrypted form.
We also have a subsidiary that is not directly airline-related that is also developing a
payment-processing app for the business space it works within. Because they're developing a true native
application for iOS, they're going to be developing with the SecureData Web SDK that’s been
released for mobile devices, which will certainly be much easier.
Gardner: Chris, we hear a lot of times that security is a cost center, that people don’t necessarily
see it as a way of bolstering business value or growing revenue streams. It sounds like when you
can employ some of these technologies, create a better posture, it frees you up, it makes you able
to innovate and transform. Has that been the case with you? Can you point to any ways in which
you've actually been able to increase revenue? I know that for airlines it’s a fairly tight margin on
the travel, but some of those ancillary services can be a make or break; is that the case here?
Unbundled travel
Gullett: Allegiant is a leader in what we call unbundled travel; we would rather sell you
exactly what you want. When an airline says that they offer free bags, for example, they're not
offering you free bags. It does cost to put those bags in the hold, to put those bags in the
overhead and carry those bags on the plane with you. There is weight, and then that costs fuel.
So, there is an expense associated with every aspect of your travel on an airline today; that’s just
the way it is.
Allegiant’s unbundled services allow us to say to a traveler, “Well, sure, if you want to get on the
plane and you want to bring something and put it under the seat, we'll sell you a seat on the
plane. If you want to bring 40 pounds of baggage to put in the hold, we'll charge for that,”
because not everybody wants to bring a 40-pound bag to put in the hold.
The thing about Allegiant with its proprietary application that runs the airline is that if we see an
opportunity to offer a new service to the customer or a new ancillary service to the customer, we
don't have to go to a third-party and say, would you please add this so we can offer this feature to
the customer; we can just do it.
At the time, we were worrying about PCI compliance and how we were going to accomplish PCI
compliance, we also had a project to begin charging for carry-on bags, the bags that go up in the
overhead. We could either spend a lot of time retrofitting the legacy app for PCI or we could
spend time generating revenue by offering this new feature to the customer that they would be
charged for carry-on bags up in the overhead.
The seats on the plane, everything associated with the airline, have a very quick expiration date.
When the plane takes off, an empty seat has no value and it will have no value ever again. When
a seat takes off empty, we can’t sell that person a Coke, we can’t sell them a bag, we can’t sell
them a [rental] car, we can’t sell them a hotel room; that's gone forever. So, speed to market is
incredibly important for the airline industry and it may be more important for Allegiant.
In the case of our travails on PCI and how we were going to solve our PCI-compliance issue, we
wanted to be able to add this feature to charge for carry-on bags. So now you have a choice. Do
you spend a lot of time integrating and cleaning up legacy apps for PCI? Do you move ahead
with something that could bring in millions of dollars in revenue? The answer, of course, is that
you have to be compliant with PCI. So, we have to do that first.
The fact that we were able to implement the necessary controls with the HPE products in about
three months, with about one-and-a-half FTEs, meant that other application developers could
spend time on that carry-on bag feature in our software, allowing us to go to market with that
sooner than we would have otherwise.
Now, if you look at the fact that we went to market three months earlier than we would have
normally, if we had spent three months of stopping everything to do nothing but PCI compliance.
Instead, we were able to use that time to develop carry-on bag charging services, that is millions
of dollars that would never have been captured in any other way, because it expires, it’s gone.
Once the plane leaves the ground, you can’t charge anymore.
So there was a real delivery to the bottom line as far as a profitable feature was concerned by
being able to roll out that carry-on bags feature sooner. We had a much easier, quicker, and lower
resource-intensity standpoint ability to integrate, using the HPE Security products.
Where next?
Gardner: So going back to our opening sentiment around the fact that you can’t just wall off
data, meaning the more data, the better for your business and the more places that data can get to,
the better. You've demonstrated that that’s also core to business innovation, such as growing
revenue in new ways, and being agile and adaptive to very competitive markets. That’s a very
interesting example.
Before we sign off, Chris, where do you go next? How do you think your security steps so far
have enabled you to be more fleet, more agile, and perhaps find other business benefits?
Gullett: There is no substitute for delivering innovative solutions to problems that are
well-known throughout the business, and helping that to build your credibility with the executives and
the board of directors. Certainly, the solution to our PCI-compliance issues, which did get a lot of
exposure to the company’s executives and the board, by being able to solve that quickly and
without an impact to the operations of the airline, that brought information security awareness to
a level that we had not previously enjoyed at the airline.
Although, if you talk to our executives and our board, they're going to tell you information
security is very important, and I believe they believe that. The fact that you can demonstrate that
you can deliver solutions that don't break the bank and do what they say they do, means a lot.
Going back to that three-legged stool, technology and the HPE Security products that we
implemented for PCI are just one part. For example, if the folks aren't handling the credit cards
properly or if they're not adequately protecting the data that they have on their mobile devices
out in the field, our risk is just as great as a credit-card data breach would have been before we
had implemented the tokenization. These are all things we kind of worry about.
Gardner: I'm afraid we'll have to leave it there. We've been discussing how airline Allegiant Air
solved their PCI problem and got a whole lot better security and business culture as well. And we
have seen how security technology can lead to a better posture maturity and then ultimately to
cultural transformation and many added business benefits.
So join me in thanking our guest, Chris Gullett, Director of Information Assurance at Allegiant
Air in Las Vegas. Thanks so much, Chris.
Gullett: Thanks, Dana. I appreciate it, and enjoyed the time with you today.
Gardner: I would like to thank our audience as well for joining us for this Hewlett Packard
Enterprise Voice of the Customer security transformation discussion.
I’m Dana Gardner, Principal Analyst at Interarbor Solutions, your host and moderator for this
ongoing series of HPE-sponsored discussions. Thanks again for listening, and do come back next
time.
Copyright Interarbor Solutions, LLC, 2005-2016. All rights reserved.
You may also be interested in:
	 •	 Big data enables top user experiences and extreme personalization for Intuit TurboTax
	 •	 Feedback loops: The confluence of DevOps and big data
	 •	 Spirent leverages big data to keep user experience quality a winning factor for telcos
	 •	 Powerful reporting from YP's data warehouse helps SMBs deliver the best ad campaigns
	 •	 IoT brings on development demands that DevOps manages best, say experts
	 •	 Big data generates new insights into what’s happening in the world's tropical ecosystems
	 •	 DevOps and security, a match made in heaven
	 •	 How Sprint employs orchestration and automation to bring IT into DevOps readiness
	 •	 How fast analytics changes the game and expands the market for big data value
	 •	 How HTC centralizes storage management to gain visibility and IT disaster avoidance
	 •	 Big data, risk, and predictive analysis drive use of cloud-based ITSM, says panel
	 •	 Rolta AdvizeX experts on hastening big data analytics in healthcare and retail
	 •	 The future of business intelligence as a service with GoodData and HP Vertica 
	 •	 Enterprises opting for converged infrastructure as stepping stone to hybrid cloud
How IT Innovators Turned Digital Disruption into a Business Productivity Mult...
 
How Cutting Edge Storage Provides a Competitive Footing for Music Service Pro...
How Cutting Edge Storage Provides a Competitive Footing for Music Service Pro...How Cutting Edge Storage Provides a Competitive Footing for Music Service Pro...
How Cutting Edge Storage Provides a Competitive Footing for Music Service Pro...
 
How Big Data Deep Analysis and Agile SQL Querying Give 2016 Campaigners an Ed...
How Big Data Deep Analysis and Agile SQL Querying Give 2016 Campaigners an Ed...How Big Data Deep Analysis and Agile SQL Querying Give 2016 Campaigners an Ed...
How Big Data Deep Analysis and Agile SQL Querying Give 2016 Campaigners an Ed...
 
How Data Loss Prevention End-Point Agents Use HPE IDOL’s Comprehensive Data C...
How Data Loss Prevention End-Point Agents Use HPE IDOL’s Comprehensive Data C...How Data Loss Prevention End-Point Agents Use HPE IDOL’s Comprehensive Data C...
How Data Loss Prevention End-Point Agents Use HPE IDOL’s Comprehensive Data C...
 
Loyalty Management Innovator AIMIA's Transformation Journey to Modernized and...
Loyalty Management Innovator AIMIA's Transformation Journey to Modernized and...Loyalty Management Innovator AIMIA's Transformation Journey to Modernized and...
Loyalty Management Innovator AIMIA's Transformation Journey to Modernized and...
 
Meet George Jetson – Your New Chief Procurement Officer
Meet George Jetson – Your New Chief Procurement OfficerMeet George Jetson – Your New Chief Procurement Officer
Meet George Jetson – Your New Chief Procurement Officer
 
Gaining Digital Business Strategic View Across More Data Gives AmeriPride Cul...
Gaining Digital Business Strategic View Across More Data Gives AmeriPride Cul...Gaining Digital Business Strategic View Across More Data Gives AmeriPride Cul...
Gaining Digital Business Strategic View Across More Data Gives AmeriPride Cul...
 
How Data-Driven Continuous Intelligence Benefits Aid the Development and Mana...
How Data-Driven Continuous Intelligence Benefits Aid the Development and Mana...How Data-Driven Continuous Intelligence Benefits Aid the Development and Mana...
How Data-Driven Continuous Intelligence Benefits Aid the Development and Mana...
 
17630683
1763068317630683
17630683
 
Tecnología wearables
Tecnología wearablesTecnología wearables
Tecnología wearables
 
La buena pregunta y el libro
La buena pregunta y el libroLa buena pregunta y el libro
La buena pregunta y el libro
 
La buena pregunta y el libro
La buena pregunta y el libroLa buena pregunta y el libro
La buena pregunta y el libro
 
Practica 1 shirley
Practica 1 shirleyPractica 1 shirley
Practica 1 shirley
 

Similar to How Allegiant Air Solved Their PCI Problem and Got a Whole Lot Better Security Culture, Too

1 p 14-0714 wearable technology part 2 blue paper
1 p 14-0714 wearable technology part 2 blue paper1 p 14-0714 wearable technology part 2 blue paper
1 p 14-0714 wearable technology part 2 blue paper4imprint
 
How Dashboard Analytics Bolster Security and Risk Management Across IT Supply...
How Dashboard Analytics Bolster Security and Risk Management Across IT Supply...How Dashboard Analytics Bolster Security and Risk Management Across IT Supply...
How Dashboard Analytics Bolster Security and Risk Management Across IT Supply...Dana Gardner
 
Aftab Hasan Speaking at Cyber Security in Banking Conference - Dubai
Aftab Hasan Speaking at Cyber Security in Banking Conference - DubaiAftab Hasan Speaking at Cyber Security in Banking Conference - Dubai
Aftab Hasan Speaking at Cyber Security in Banking Conference - DubaiAftab Hasan
 
SambaSafety’s Mission to Reduce Risk Begins in its Own Datacenter
SambaSafety’s Mission to Reduce Risk Begins in its Own DatacenterSambaSafety’s Mission to Reduce Risk Begins in its Own Datacenter
SambaSafety’s Mission to Reduce Risk Begins in its Own DatacenterDana Gardner
 
BCS ITNow 201512 - Cyber Innovation
BCS ITNow 201512 - Cyber InnovationBCS ITNow 201512 - Cyber Innovation
BCS ITNow 201512 - Cyber InnovationGareth Niblett
 
The Geospatial Future of Insurance
The Geospatial Future of InsuranceThe Geospatial Future of Insurance
The Geospatial Future of InsuranceHugh Saalmans
 
The Internet of Things: the 4 security dimensions of smart devices
The Internet of Things: the 4 security dimensions of smart devicesThe Internet of Things: the 4 security dimensions of smart devices
The Internet of Things: the 4 security dimensions of smart devicesWavestone
 
Airline Startup Proposal
Airline Startup ProposalAirline Startup Proposal
Airline Startup ProposalGovindarajan VS
 
Connectivity to business outcomes
Connectivity to business outcomesConnectivity to business outcomes
Connectivity to business outcomesAndrey Karpov
 
Information Security for Translation Services
Information Security for Translation ServicesInformation Security for Translation Services
Information Security for Translation ServicesHans Pich
 
Question 1The board of directors is considering updating the fle.docx
Question 1The board of directors is considering updating the fle.docxQuestion 1The board of directors is considering updating the fle.docx
Question 1The board of directors is considering updating the fle.docxmakdul
 
The State of Mobile Security and How Identity Advancement Plays an Essential ...
The State of Mobile Security and How Identity Advancement Plays an Essential ...The State of Mobile Security and How Identity Advancement Plays an Essential ...
The State of Mobile Security and How Identity Advancement Plays an Essential ...Dana Gardner
 
How a Minnesota Law Firm Brings Mission Critical Security To Myriad Mobile De...
How a Minnesota Law Firm Brings Mission Critical Security To Myriad Mobile De...How a Minnesota Law Firm Brings Mission Critical Security To Myriad Mobile De...
How a Minnesota Law Firm Brings Mission Critical Security To Myriad Mobile De...Dana Gardner
 
To Disrupt or be Disrupted
To Disrupt or be DisruptedTo Disrupt or be Disrupted
To Disrupt or be DisruptedHugh Saalmans
 
Cloud migration risk
Cloud migration riskCloud migration risk
Cloud migration riskEdgevalue
 
How to Migrate Your Organization to a More Security-Minded Culture – From Dev...
How to Migrate Your Organization to a More Security-Minded Culture – From Dev...How to Migrate Your Organization to a More Security-Minded Culture – From Dev...
How to Migrate Your Organization to a More Security-Minded Culture – From Dev...Dana Gardner
 
Hitting back against digital disruption
Hitting back against digital disruptionHitting back against digital disruption
Hitting back against digital disruptionMike Shaw
 
Private Cloud: Debunking Myths Preventing Adoption
Private Cloud: Debunking Myths Preventing AdoptionPrivate Cloud: Debunking Myths Preventing Adoption
Private Cloud: Debunking Myths Preventing AdoptionDana Gardner
 

Similar to How Allegiant Air Solved Their PCI Problem and Got a Whole Lot Better Security Culture, Too (20)

1 p 14-0714 wearable technology part 2 blue paper
1 p 14-0714 wearable technology part 2 blue paper1 p 14-0714 wearable technology part 2 blue paper
1 p 14-0714 wearable technology part 2 blue paper
 
How Dashboard Analytics Bolster Security and Risk Management Across IT Supply...
How Dashboard Analytics Bolster Security and Risk Management Across IT Supply...How Dashboard Analytics Bolster Security and Risk Management Across IT Supply...
How Dashboard Analytics Bolster Security and Risk Management Across IT Supply...
 
Aftab Hasan Speaking at Cyber Security in Banking Conference - Dubai
Aftab Hasan Speaking at Cyber Security in Banking Conference - DubaiAftab Hasan Speaking at Cyber Security in Banking Conference - Dubai
Aftab Hasan Speaking at Cyber Security in Banking Conference - Dubai
 
SambaSafety’s Mission to Reduce Risk Begins in its Own Datacenter
SambaSafety’s Mission to Reduce Risk Begins in its Own DatacenterSambaSafety’s Mission to Reduce Risk Begins in its Own Datacenter
SambaSafety’s Mission to Reduce Risk Begins in its Own Datacenter
 
BCS ITNow 201512 - Cyber Innovation
BCS ITNow 201512 - Cyber InnovationBCS ITNow 201512 - Cyber Innovation
BCS ITNow 201512 - Cyber Innovation
 
The Geospatial Future of Insurance
The Geospatial Future of InsuranceThe Geospatial Future of Insurance
The Geospatial Future of Insurance
 
The Internet of Things: the 4 security dimensions of smart devices
The Internet of Things: the 4 security dimensions of smart devicesThe Internet of Things: the 4 security dimensions of smart devices
The Internet of Things: the 4 security dimensions of smart devices
 
Airline Startup Proposal
Airline Startup ProposalAirline Startup Proposal
Airline Startup Proposal
 
Connectivity to business outcomes
Connectivity to business outcomesConnectivity to business outcomes
Connectivity to business outcomes
 
Information Security for Translation Services
Information Security for Translation ServicesInformation Security for Translation Services
Information Security for Translation Services
 
Question 1The board of directors is considering updating the fle.docx
Question 1The board of directors is considering updating the fle.docxQuestion 1The board of directors is considering updating the fle.docx
Question 1The board of directors is considering updating the fle.docx
 
The State of Mobile Security and How Identity Advancement Plays an Essential ...
The State of Mobile Security and How Identity Advancement Plays an Essential ...The State of Mobile Security and How Identity Advancement Plays an Essential ...
The State of Mobile Security and How Identity Advancement Plays an Essential ...
 
How a Minnesota Law Firm Brings Mission Critical Security To Myriad Mobile De...
How a Minnesota Law Firm Brings Mission Critical Security To Myriad Mobile De...How a Minnesota Law Firm Brings Mission Critical Security To Myriad Mobile De...
How a Minnesota Law Firm Brings Mission Critical Security To Myriad Mobile De...
 
To Disrupt or be Disrupted
To Disrupt or be DisruptedTo Disrupt or be Disrupted
To Disrupt or be Disrupted
 
Cloud migration risk
Cloud migration riskCloud migration risk
Cloud migration risk
 
The Insider Threats - Are You at Risk?
The Insider Threats - Are You at Risk?The Insider Threats - Are You at Risk?
The Insider Threats - Are You at Risk?
 
How to Migrate Your Organization to a More Security-Minded Culture – From Dev...
How to Migrate Your Organization to a More Security-Minded Culture – From Dev...How to Migrate Your Organization to a More Security-Minded Culture – From Dev...
How to Migrate Your Organization to a More Security-Minded Culture – From Dev...
 
Hitting back against digital disruption
Hitting back against digital disruptionHitting back against digital disruption
Hitting back against digital disruption
 
Customer as a data packet
Customer as a data packetCustomer as a data packet
Customer as a data packet
 
Private Cloud: Debunking Myths Preventing Adoption
Private Cloud: Debunking Myths Preventing AdoptionPrivate Cloud: Debunking Myths Preventing Adoption
Private Cloud: Debunking Myths Preventing Adoption
 

Recently uploaded

A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)Gabriella Davis
 
Boost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityBoost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityPrincipled Technologies
 
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptxHampshireHUG
 
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
Workshop - Best of Both Worlds_ Combine  KG and Vector search for  enhanced R...Workshop - Best of Both Worlds_ Combine  KG and Vector search for  enhanced R...
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...Neo4j
 
The Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxThe Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxMalak Abu Hammad
 
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure service
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure serviceWhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure service
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure servicePooja Nehwal
 
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Miguel Araújo
 
Histor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slideHistor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slidevu2urc
 
Scaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationScaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationRadu Cotescu
 
Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024The Digital Insurer
 
08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking MenDelhi Call girls
 
Unblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen FramesUnblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen FramesSinan KOZAK
 
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationFrom Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationSafe Software
 
Exploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone ProcessorsExploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone Processorsdebabhi2
 
Salesforce Community Group Quito, Salesforce 101
Salesforce Community Group Quito, Salesforce 101Salesforce Community Group Quito, Salesforce 101
Salesforce Community Group Quito, Salesforce 101Paola De la Torre
 
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdfThe Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdfEnterprise Knowledge
 
🐬 The future of MySQL is Postgres 🐘
🐬  The future of MySQL is Postgres   🐘🐬  The future of MySQL is Postgres   🐘
🐬 The future of MySQL is Postgres 🐘RTylerCroy
 
Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024The Digital Insurer
 
Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...Enterprise Knowledge
 
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptxEIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptxEarley Information Science
 

Recently uploaded (20)

A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)
 
Boost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityBoost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivity
 
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
 
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
Workshop - Best of Both Worlds_ Combine  KG and Vector search for  enhanced R...Workshop - Best of Both Worlds_ Combine  KG and Vector search for  enhanced R...
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
 
The Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxThe Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptx
 
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure service
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure serviceWhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure service
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure service
 
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
 
Histor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slideHistor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slide
 
Scaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationScaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organization
 
Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024
 
08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men
 
Unblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen FramesUnblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen Frames
 
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationFrom Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
 
Exploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone ProcessorsExploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone Processors
 
Salesforce Community Group Quito, Salesforce 101
Salesforce Community Group Quito, Salesforce 101Salesforce Community Group Quito, Salesforce 101
Salesforce Community Group Quito, Salesforce 101
 
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdfThe Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
 
🐬 The future of MySQL is Postgres 🐘
🐬  The future of MySQL is Postgres   🐘🐬  The future of MySQL is Postgres   🐘
🐬 The future of MySQL is Postgres 🐘
 
Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024
 
Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...
 
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptxEIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
 

How Allegiant Air Solved Their PCI Problem and Got a Whole Lot Better Security Culture, Too

  • 1. How Allegiant Air Solved Their PCI Problem and Got a Whole Lot Better Security Culture, Too

    Transcript of a sponsored discussion on how security technology can lead to a better posture maturity and then ultimately to cultural transformation and many added business benefits.

    Listen to the podcast. Find it on iTunes. Get the mobile app. Sponsor: Hewlett Packard Enterprise.

    Dana Gardner: Hello, and welcome to the next edition to the Hewlett Packard Enterprise (HPE) Voice of the Customer podcast series. I’m Dana Gardner, Principal Analyst at Interarbor Solutions, your host and moderator for this ongoing discussion on IT Innovation -- and how it's making an impact on people's lives.

    Our next security innovation and transformation discussion explores how airline Allegiant Air solved their payment card industry (PCI) problem, and got a whole lot better security culture to boot.

    When Allegiant needed to quickly manage their compliance around the Payment Card Industry Data Security Standard, it embraced many technologies, including tokenization, but they've also adopted an improved position toward privacy methods in general.

    Here to share how security technology can lead to posture maturity -- and then ultimately to cultural transformation with many business benefits -- we're joined by Chris Gullett, Director of Information Assurance at Allegiant Air in Las Vegas. Welcome, Chris.

    Chris Gullett: Thank you, Dana. I’m looking forward to this discussion.

    Gardner: Let's begin at a high level. What are the major trends that are driving a need for better privacy and security, particularly when it comes to customer information, and not just for your airline, but for the airline industry in general?

    Gullett: The airline industry in general has quite a bit of personally identifiable information (PII). When you think about what you have to go through to get on the plane these days, everything from your whole name, your date of birth, your address, your phone number, your flight itinerary, is all going in the record.
  • 2. There is a lot of information that you would rather not have in the public domain, and the airline has to protect that. In fact, there have been a couple of data breaches involving major airlines with things like frequent-flyer programs. So, we have to look carefully at how we interact with our customers and make sure that data is incredibly safe. We just don't want to take the brand hit that would occur if data leaked out.

    Gardner: At the same time, we’re enjoying much better benefits by attaching more data to transactions, to process; we're able to cross organizational boundaries. And so, the user-experience benefits of having more data are huge. We don't want to back off from that, but we do want to be able to make sure that that data is protected. What are some of the major ways we can recognize the need for better data uses, but keep it protected? Can they be balanced?

    Technology fronts

    Gullett: The airline industry is moving forward on a lot of technology fronts. Some airlines, for example, are using mobile devices to welcome specific customers on board with a complete history of how good a customer they are to that particular airline, so they can provide additional services in the air. Other airlines are using beaconing [location] technologies, which I think is kind of cool. If you have a mobile app on your phone for the airline and you're transiting through the airport, how cool is it to know where you are and how long it's taking you to get through security. So, the airline might adapt at the gate as to whether there are going to be problems or not in boarding that particular plane. There are a lot of different data points that are being collected and used now with different airlines handling them in different ways. In any event, the need for privacy is important, especially in the European Union (EU), which has incredibly tight data-privacy protection laws.

    Gardner: We've talked about that on this podcast series. Now, the answer isn’t just the old thinking around security, where we'll just wall it off, or we'll use as little data as possible. Instead, we need to have more data in more places -- even down at that mobile edge. So, as we think about ways to accommodate our need for more data in more places, even everywhere, is there top-level thinking that goes along with being able to make the data private, but also usable?

    Gullett: That's the balancing point. Everybody wants their data everywhere. Before, a data center protected data inside the tight little confined, hardened shell you used to have, a perimeter
  • 3. with a firewall, and things like that. But we need data out to the edge where it's actually being consumed; that’s what has to happen these days. Some airlines are putting consumer PII right in the hands of the flight attendant on the plane. At Allegiant, for example, we're using mobile devices to accept credit cards on the plane. We're experimenting with a number of different technologies that fall into a category of Internet of Things (IoT), when you think about them. What they all have in common is that they're outside any possible perimeter. So, you have to find a way to make every device have its own individual perimeter, and harden the data, harden the device, or some combination of the two.

    Gardner: Let's hear more about your particular airline. Tell us about Allegiant Air and what makes it unique in the airline industry.

    Regular profitability

    Gullett: At Allegiant, we're up to 54 consecutive quarters of profit, which is unheard of in the airline industry. The famous phrase about the airline industry is, “How do you become a millionaire? You start with a billion dollars and you buy an airline.” The profitability of airlines has been much in the news over the last couple of decades, because it's cyclical. Airlines fail, go into bankruptcy, or consolidate. There's been a lot of consolidation in the United States, with United taking on Continental, and Delta taking on Northwest as examples. Southwest taking on AirTran is another. Everybody has been in the game. Allegiant is kind of off on its own. We've found an interesting niche that has very little direct competition on the routes that we serve, and that is taking vacationers to their favorite vacation destinations. We connect small- and medium-sized markets -- markets like Kalispell, Montana or Indianapolis, Indiana, a medium-sized city. We'll take them to Florida, Las Vegas, or Los Angeles. We have about 19 vacation destinations now. We have about 115 cities overall. In fact, we serve more cities than Southwest, if you want to get a comparison on the size of the route map. And we're also taking the charter operators to three different countries in the Caribbean. We have quite a different footprint. That adds up to about $1.3 billion in revenue a year, and from a profitability standpoint, Allegiant is regularly recognized as one of the most profitable airlines in the world.

    Gardner: It sounds like most of your passengers, perhaps even all of them, are vacationers, not business travelers. Does that change anything when it comes to user experience, privacy, and data security?
  • 4. Gullett: It doesn't change anything as far as the need to protect the data, but it puts a greater risk of brand problems concerning data breaches. Consider the fact that our average customer flies with us once or twice a year. They are, in many cases, flying Allegiant, rather than driving to their vacation destination. Or maybe they're taking a vacation they wouldn't have otherwise because of Allegiant's low prices. So what you have is “not-frequent travelers.” In fact, that would be kind of a name. If we were going to have a frequent-flyer program it would be the “not-frequent-flyer program,” because vacationing people just don't fly as frequently. If I'm a business traveler, I am on so-and-so [airline], and they had a breach, I'm going to continue to fly them because I have marvelous status with their frequent-flyer program. Allegiant customers say, “Gee, I'm a little concerned about that and if they have a data breach, I think I'll drive instead.” So the brand damage from a breach, I believe, is higher for our airline than some of the other airlines out there. Everyone's responsibility Gardner: Given how important it is to your business, to your brand, how do you rationalize these approaches to security to the larger organization? I know that's probably not as prominent a problem as it used to be, because we can see directly the business implications of security issues. But how do you make security everybody's responsibility? Is that something that you have been trying to do? Gullett: First, we're very lucky at Allegiant to have incredibly broad support from the C-suite level and the board of directors for our security program. That's not a benefit that every company has, but we do, and it certainly makes life easier in developing the procedures and processes, and the technologies, necessary to protect our customer data. 
We came into the business at Allegiant with the idea that we have the typical triad of people, process, and technology to deal with in the information security program -- the three legs on a stool. If you miss one of those, you are going to be on your butt on the ground because the stool isn't going to work very well.
We focused on technology and process early on, because those were the easy things. Those were the low-hanging fruit. We've really moved into more of a stage of being people-focused now. In fact, much of our budgetary spend is on security awareness for our people.
We really had to look at how we best introduce security awareness to the entire company, and to make the company more culturally sensitive to information security. That extends from the customer service agent who's checking you in at the ticket counter all the way up to the board of directors.
The [security leadership] has certainly chimed in and made our board more aware of problems concerning information security. Recently U.S. Senator Edward Markey (D-Massachusetts) has also introduced legislation that specifically targets cyber security in the United States domestic airline industry.
That need to protect the data has to be recognized, and the most important part of protecting the data is the people that are handling the data. Awareness is really a big part of our program now.
Gardner: How did PCI-compliance form a trigger for your organization? What did that change mean for you, and maybe you could explain how you have gone about it at the process, people, and technology levels?
Compliance requirements
Gullett: Well, god bless compliance, because I think I got my first information-security job thanks to an auditor telling someone that they needed an information security guy because of Sarbanes-Oxley. And I joined Allegiant because of PCI. These various compliance regulations have certainly done wonders for the job market in information security. I can only imagine what it’s like with the data security and the EU General Data Protection Regulation (GDPR).
But, in regards to our travel into the world of PCI, Allegiant is also a unique airline in that the software that runs through the airline, the applications that run the airline, are proprietary. We actually write that ourselves. We have a large development staff and every aspect of the operation of the airline is run by custom software that we control and we write.
There are a lot of benefits to that because it allows us to be very agile and flexible if we want to make changes, but there is a downside. Some of the code dates back to the green screen days of the 1990s, and that code was going to be very difficult to bring into compliance from a PCI standpoint.
It was just not written with security in mind, and while it wasn’t directly handling credit-card data, it was in the process scope.
A big concern was how we were going to ever bring a significantly non-compliant custom app that would take a great number of application-developer hours to bring it up to snuff and still meet a relatively tight schedule for becoming PCI-compliant. And so, at the time we looked at a number of different products out there and we thought, well, we can't solve every problem right now. So let’s bite off small chunks and we'll take care of that.
The first thing that looked like it would be fairly easy to do, or at least straightforward from a technology standpoint, was tokenization. And so, our search was, how can we tokenize the cards that we are storing. And that led us to stateless tokenization. We compared a number of different products, but we looked at HPE [Secure] Stateless Tokenization, and that was ultimately our choice for tokenization.
Interestingly enough, while we were on our search for what the best tokenization product was, I happened to read a press release on a website that talked about format-preserving encryption as a new technology that was going to become available -- and that actually became HPE SecureData Web. We found that by accident; it wasn’t even a product that was available at the time. It was going to be targeted at card acquirers, and we actually had a hard time convincing the sales folks to sell it to us as a different type of end-user.
That solved our application problem because it allowed us to encrypt the data that was passing through those legacy apps. Between the tokenization and the format-preserving encryption (FPE) SecureData Web product, we were able to dramatically reduce the overall scope of PCI data, and that finally led us to become compliant.
Gardner: Now, this sounds like, with custom apps, it could take months, even quarters. How much time did it take you, and how important was that to you?
Gullett: The time to implement any application that is outside of what we develop ourselves is always a concern, because that takes our developers, who now have to serve as integrators, off of projects that might lead to higher revenues for the airline or to solve a problem or offer a feature that the airline would like to do. And we're very focused on improving the overall business.
We found that the overall implementation of the HPE products was very efficient. In fact, I think we had one-and-a-half full-time equivalent (FTE) application developers on the project.
It took them about three months, and that was integrating with multiple payment-card interfaces. I think we started at the end of October and we went live at the end of January. So it was pretty lightweight from the standpoint of integrating significant products into our ecosystem.
Stateless tokenization
Gardner: Secure stateless tokenization can often take organizations like yours out of the business of storing credit card information at all. You're basically passing it through and using various technologies to avoid being in a position where you could have a privacy problem. Was that the case with you, and did you extend that to other types of data?
Gullett: That was one of the marvelous parts of bringing the system online as it did take us from storing many, many millions of credit card numbers down to absolutely zero. We store no payment card numbers at this time. Everything is tokenized. The card data comes into our internal payment process and the system can send it off to the card acquirer to determine whether it should be approved or denied, and it’s immediately tokenized. So that has been a real win for the company -- just much less to worry about from the card standpoint.
Now from the standpoint of how we can encrypt or protect other data, we're looking at a number of possible scenarios now that we have gotten past the PCI hurdle. For example, while we don’t fly internationally with scheduled service, we do handle the charters for other companies. At some point, the company may well fly to international locations, and we will be collecting passport numbers.
That would be the kind of thing we would also look at, in effect using some type of format preserving encryption, so that we're not storing the actual data. We've gained a lot of experience with the product over the last three years and that’s going to be a fairly easy implementation that will offer a great deal of protection. But we can also extend that out to customer names, birth dates, and all kinds of different things and we are looking at that now.
Gardner: The HPE SecureData Web and the Page-Integrated Encryption are being used by a lot of folks for the webpage, of course, the browser-based apps, but that also can provide a secure way to go to mobile. Many people are interested in the mobile web, not necessarily just native apps. Is that something you have been able to use as well? The SecureData Web as a way to get to the mobile edge securely?
Gullett: We do use SecureData Web in our mobile applications. We've been using it since we initially integrated the product several years ago. In fact, that was one of the data points that we had to protect from Day One. So we have the app going out to the Internet, grabbing the one-time encryption key and encrypting that data in the application itself on the mobile device, on the Android device, the Apple device, and then sending that encrypted data back to our payment-processing system, passing through any systems in the middle as an encrypted form.
We also have a subsidiary that is not directly airline-related that is also developing a payment-processing app for the business space it works within. Because they're developing a true native application for iOS, they're going to be developing with the SecureData Web SDK that’s been released for mobile devices, which will certainly be much easier.
Gardner: Chris, we hear a lot of times that security is a cost center, that people don’t necessarily see it as a way of bolstering business value or growing revenue streams. It sounds like when you can employ some of these technologies, create a better posture, it frees you up, it makes you able to innovate and transform. Has that been the case with you? Can you point to any ways in which you've actually been able to increase revenue? I know that for airlines it’s a fairly tight margin on the travel, but some of those ancillary services can be a make or break; is that the case here?
Unbundled travel
Gullett: Allegiant is a leader in what we call unbundled travel; we would rather sell you exactly what you want. When an airline says that they offer free bags, for example, they're not offering you free bags. It does cost to put those bags in the hold, to put those bags in the overhead and carry those bags on the plane with you. There is weight, and then that costs fuel. So, there is an expense associated with every aspect of your travel on an airline today; that’s just the way it is.
Allegiant’s unbundled services allow us to say to a traveler, “Well, sure, if you want to get on the plane and you want to bring something and put it under the seat, we'll sell you a seat on the plane. If you want to bring 40 pounds of baggage to put in the hold, we'll charge for that,” because not everybody wants to bring a 40-pound bag to put in the hold.
The thing about Allegiant with its proprietary application that runs the airline is that if we see an opportunity to offer a new service to the customer or a new ancillary service to the customer, we don't have to go to a third-party and say, would you please add this so we can offer this feature to the customer; we can just do it.
At the time, we were worrying about PCI compliance and how we were going to accomplish PCI compliance, we also had a project to begin charging for carry-on bags, the bags that go up in the overhead. We could either spend a lot of time retrofitting the legacy app for PCI or we could spend time generating revenue by offering this new feature to the customer that they would be charged for carry-on bags up in the overhead.
The seats on the plane, everything associated with the airline, have a very quick expiration date. When the plane takes off, an empty seat has no value and it will have no value ever again. When a seat takes off empty, we can’t sell that person a Coke, we can’t sell them a bag, we can’t sell them a [rental] car, we can’t sell them a hotel room; that's gone forever. So, speed to market is incredibly important for the airline industry and it may be more important for Allegiant.
In the case of our travails on PCI and how we were going to solve our PCI-compliance issue, we wanted to be able to add this feature to charge for carry-on bags. So now you have a choice. Do you spend a lot of time integrating and cleaning up legacy apps for PCI? Do you move ahead with something that could bring in millions of dollars in revenue? The answer, of course, is that you have to be compliant with PCI. So, we have to do that first.
The fact that we were able to implement the necessary controls with the HPE products in about three months, with about one-and-a-half FTEs, meant that other application developers could spend time on that carry-on bag feature in our software, allowing us to go to market with that sooner than we would have otherwise.
Now, if you look at the fact that we went to market three months earlier than we would have normally, if we had spent three months of stopping everything to do nothing but PCI compliance. Instead, we were able to use that time to develop carry-on bag charging services, that is millions of dollars that would never have been captured in any other way, because it expires, it’s gone. Once the plane leaves the ground, you can’t charge anymore.
So there was a real delivery to the bottom line as far as a profitable feature was concerned by being able to roll out that carry-on bags feature sooner. We had a much easier, quicker, and lower resource-intensity standpoint ability to integrate, using the HPE Security products.
Where next?
Gardner: So going back to our opening sentiment around the fact that you can’t just wall off data, meaning the more data, the better for your business and the more places that data can get to, the better. You've demonstrated that that’s also core to business innovation, such as growing revenue in new ways, and being agile and adaptive to very competitive markets. That’s a very interesting example.
Before we sign off, Chris, where do you go next? How do you think your security steps so far have enabled you to be more fleet, more agile, and perhaps find other business benefits?
Gullett: There is no substitute for delivering innovative solutions to problems that are well-known throughout the business, and helping that to build your credibility with the executives and the board of directors.
Certainly, the solution to our PCI-compliance issues, which did get a lot of exposure to the company’s executives and the board, by being able to solve that quickly and without an impact to the operations of the airline, that brought information security awareness to a level that we had not previously enjoyed at the airline. Although, if you talk to our executives and our board, they're going to tell you information security is very important, and I believe they believe that.
The fact that you can demonstrate that you can deliver solutions that don't break the bank and do what they say they do, means a lot. Going back to that three-legged stool, technology and the HPE Security products that we implemented for PCI are just one part.
For example, if the folks aren't handling the credit cards properly or if they're not adequately protecting the data that they have on their mobile devices out in the field, our risk is just as great as a credit-card data breach would have been before we had implemented the tokenization. These are all things we kind of worry about.
Gardner: I'm afraid we'll have to leave it there. We've been discussing how airline Allegiant Air solved their PCI problem and got a whole lot better security and business culture as well. And we have seen how security technology can lead to a better posture maturity and then ultimately to cultural transformation and many added business benefits.
So join me in thanking our guest, Chris Gullett, Director of Information Assurance at Allegiant Air in Las Vegas. Thanks so much, Chris.
Gullett: Thanks, Dana. I appreciate it, and enjoyed the time with you today.
Gardner: I would like to thank our audience as well for joining us for this Hewlett Packard Enterprise Voice of the Customer security transformation discussion. I’m Dana Gardner, Principal Analyst at Interarbor Solutions, your host and moderator for this ongoing series of HPE-sponsored discussions. Thanks again for listening, and do come back next time.
Copyright Interarbor Solutions, LLC, 2005-2016. All rights reserved.