Securing business data

Virgin Atlantic Airways - PCI DSS & Penetration Testing

Case Study: virgin_atlantic_555px3
Virgin Atlantic Airways 

As part of their PCI programme Virgin needed to rebuild a number of key business systems and applications. The security and compliance requirements for these application were paramount as they handled credit card data. CNS were able to help VAA though-out the Secure Software Development Life Cycle in order to ensure the applications were built securely.


The Client

Virgin Atlantic is the UK’s 7th largest airline in terms of passenger volume. In 2013 it carried over 5.4 million passengers.

"The CNS guys are good and I genuinely like them. They have been enthusiastic and patient throughout the process and provided us with information we needed at the right time. We are now confident that final deployment of our applications will be secure and PCI Compliant. ". 
PCI Programme Manager, Virgin Atlantic Airways Ltd.


The Challenge

Virgin Atlantic needed to refresh some major internal applications and ensure that they were secure for the purposes of PCI DSS accreditation, fit for purpose and for their high profile. The building of these types of system are a massive challenge and ensuring that security considerations are taken into account without inject delay into the delivery of the project can be very difficult especially as the new applications are interacting with established central systems and multiple 3rd parties.


The Solution

CNS were engaged to provide Advisory services regarding the security of new applications and systems. The CNS Test team were able to engage early on the project  and began by reviewing the architectural and design plans for the systems and giving recommendation for their deployment. This was followed by a code review of the primary application and a review of 3rd party connectivity. A number of security issues were highlighted in this process which allowed VAA and their developers to address these issues well in advance of the application release and prior to penetration testing. This process also afforded the VAA operations team to review the coding practises for future deployments. Over the 2 year development life cycle of the application engaged at regular periods to review release plans and test additional and revised functions. The primary application was then penetration testing prior to being deployed into a 3rd party data center environment.


Services Used:

  • SecureSDLC
  • Infrastructure Testing (internal & 3rd Party)
  • Code Review
  • Architecture and Build Review
  • External Penetration Testing
  • Vulnerability Assessment
  • 3rd Party Audit and Risk Assessment

The Result

The security posture of the Virgin Atlantic Airways booking and payment systems is in a mature state. Security has been embedded as part of the SDLC process. 

Get in touch

Talk to our experts today
call us

Get in touch

Talk to our experts today +44 (0) 20 7592 8800

Send us a message

We'll get back to you Send us a message

Connect with us

See what we're saying elsewhere