Compliance

Security standards, regulatory compliance, and accessibility requirements.

Scope

Security Standards

  • PCI-DSS (Payment Card Industry)
  • SOC 2 (Service Organization Controls)
  • ISO 27001 (Information Security)

Regulatory Compliance

  • DOT (US Department of Transportation)
  • EU Passenger Rights (EU261)
  • Aviation security regulations

Accessibility

  • ADA (Americans with Disabilities Act)
  • WCAG 2.1 (Web Content Accessibility)
  • Section 508

Research Topics

  • PCI-DSS scope and requirements
  • SOC 2 Type II certification
  • DOT consumer protection rules
  • EU261 compensation rules
  • WCAG 2.1 AA requirements
  • Aviation security (TSA/ECAC)
  • Accessibility testing tools
  • Compliance automation

PCI-DSS Compliance

Scope Reduction Strategies

Full Scope:
└── Process, store, transmit card data

Reduced Scope (SAQ A):
├── Hosted payment pages (iframe)
├── Tokenization
├── No card data in airline systems
└── Redirect to payment provider

Remaining Scope:
├── Redirect page security
├── Token handling
└── Refund initiation

Requirements Summary

Requirement              | Description
-------------------------|-------------------------
Build secure network     | Firewalls, no defaults
Protect cardholder data  | Encryption, masking
Vulnerability management | AV, patching
Access control           | Need-to-know, unique IDs
Monitor and test         | Logging, pen testing
Security policy          | Documented policies

Compliance Path

Level | Annual Transactions | Assessment
------|---------------------|----------------------
1     | >6M                 | QSA on-site audit
2     | 1-6M                | SAQ + quarterly scan
3     | 20K-1M              | SAQ
4     | <20K                | SAQ

SOC 2 Compliance

Trust Services Criteria

Category             | Focus
---------------------|------------------------------------
Security             | Protection from unauthorized access
Availability         | System uptime commitments
Processing Integrity | Accurate, complete processing
Confidentiality      | Data protection
Privacy              | PII handling

Report Types

  • Type I: Controls at a point in time
  • Type II: Controls over a period (6-12 months)

Common Controls

Security:
├── Access control
├── Network security
├── Encryption
└── Logging/monitoring

Availability:
├── Disaster recovery
├── Capacity planning
├── Incident management
└── SLAs

Processing Integrity:
├── Input validation
├── Error handling
├── Transaction logging
└── Reconciliation

DOT Consumer Protection

Key Regulations

Rule                   | Requirement
-----------------------|-------------------------
Full fare advertising  | All-in pricing
Baggage fee disclosure | Prominently displayed
Tarmac delay rules     | 3-hour limit (domestic)
Denied boarding        | Compensation schedule
Refund rules           | Prompt processing

Tarmac Delay Requirements

  • 3-hour limit (domestic), 4 hours (international)
  • Food, water, restrooms provided
  • Medical emergencies addressed
  • Option to deplane if safe

Denied Boarding Compensation

Delay     | Compensation
----------|------------------------
0-1 hour  | None
1-2 hours | 200% fare (max $775)
2+ hours  | 400% fare (max $1,550)

EU261 Compliance

Passenger Rights

Situation       | Entitlement
----------------|--------------------------------------------
Cancellation    | Refund or rerouting + compensation
Long delay      | Care + compensation (if >3h arrival delay)
Denied boarding | Rerouting + compensation
Downgrade       | Partial refund (30-75%)

Compensation Amounts

Distance      | Amount
--------------|--------
<1,500km      | EUR 250
1,500-3,500km | EUR 400
>3,500km      | EUR 600

Exemptions

  • Extraordinary circumstances
  • Weather, ATC, security
  • Strikes (external)
  • Advance notice (>14 days)

Accessibility (WCAG 2.1)

Level AA Requirements

Perceivable:
├── Text alternatives for images
├── Captions for video
├── Sufficient color contrast (4.5:1)
└── Resize text to 200%

Operable:
├── Keyboard accessible
├── Skip navigation links
├── No time limits (or extendable)
└── Clear focus indicators

Understandable:
├── Clear language
├── Consistent navigation
├── Error identification
└── Labels for inputs

Robust:
├── Valid HTML
├── ARIA where needed
└── Compatible with assistive tech

Testing Approach

Method       | Tools/Approach
-------------|---------------------------------
Automated    | axe-core, WAVE, Lighthouse
Manual       | Keyboard testing, screen reader
User testing | Users with disabilities

Priority Areas

  1. Booking flow (high traffic)
  2. Check-in process
  3. Flight status
  4. Manage booking
  5. Customer service

Aviation Security

TSA Requirements (US)

  • Secure Flight passenger data
  • Checked baggage screening
  • Employee background checks
  • Access control systems

ECAC Requirements (EU)

  • Passenger screening
  • Baggage reconciliation
  • Cargo security
  • Airport security programs

Compliance Management

Continuous Compliance

Policy
  ↓
Controls
  ↓
Monitoring
  ↓
Evidence Collection
  ↓
Audit Readiness
  ↓
Remediation
  ↓
(repeat)

Tools

Function            | Options
--------------------|----------------------
GRC Platform        | ServiceNow, OneTrust
Policy Management   | Document control
Evidence Collection | Automated collection
Audit Management    | Tracking, scheduling