The National Academies of Sciences, Engineering, and Medicine
500 Fifth St. N.W. | Washington, D.C. 20001

Copyright © National Academy of Sciences. All rights reserved.
Terms of Use and Privacy Statement

Noncompliance Penalties

Fines may be imposed by the card brands when merchants or service providers do not meet the validation requirements by a stated deadline. Additionally, should cardholder data, owned within the airport business, be compromised, significant fines can be imposed by the card brands.

PCI AUDITS

Audit Preparation

Understanding Current Conditions

PCI DSS compliance is an intended way of doing business and not simply a one-time or annual event. The practices and requirements described in the previous section are items that may require new or improved operational processes and controls. A program would involve an ongoing process for monitoring, change control, maintenance, and administration.

An initial investigation as to where an airport stands in relation to classification (merchant, service provider, or both) is a required first step needed in order to assess the requirements that would apply. Additionally, an inventory assessment of assets focused on the areas that apply to PCI Data Security provides a foundation for investigation of security measures that may or may not be in place. The key for determining what should be included in the asset inventory is to identify the "touch-points" of cardholder data. Wherever cardholder data is stored, received, sent, or processed is the foundation for an inventory.

In any of the previous situations, the database, application(s), server(s), network(s), and gateway(s), including any back-up or mirrored systems, would need inclusion in the inventory. Assets need to include non-electronic locations as well. If there are file cabinets with cardholder information, or desk drawers that contain even handwritten cardholder information, these should be included in the asset inventory.

Having the asset inventory complete, a step-by-step application of the requirements to the assets will deliver "yes/no" responses as to whether the requirement is satisfied or not.

For example, a virtual private network (VPN) is in place and includes connection to a server with a database containing cardholder data. PCI DSS Requirement 1 states that the network must have a firewall configured to protect the data. The first question to answer is whether or not a firewall is in place on the VPN. If "yes," then is it configured in such a way that only authorized access to the data server and database can be achieved? If the answer to either of these questions is "no," then an action item can be established to implement the needed firewall. This process would be repeated for each asset within the PCI DSS environment owned by the airport.

Once the deficiencies have been identified, remediation efforts can begin by prioritizing the tasks necessary to make the "no" answers "yes" answers, along with planned dates for completion. The PCI Council provides a thorough checklist of items by requirement to help with detailed consideration of a current environment assessment (14).

PCI Audit Approach

Using a PCI QSA for preliminary discussion on the airport's specific PCI DSS program strategy or approach is a good practice not only in preparing for an audit, but also for ensuring that a sound program is being developed for the long term. There are several PCI consulting firms promoting PCI compliance "readiness assessments" or "roadmaps" that can be used as an approach for dealing with the complexities of PCI DSS. The breadth of the program can include everything from assessing current conditions to remediation, all the way through to audit and reporting.

Scheduled Audit Preparation

The business (merchant and/or service provider) should expect to invest time in preparation for a scheduled audit. The various preparation tasks should include:

Documentation and Information--all information that could be utilized in presenting the various PCI DSS compliance aspects of the business should be collected and organized in a structure that will allow proper access and be readily available for an auditor or audit team. The information should be directly related to the intent to provide requirement compliance.

Management and Staff--appropriate resources, including the manager and key staff members, should be identified prior to the audit and then presented at audit initiation. This effort will allow both the audit team and the organization's resources to use time efficiently.
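The per-asset "yes/no" walkthrough described above, as an added example that is not part of the report: a small Python gap-analysis helper that records cardholder-data touch-points as inventory entries, applies the two Requirement 1 firewall questions from the text to each electronic asset, and turns every "no" into a prioritized action item with a planned completion date. The asset names, the check fields, the priority scheme and the due-date offsets are constructed assumptions.

```python
from dataclasses import dataclass
from datetime import date, timedelta

@dataclass
class Asset:
    name: str
    kind: str                    # e.g. "vpn", "database", "file-cabinet"
    stores_card_data: bool
    firewall_present: bool = False
    firewall_restricts_access: bool = False  # only authorized access to data server / DB

# Constructed sample inventory: electronic and non-electronic touch-points.
INVENTORY = [
    Asset("airport-vpn", "vpn", True, firewall_present=True, firewall_restricts_access=False),
    Asset("pos-db-01", "database", True, firewall_present=True, firewall_restricts_access=True),
    Asset("backup-mirror", "database", True, firewall_present=False),
    Asset("finance-file-cabinet", "file-cabinet", True),
]

# Requirement 1 questions as posed in the text: (question, predicate, priority, days to fix).
# Priorities and day offsets are assumed values, not from the report.
REQ1_QUESTIONS = [
    ("Is a firewall in place?", lambda a: a.firewall_present, 1, 30),
    ("Does the firewall allow only authorized access to the data server and database?",
     lambda a: a.firewall_restricts_access, 2, 60),
]

def applies_to(asset):
    # Non-electronic locations stay in the inventory, but Requirement 1 is a network control.
    return asset.stores_card_data and asset.kind != "file-cabinet"

def assess(inventory, today=date(2024, 1, 1)):
    """Return action items for every 'no' answer, highest priority and earliest due first."""
    items = []
    for asset in inventory:
        if not applies_to(asset):
            continue
        for question, check, priority, days in REQ1_QUESTIONS:
            if not check(asset):
                items.append({"asset": asset.name, "requirement": "PCI DSS 1",
                              "gap": question, "priority": priority,
                              "due": today + timedelta(days=days)})
                break  # a missing firewall makes the configuration question moot
    return sorted(items, key=lambda i: (i["priority"], i["due"]))

if __name__ == "__main__":
    for item in assess(INVENTORY):
        print(f"[P{item['priority']}] {item['asset']}: {item['gap']} (due {item['due']})")
```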