

The National Academies | 500 Fifth St. N.W. | Washington, D.C. 20001
Copyright © National Academy of Sciences. All rights reserved.




PCI DSS Qualified Roles

Depending on the PCI DSS compliance validation requirement, there are several authoritative or qualified roles that may be required to participate in an audit to achieve the validation.

Qualified Security Assessors

The PCI-Council qualifies companies as QSAs. Employees of QSA organizations have been certified by the PCI-Council to validate a business's compliance with and adherence to PCI DSS requirements. A QSA will work with an entity through audits and tests to identify missed requirements and to ensure that remediation achieves the desired compliance results. The PCI-Council has qualified more than 100 companies and has certified more than 1,500 assessors (15). QSAs are generally required for validation purposes for merchants and/or service providers in the Level 1 category, and this is consistent across all card brands.

Approved Scanning Vendors

ASVs are organizations capable of performing vulnerability scans of a merchant's and/or service provider's Internet-facing systems and networks. More than 130 ASVs have been approved by the PCI-Council (15). ASVs are required within multiple merchant and/or service provider levels for requirements validation.

Self-Assessment Questionnaire

The SAQ serves merchants and service providers in multiple ways. One way is that it can be used to conduct a self-evaluation of an entity to assess where the organization stands in regard to PCI DSS compliance requirements and to provide visibility as to where deficiencies may exist. The other service of the SAQ is requirements validation, mostly at the lower-transaction-volume merchant and/or service provider levels.

Industry Certifications

The Society of Payment Security Professionals (SPSP) has developed two certification programs for the PCI. Individuals attaining certification are not thereby qualified to perform PCI DSS compliance validation; however, they do provide businesses with another resource with a high-level understanding of PCI. Some businesses include industry-certified resources as part of their financial or technology teams.

The certified PCI security manager (CPISM) identifies individuals who have gained expertise and have passed required tests in the areas of PCI structure, card structure and data, transaction processing, fraud statistics and trends, merchant risk analysis, laws and regulations, security programs, and third-party relationships (16).

The certified PCI security auditor (CPISA) identifies individuals who have gained expertise and have passed required tests in the areas of information technology and networking, information security concepts, and auditing (16).

AIRPORT PCI

Understanding the PCI DSS and the requirements for compliance can create confusion in even the simplest of business operations, but airport operations can have several other variables that increase the complexity and add to the ambiguity. Between the network, databases and servers, applications, and the touch-points of cardholder data, the airport must understand who owns which piece of the PCI DSS responsibilities and set an approach or strategy not only to achieve compliance, but also to structure a program to ensure continued compliance.

This section examines the airport business processes that an airport must consider in developing a PCI DSS strategy. By taking a first step to understanding where the cardholder data "touch-points" exist, an airport can begin to organize the boundaries of its PCI DSS responsibilities.

Passenger-Initiated Processes

Booking/Reservations

A passenger today is capable of initiating reservations at off-airport venues where payment card data does not travel across any portion of the airport infrastructure and is not stored on airport systems and, therefore, would not be a PCI DSS responsibility of the airport. However, some on-site ticketing operations are conducted at the airport that, on the basis of the PCI DSS compliance requirements, would be an airport's responsibility. While ticketing functions may be handled at an airline-operated station on the airline-owned systems, investigation is required to determine if payment card data used at the station is transmitted to the airline connection

using any portion of the airport's network. If such is the case, the airport would need to identify that situation as a touch-point and would need to apply PCI DSS security measures accordingly.

Since many booking and reservation processes can be accomplished using the Internet, an airport that provides Wi-Fi access to passengers, either as a free or paid service, would be required to address the wireless network access points as a touch-point for inclusion in a PCI DSS program. However, in airports where Internet access is not provided, this situation would not be applicable.

Check-in

Passenger check-in may include multiple opportunities for using cardholder data. Passenger identification may be initiated with the use of a payment card. Additionally, actual payment transactions may be used for baggage fees (e.g., checked-bag, excess-bag, and excess-weight charges), flight upgrades, seat charges, plus any other options presented to the passenger for purchase.

These functions may be conducted on passenger-facing airline-proprietary equipment or through common use self-service (CUSS) kiosks, as shown in Figure 6. Whether the check-in process is conducted in the airline-proprietary or common use scenario, the passenger could be using a payment card to initiate the check-in procedure. Based on the network configuration of the airport, if the cardholder data is transmitted across any portion of the airport-owned network, then a cardholder data touch-point should be identified.

Figure 6 Passenger check-in at a CUSS kiosk.

In addition to data transmission across the network, the use of payment card data for any processing within airport operations creates the need to address data security compliance. If the data is stored, even temporarily, in a database, or if further processing is conducted on the data either prior to transmission or upon receipt, then a database touch-point can be acknowledged and the PCI DSS compliance requirements relating to secure systems, applications, and data access would need to be assessed.

Airlines engaged in business with the airport do not have an opportunity to choose a service provider for connectivity to their own systems and are therefore in a "captive" environment. They must gain connectivity through an airport network and possibly through airport systems in which common use systems are employed. Airports must be in PCI DSS compliance, with the proper level of due diligence employed to ensure the integrity of the airline customers' cardholder data and the tenant airline's public reputation as well. Part of the due diligence of an airline is to find secure providers. However, in a captive environment this is not always possible, and that could impact the airlines' own ability to achieve PCI validation.

On-Airport Dwell Time Services

Depending on an airport's size and business model for tenants (non-passenger-processing functions), there could be a vast array of POS functions being conducted through multiple businesses, both retail and service, in leased or rented spaces on the airport property. At every POS opportunity, if the business merchant accepts payment cards for purchases, the cardholder data needs to be protected to meet DSS compliance. Where cardholder data is transmitted across any portion of an airport-owned network, that network and its active infrastructure devices are required to meet the PCI DSS requirements. The key again is the cardholder data. In POS situations, the POS terminal may be in assessment scope depending on the ownership of the terminal (supplied by the airport, tenant contracts their own, etc.). The network used by the tenant to transmit the transaction is in the scope of the airport assessment if it is owned by the airport.

Airports that collect POS data from tenants for use in the airport business operation (tenant charges based on sales volume, percentage-of-sales paybacks, etc.) may also need to assess the data storage and processes in light of PCI DSS compliance. Any data

collection that contains cardholder data extracted from the POS transactions would be subject to PCI DSS compliance requirements. In some instances, there could be hardcopy reports that are generated and shared between tenant and airport containing cardholder data, thereby generating the need for PCI DSS requirements relating to data protection.

In some airports, the airport and/or airline may charge for access to lounges, clubs, VIP membership services, and so on. The considerations described for airport tenants would apply with the same scrutiny to uncover cardholder data touch-points that would need to be addressed as a part of the PCI DSS assessment.

A Wi-Fi service provided by airports to passengers in either a fee-paid or free scenario is becoming more and more popular. Considering the fee-paid situation, the fee itself may be secured through a payment card transaction via the Internet. If the cardholder data is captured by an airport system, stored, or used for processing, then there is the obvious requirement to secure the data in regard to the DSS. The wireless access points, whether used through a pay-for-service or free service, will need to be investigated and assessed according to PCI compliance.

Arrival

Potentially, parking revenue control systems are a key element of an airport's revenue stream. In many cases, the collection of parking fees is conducted with the capability of using payment cards to settle the fee amount. Very similar to the other scenarios described, the setup of the network, the use of the cardholder data, and the processing methods employed for the payment transaction create an impact on the PCI DSS requirements the airport must address.

Tenant-Based Business Processes

In the course of standard business that takes place between on-site tenants and the airport, there are multiple transactions that may occur between the two. The methods used for paying the appropriate fees to the airport are varied as well and may be unique based on the contractual arrangements.

The system used by the airport to conduct receivables may permit the use of payment cards and may or may not utilize cardholder data (business or personal) in conjunction with the payment transaction. The capture of the cardholder data, stored, processed, or transmitted to handle the business transaction, becomes the key to identifying another touch-point within the airport business operation that is expected to comply with PCI DSS requirements (Figure 7). Transactions that could be included, depending on the airport business system model, are as follows:

  Lease payments,
  Rental payments,
  Utility payments,
  Service provider payments, and
  Penalties and fees.

Figure 7 Tenants rely on airport compliance with PCI DSS requirements.

Some airports store the cardholder data in an electronic format, such as a spreadsheet, or as hardcopy, such as notes in the tenants' files. It may seem logical to store this data for later use, such as with T-hangar rentals, lease payments, and others, but PCI DSS does not allow it: sensitive authentication data (the card verification code, full magnetic-stripe contents, and PINs) may never be retained after authorization, and any stored PAN must be rendered unreadable, protected, and kept only as long as a documented business need requires (Requirement 3, with Requirement 9 governing hardcopy media). An ad hoc spreadsheet or a note in a tenant's file cannot satisfy those controls.

Airport Operations Business Processes

Normal airport business requires payables that could also be subject to the PCI DSS should payment cards be utilized to initiate the payment transaction. Payments made using direct bank access (non-card-brand debit, paper checks, etc.) would not be a PCI DSS issue from the airport perspective because there is no touch-point of payment card data being transmitted or processed.

Stored payment card data in the payables system would need to comply with PCI DSS requirements. Again there are many portions of the requirements that would be dependent on the configuration of the network; access capabilities to the data; how the data is processed and transmitted; and the security of the network, servers, and databases.

A key starting point for discovery of PCI DSS compliance is not unlike the other areas previously discussed. Where is payment card data stored and what are the touch-points of the data? The airport should be able to assess what databases store payment card data, what systems use that database, what servers house the database, what networks are used for data transmission, and so on.

Concerns

From an airport's perspective, PCI DSS compliance raises many questions and concerns, but clarification is not always readily available. Airports that have had some experience with PCI DSS programs, whether just starting or in progress, have discovered that even interpretation by the QSAs is subject to variation, and the validation requirements or remediation requirements could be more or less stringent depending on the QSAs' interpretations. What follows are some discussion points on these areas.

Scope of PCI DSS Compliance

SYSTEMS

The airport IT organization is heavily relied upon for a PCI DSS compliance program. One airport interviewed during the research emphasized that the inclusion of IT is instrumental for achieving successful results. Even though the airport director's sponsorship and enforcement are recommended, the IT organization will be expected to address not only the current assessment findings but will probably also be required to accomplish the remediation efforts.

Purchased software may be marketed as "PCI ready," meaning it should meet the PCI standard for payment application software as delivered. However, the installation and configuration of the software and/or the platform on which the system is implemented could create an "out of compliance" situation.

PCI DSS security requirements should be examined to ensure that compliance is met for any in-house developed software in production for any payment applications within the airport. There is a PA DSS established by the PCI-Council for developers of payment application systems; however, as long as the in-house developed software has not been sold to a third party, the PA DSS does not apply, and the application is instead examined as part of the airport's own PCI DSS assessment.

Airports responding to the research team interviews reported that the scope of systems in their current or planned PCI DSS compliance program included:

  Common use systems,
  Parking revenue control systems,
  Commercial vehicle management,
  Network,
  POS applications, and
  Any system involving payment card data.

Each airport must consider its business systems as unique and should investigate applications or systems in which payment card data is stored, processed, or transmitted, and include them in the program scope.

PLATFORM

The platform used by the airport is not necessarily a stand-alone component in the PCI DSS scope; however, it potentially can have an impact on systems or networks with certain restrictions or functionality that a system must abide by in order to meet compliance requirements. A platform includes the operating system, computer architecture, and programming languages that an application runs on. Remediation of non-compliance situations will require updating of the system, hardware, and network as a part of the solution.

NETWORK

Network configuration and segregation will be critical in determining required data security protection. The suggestion of one airport interviewee was to protect the data moving outward. Applying firewalls can be costly, but the security of the data during transmission will be extremely crucial for ensuring that the data remains protected during its time on the airport network.

CORE ROOM

A core network room or server room where systems that hold cardholder data reside, where network administration/management is conducted, or where cardholder data is transmitted requires not only security of the systems and network access, but also security of physical access to the room itself. A physically secure location would include, minimally, the ability to monitor access and the ability to log the in and out activity of the room in addition to any actual network server access activity.

Resources

Attention to a PCI DSS compliance program can require extensive resources from the point of self-assessment through remediation, qualified assessment, and then ongoing maintenance and administration. Airports must also determine, on the basis of their current resource allocations, whether they contract resources for each of the phases.

Smaller airports may find the resource requirements to engage in the PCI DSS daunting and will need to consider outsourcing a majority of the tasks, which could increase the cost of the program from the beginning. Even with this initial obstacle overcome, the need to have the resources required to comply with ongoing management and administration of the program may require outsourced arrangements as well. An airport respondent stated that there was a need to have one resource responsible for network security; however, the organization did not have a separation of duties to comply with that demand. Potentially, reorganization may be required. However, this could lead to the need for additional resources, which may conflict with budgets and staff size.

Requirements

The 12 requirements established for PCI DSS compliance apply to all businesses, organizations, or service providers that store, process, or transmit payment card data. Airports question whether any of the 12 requirements do not apply to airports or do not apply on the basis of the size of the airport.

The perspective of the card brand industry is that the 12 requirements are the 12 requirements and they apply throughout, regardless of the business type or situation. The size of the airport is not a variable in determining the compliance expectations. The determining factors are:

  Does the airport operate as a merchant, service provider, or both?
  At what level within the merchant and/or service provider criteria does the airport operate? (This is based essentially on the volume of transactions processed annually.)

Once the above questions are answered, the validation requirements, again defined and enforced by the card brand, will then be known so that the airport can begin to develop the plan for meeting compliance.

Each requirement should then be investigated as it applies to the airport and the determination made as to what validation requirements will need to be met in order to meet compliance. As an example, a large airport providing wireless access to its passengers will be required to demonstrate security at the wireless access points, whereas a small airport that has no wireless network in place will not have to meet the same requirement. It is not the size of the airport, but the operation of the airport that is the determining factor.

Time Investment and Plan of Action

The time required to act on PCI DSS compliance is relative to the complexity of the program that needs to be implemented. According to the airports interviewed for this research, the time span ranged anywhere from 8 months to 5 years. Multiple airports responded that their time investment is estimated based on a target date in the future, 1 to 2 years out. As with many projects that extend over multiple years, unforeseen circumstances could create an impact on the schedule.

An airport can begin with an understanding of the tasks that should be considered when developing a time line for its PCI DSS program. These tasks can include:

ASSESSMENT OF CURRENT ENVIRONMENT--an assessment of the current airport environment sets the groundwork for determining what needs to be done. The assessment can include:

  Inventory of Documentation Available--what documentation is available and how current it is, relating to network diagrams, office space diagrams, system and software inventory, database inventory (cardholder data), servers and server content.
  PCI DSS Scope--using the inventories, the cardholder data touch-points can be identified for decision on what is to be included in the PCI DSS compliance program.
  Identify Security Components--identify what security systems are in place for the network, database, or system access, as well as physical security conditions (room security).

ACTION PLAN FOR CURRENT ENVIRONMENT--on the basis of what is uncovered in the assessment phase, a plan of action will need to be developed. The plan of action will take into consideration priorities, resource requirements, other projects, and the cost considerations. One airport reported that they used the SAQ to determine the tasks to plan for. At this point, an airport would have the option to engage QSAs or consultants to analyze the current environment and to determine next steps, priorities, and time considerations.

REMEDIATION TASKS--the time investment here could be extensive depending on the pre- and post-audit remediation tasks that have been identified. In some cases, airports have included the remediation tasks as part of existing or planned projects such as network upgrades or installations. System modifications or replacements are projects in and of themselves due to the rigor surrounding requirements gathering, design or procurement decisions, training, and implementation.

AUDIT--the audit time investment will be dependent on the level criteria of the airport. Preparation for the audit, contracting the auditor(s), scheduling the audit, and aligning resources for audit access and research/test execution will all be included in the time estimate. The required annual or quarterly ongoing tests should also be included in time budget planning.

Cost

Similar to the time investment, the costs associated with a PCI DSS compliance program are varied as well. While the interviewed airports reported a fairly low cost component, most were considering only the actual expense of hiring the qualified resources to conduct the validation requirements. However, in one case, an airport included the cost to replace a parking revenue control system that was required in order to become compliant. The need to replace or vastly overhaul a system in order to become compliant should be included in the cost considerations for the program. The program cost should encompass not only the cost of compliance, but the remediation cost as well.

It should not be surprising that costs are relative to the validation requirements that an airport may be required to address. The merchant or service provider level will have an impact on the program cost due to the stringency of the validation requirements and potentially due to the QSA interpretation of what the airport must do to achieve compliance. Also, the costs of the program may be spread across years depending on the deadlines imposed for the requirements. In some cases, an extreme up-front outlay of cost may be required due to an impending deadline, when in other cases the cost may be budgeted over multiple quarters or years if the luxury exists that the deadline is further in the future.

COST OF COMPLIANCE

Documented network diagrams and policies--depending on what documentation an airport currently has available, it may be required to develop the documentation from scratch. Potentially, if documentation exists, its fidelity to the actual current environment may require minor or significant updates. Either of these conditions will consume existing resources or require additional resources to accomplish.

Resource costs--internal resource costs are sometimes "not counted" since the airport pays its employees regardless of the task assignment. However, the cost of internal resources should be counted because these resources may no longer be available for other tasks required in the operation. Additionally, resource consumption for training, both for trainers and trainees, can be extensive.

Asset inventory--resource consumption will be required to identify the assets that are to be included in the scope of the PCI DSS program. As mentioned before, in addition to the network and network components, servers, software, and passenger-facing hardware (CUSS kiosks) are some of the assets to include. Any backup environment of the systems should be included in the inventory as well. The asset inventory should also include hardcopy data/reports that may contain cardholder data, which may be stored throughout the airport facility. These are assets that would require security in addition to the electronic data.

Testing--the testing task is one that could include preliminary testing prior to the actual testing required by audits. This testing could uncover remediation necessities that can be addressed before scheduling audits.

Assessments and Audits--the cost of contracting the appropriate qualified assessment companies or suppliers will be based on the validation requirements for the level of the airport. In some cases, businesses have hired or invested in in-house resources to become certified in the PCI industry in order to enable some of the validations to be met with internal resources. Additionally, costs should be captured for in-house resources that are devoted part or full time to the test and validation process as well as for the time these resources devote to the PCI auditors.

COST OF REMEDIATION

System modifications or replacements--depending on the findings of the systems within the scope of the PCI DSS, the need for major overhauls or potentially even replacement may
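The section above keeps returning to one practical question: where does payment card data actually sit at an airport (receivables spreadsheets, notes in tenant files, POS exports, parking revenue reports), since every such location is a touch-point that belongs in scope and that may be holding data PCI DSS does not permit to be retained. The following Python script is an added example written for this page; it is not part of the synthesis, and it is not any airport's or the PCI-Council's tooling. It scans text exports for PAN-shaped numbers, discards candidates that fail the Luhn check or carry no recognized brand prefix (the brand table is a deliberately simplified assumption of this example), reports each hit only in PCI-compliant masked form (first six and last four digits), and flags lines where a CVV, PIN, or track reference is written beside the number, because that is sensitive authentication data that may never be stored after authorization. The file names and their contents are constructed sample data.

```python
"""Cardholder-data discovery: find PAN-shaped numbers in text exports (constructed sample data)."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# 13 to 19 digits, allowing one space or hyphen between digits, not part of a longer digit run.
PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")
# Words that suggest sensitive authentication data was written down next to the PAN.
SAD_KEYWORDS = re.compile(r"\b(?:cvv2?|cvc2?|cid|pin|track\s?[12])\b", re.IGNORECASE)

# Constructed sample exports standing in for a receivables spreadsheet, tenant-file notes,
# and a parking revenue control report; none of this is real data.
SAMPLE_SOURCES: Dict[str, str] = {
    "tenant_receivables.csv": (
        "tenant,invoice,amount,payment_ref\n"
        "Concourse B Newsstand,INV-2041,1250.00,4111 1111 1111 1111\n"
        "Runway Cafe,INV-2042,380.50,check 10482\n"
        "Sky Parking LLC,INV-2043,9900.00,acct 1234567812345678\n"
    ),
    "t_hangar_notes.txt": (
        "Hangar T-7 renter pays monthly; card on file 5555-5555-5555-4444 exp 09/14\n"
        "Hangar T-9 paid by cashier's check; phone 202-555-0123\n"
        "Hangar T-12 corporate Amex 378282246310005, CVV 123 (see binder)\n"
    ),
    "parking_daily_report.txt": (
        "Lane 3 exit 06:42 ticket 00987 paid 18.00 auth 6011111111111117\n"
        "Lane 3 exit 06:51 ticket 00988 paid 4.00 cash\n"
        "Lane 4 exit 07:10 ticket 00991 declined 4111111111111112\n"
    ),
}


@dataclass(frozen=True)
class Finding:
    source: str
    line_no: int
    brand: str
    masked_pan: str
    sad_indicator: bool  # CVV/PIN/track keyword on the same line


def luhn_valid(digits: str) -> bool:
    """Luhn mod-10 check: double every second digit from the right, fold to one digit."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def card_brand(digits: str) -> Optional[str]:
    """Simplified brand table (an assumption of this example): IIN prefix plus issued lengths."""
    n = len(digits)
    if digits[0] == "4" and n in (13, 16, 19):
        return "Visa"
    if n == 16 and (51 <= int(digits[:2]) <= 55 or 2221 <= int(digits[:4]) <= 2720):
        return "Mastercard"
    if n == 15 and digits[:2] in ("34", "37"):
        return "American Express"
    if 16 <= n <= 19 and (digits.startswith(("6011", "65")) or 644 <= int(digits[:3]) <= 649):
        return "Discover"
    return None


def mask_pan(digits: str) -> str:
    """PCI DSS display masking: at most the first six and last four digits are shown."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def find_pans(text: str, source: str) -> List[Finding]:
    """Return one Finding per Luhn-valid, brand-recognized PAN, never exposing the full number."""
    findings: List[Finding] = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for m in PAN_CANDIDATE.finditer(line):
            digits = re.sub(r"[ -]", "", m.group(0))
            brand = card_brand(digits)
            if brand is None or not luhn_valid(digits):
                continue  # invoice, account, or ticket numbers that merely look like a PAN
            findings.append(Finding(source, line_no, brand, mask_pan(digits),
                                    bool(SAD_KEYWORDS.search(line))))
    return findings


def scan_sources(sources: Dict[str, str]) -> List[Finding]:
    """Scan every export; each hit is a cardholder-data touch-point to bring into scope."""
    return [f for name, text in sources.items() for f in find_pans(text, name)]


if __name__ == "__main__":
    for f in scan_sources(SAMPLE_SOURCES):
        note = "  [sensitive authentication data written alongside]" if f.sad_indicator else ""
        print(f"{f.source}:{f.line_no}  {f.brand:<16} {f.masked_pan}{note}")
```

Run against the sample data the script reports four touch-points (a Visa number in the receivables sheet, a Mastercard and an Amex number in the hangar notes, a Discover number in the parking report) and skips the 16-digit account number and the declined number, both of which fail the Luhn check. The Amex line is additionally flagged because a CVV was written next to the card number. In a real engagement the same logic would be pointed at file shares, database dumps, and scanned hardcopy, and the output, which never contains a full PAN, becomes the starting inventory for the scoping exercise the report describes.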