
The National Academies of Sciences, Engineering, and Medicine
500 Fifth St. N.W. | Washington, D.C. 20001

Copyright © National Academy of Sciences. All rights reserved.


OCR for page 2

Figure 1 PCI standards relationships.

- Third-party software potentially used for delivering and receiving airline information, managing airport resources, and supplying passenger-facing information;
- Third-party service providers used for conducting airport processes and/or supplying resources; and
- Business processes for regular accounting functions (receivables, payables, etc.).

These factors present an airport with a myriad of possible conditions for which it may or may not need to consider PCI DSS compliance as a necessity. Additionally, with potential variations in the interpretation of compliance validation requirements, airport management faces a "where do I start?" and "where am I going?" situation.

The research conducted for this project found that card brands consider PCI DSS requirements as applicable to all businesses or organizations that conduct business using payment cards or cardholder data in their process(es). There is not a specific airport-centric compliance perspective in the PCI; however, qualified security assessors (QSAs) or PCI consultants and auditors would be able to apply PCI DSS requirements to airport-specific conditions.

Airports do not present a "one size fits all" opportunity when it comes to PCI DSS compliance. The various airport sizes and configurations, number of tenants, contractual arrangements, government organization and authority set up, transaction volumes, network segmentation, and classification (merchant, service provider, or both) generate a complex set of scenarios, each one needing a unique PCI program that will meet the compliance objectives. An airport may be a merchant, accepting credit card transactions, and/or be a service provider, providing network services to its business tenants and air carriers.

The time investment made by airports that have either started or are already engaged in their PCI compliance program appears to be widely varied due to the complexities just described. In any of the cases, the investment is considerable and should not be estimated in weeks, but rather in months to years depending on the tasks that are required for completion. Airports may consider starting with the self-assessment questionnaire (SAQ), available through the PCI-Council or through the various QSA consulting firms.

PURPOSE

The Transportation Research Board commissioned this quick response project because of the need to provide background information on the data protection requirements for the PCI DSS and its applicability to the airport environment. As such, this document presents the PCI DSS and the impacts that an airport needs to consider when reviewing their credit data retention policies and systems that process credit card payment transactions.

Airports today are assuming more responsibility and direct ownership of information systems that accept credit card payments. These payments include parking revenue, concession sales, and other services. Airports are being classified by the PCI as merchants and service providers, depending on the level and types of transactions they are supporting. Because of these classifications, the airport operators are required to undergo PCI DSS audits to ensure that they have the proper protections and systems in place to protect cardholder data.

A guide is needed by airports to help them understand the data and network protection responsibilities they must assume when accepting card transactions. The objective of this report is to present an analysis of the PCI DSS, to give an overview of the systems that may be affected, and to present areas for further research and study. The result is an introductory guide for airports as to their responsibilities associated with the commercial PCI DSS.

PAYMENT CARD INDUSTRY DATA SECURITY STANDARD

Basics of the PCI DSS

PCI Security Standards Council

The PCI DSS is a set of standards, developed by the PCI-Council, for the purpose of ensuring payment card data/information security.

The PCI-Council is an organization founded by the major payment card brands--Visa Inc., MasterCard Worldwide, American Express, Discover Financial Services, and JCB International*--in collaboration, to provide direction, guidance, and standards to protect cardholder data information that is subjected to the various methods and mechanisms of transaction processes. While the PCI-Council is responsible for all aspects of PCI standards, it does receive input from an advisory board made up of participating organizations engaged in various aspects of the PCI. The PCI-Council has also implemented certification programs for QSAs and Approved Scanning Vendors (ASVs), creating a mechanism to produce qualified resources to help businesses assess and meet PCI compliance standards.

* The Transportation Research Board, the National Research Council, and the Federal Aviation Administration (sponsor of the Airport Cooperative Research Program) do not endorse products or manufacturers. Trade or manufacturers' names appear herein solely because they are considered essential to the clarity and completeness of the project reporting.

Basic PCI Process

The flow of a payment card transaction engages multiple entities and, therefore, the data/information included in a transaction is also transmitted through several points of control. The components and/or entities involved include the following:

- Cardholder--authorized payment card user;
- Issuer--financial institution that issues payment cards and maintains a contract with cardholders for repayment;
- Merchant--authorized acceptor of payment cards for the payment of goods and/or services;
- Acquirer--financial institution or merchant bank that contracts with the merchant for payment card acceptance and enables payment card payments from customers;
- Consumer Payment Card (brand or system)--financial institution that issues payment cards and/or signs merchants to accept payment cards (Visa, MasterCard, AMEX, Discover, and JCB); and
- Payment Network--network accessed through a service provider that acts as the authorized communication vehicle for transmitting the payment card transaction and for handling the transfer of payment transactions between parties.

These relationships, and the basic places in the payment process in which they apply, are shown in Figure 2.

Figure 2 PCI process entities (Cardholder, Merchant, Service Provider, Acquirer, Network).

There are two main phases for processing a payment card transaction, as shown in Figure 3. Authorization (Phase I) is the transaction, or request, that is initiated electronically when an approval or rejection decision is made by the appropriate authorization issuer. Upon approval, Phase II, clearing and settlement, is initiated when accounts are debited/credited according to the transaction amount (2).

Figure 3 Payment card transaction process flow. Phase I - Authorization (Cardholder, Merchant, Acquirer, Payment Network, Issuer); Phase II - Clearing & Settlement (Merchant, Acquirer, Payment Network, Issuer, Cardholder).

PCI Environment

There are three sets of standards covering the different aspects of the PCI transaction environment:

1. Businesses that use payment cards as a means of payment for services or products,
2. Card device manufacturers, and
3. Payment card application development.

Airport businesses would fall into the first category of standards, the DSS that has been established as a common set of requirements to protect cardholder data when transactions involve technological means to complete the process described above. At any point in business operations in which cardholder data is stored (either electronically or in a hardcopy format) and is used in a payment process (electronic transmission of the data), the business is required to abide by the PCI DSS. An airport may operate as multiple roles within the PCI environment. They may act as a merchant by accepting payment cards to receive payment and/or as a service provider when their network or applications are utilized for the purpose of storing, processing, or transmitting cardholder data, while not being the receiver of payment for goods or services. According to the PCI Compliance Guide, for the purpose of the PCI DSS, a merchant is defined as any entity that accepts payment cards bearing the logos of any of the five members of the PCI-Council as payment for goods and/or services (3). And a service provider is any company that stores, processes, or transmits cardholder data on behalf of another entity (4).

PCI DSS Risks

The process of a merchant or service provider receiving cardholder data and then using it for processing or transmitting from a local network to a gateway or external network has the potential for a data security breach or an exposing of vulnerable points from which data could be intercepted intentionally or unintentionally. Either way, data security is expected and required through the requirements set forth by the DSS.

Vulnerable points of an airport business would include:

- Self-service kiosks where a payment card is used to identify the cardholder and/or to process a payment;
- Other payment stations where payment card data is collected;
- PIN entry devices;
- Networks and network connection points;
- Wi-Fi access points;
- Airport application systems, including:
  - Databases storing cardholder data and redundant systems for business continuity;
  - Application processing and interfaces between systems; and
  - Access, security, authorization, and administration of systems connected to cardholder data;
- System reporting, exposure of cardholder data visibility on reports; and
- Cardholder data handwritten or printed and stored in a non-electronic repository.

While there are many more areas of vulnerability or exposure, the PCI DSS provides a method to ensure that the technology incorporated by the airport has been investigated, compared, and remediated if necessary to meet the requirements of the standard and that a process is in place to maintain the standard and to manage the introduction of changes in systems and technology.

The impact of a cardholder data breach goes far beyond any fines or penalties that may be incurred. The immediate impact of correcting the situation would involve costs for fixing, testing, and implementing as well as a possible shutdown of functionality during the remediation process. Additionally, there is the cost to identify, notify, and provide recommended actions for affected customers/cardholders to take. The potential costs for legal fees would exist should individual or class-action lawsuits be initiated. And the loss of confidence of customers or of employees could generate impacts that are not easily measured in dollars. There have been numerous examples of these types of breaches in the recent past that demonstrate the cost and impact of a cardholder data breach.

PCI DSS Compliance

PCI DSS compliance is expected of all organizations utilizing cardholder data. The PCI DSS comprises 12 basic requirements within six categories of objectives that must be met. An organization using a payment card of any of the card brands to conduct business operations must provide evidence, through the validation requirements, that PCI DSS compliance has been met. The validation requirements are based on varying situations. The card brand, the operation of the organization (merchant or service provider), and the volume of transactions or other conditions make up the factors involved in determining the level of the organization or business. The levels and corresponding compliance assessments or validation methods will be discussed in more detail later in this document.

The PCI DSS requirements are expected to be met as a standard throughout the industry although each card brand defines its own business-level definitions along with its own validation requirements. It is this individuality between the card brands that causes the most confusion when attempting to understand the PCI DSS.

The card brands themselves enforce compliance through a set of compliance validation requirements that are defined for each level established by the card brands. Each level will have a series of tests, audits, and assessments that must be validated by the defined qualified resources required by the card brands. In addition to the validation requirements, the card brands set, or will set, deadlines for meeting the validation requirements. These deadlines may be applied to the compliance requirements in general or possibly to an individual validation requirement.

Airport Functions Affected by the PCI DSS

What does this mean for the various managers in the airport business operation? While there is definitely a technology-centric perspective to PCI DSS compliance, the responsibilities and potential impact may be felt in many functional areas. Each of the management roles listed below may be conducted in various ways depending on the airport size and organization structure, including as outsourced functions. It will be up to each airport to determine the actual impact to their respective areas of responsibility.

Airport Executives

In the research conducted with airports, there seems to be no lack of understanding by airport executives as to the potential risks of non-compliance and the urgency to address those risks. However, the investment in time and money required to achieve compliance is a concern. This is especially the case where auditors vary in the interpretation of the requirements and may make compliance and validation a higher contributor to both cost and time.

Airport executives must consider not only the impact of non-compliance and the associated risks, but also that an ongoing program requires continued support and communication of the importance to all levels of staff and airport employees on a frequent basis. A change in culture in any business is difficult and this is no different for an airport. The assignment of airport executives for compliance responsibilities ensures that a focal point with full authority is communicated throughout the organization. Regular executive staff meetings should include an agenda item on compliance progress and ongoing compliance reports. Visibility of updated compliance metrics (exposures, breaches, recoveries, etc.) ensures an ongoing focus on data security and on the needed awareness of its importance to the airport staff.

Technology Division

As previously stated, PCI DSS compliance has a focus on technology. The technology division will be heavily involved in the program from development through implementation and continued oversight. The information needed to prepare for the PCI DSS will be based in the technology division. It is here that the initial assessment will be formulated and the data collected on existing databases, applications, networks, transaction volumes, transaction data, encryption technology, gateways, and so on.

The technology division will have primary input into technical challenges that will need to be overcome and into the cost in resources and infrastructure that may be required to achieve compliance. The roadmap or program plan will be constructed by the technology division to provide a strategy for prioritization of tasks, resource consumption, cost estimates, schedules and phases, and the methods for moving from the existing environment to a compliant environment.

The technology division will also be required to develop the approach for the actual audit and validation sessions. They will need to investigate any airport operator perspectives on finding the appropriate QSA vendor or ASV depending on the level and requirement validation necessary. The technology division will ensure that audit planning and preparation is complete and ready to engage. Key points of preparation include:

- Readiness of documents;
- Required samplings and test preparation;
- Test resources;
- Staff assigned, aware, and prepared for working with auditors;
- Introductory session with auditors including contact information; and
- Documents organized and appropriate authorization established for auditor access.

The technology division should be in constant communication with the PCI DSS compliance officer assigned by the airport executive management during the audit preparation time and should provide progress reports during the actual audit time period.

Aviation Administration

The aviation administration will be responsible for assessing current processes (system and/or manual) engaging cardholder data, in both electronic and hardcopy formats. The aviation administration will need to conduct an asset inventory of file cabinets, desks, secured rooms, and access authorization processes for any non-electronic security of cardholder information. This may require process review of room/file cabinet key distribution, key cards for room access, and returns due to employee termination.

The aviation administration will need to work closely with the technology division to modify and implement process changes or new process introductions in order to achieve compliance acceptance.

Fiscal Division

The fiscal division is also a key stakeholder in PCI DSS compliance. Financial processes require strict adherence to secure processes for which cardholder data is in use. The fiscal division will also work closely with the information technology (IT) manager dealing with such financial processes both in assessing current practices and required changes. Point of sale (POS) processes will definitely be susceptible to vulnerabilities, and a thorough understanding of how data is used, processed, and transmitted will be required.

Internal financial processes such as reconciliation, irregular conditions, scheduling and timing, data security methods (lock box, third-party service, etc.) will need to be addressed as a part of a PCI DSS program.

Business and Properties Division

The business and properties division will benefit from engagement with the airport PCI DSS compliance program by recognizing contractual details that should be included in renting or leasing airport space to ensure that tenants and the airport have a thorough understanding of the security permissions and requirements. The data collected and used in this functional area would need to be investigated to ascertain if there are any cardholder data touch-points or vulnerabilities that need to be addressed.
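The vulnerable points listed under PCI DSS Risks include system reporting that exposes cardholder data on reports, and the initial assessment the technology division formulates has to establish where cardholder data actually sits in existing databases, applications and exports. The following Python script is an added example written for this page; it is not code from the report, from ACRP or from the PCI-Council. It scans report or log text for primary account numbers (PANs), uses the Luhn check digit to discard digit runs that merely look like card numbers, and masks confirmed hits to the PCI DSS display convention of at most the first six and last four digits. The sample report lines, the field names in them and the `scan_report` and `Finding` names are constructed for this example; the two card numbers are the standard Visa and Mastercard test numbers, not real accounts.

```python
"""Added example (not from the report): find and mask PANs in report/log text."""
import re
from dataclasses import dataclass

# A candidate PAN is 13 to 19 digits, optionally separated by single spaces or
# dashes, and not embedded in a longer digit run. The regex alone over-matches
# (reference numbers, batch ids, timestamps); the Luhn check below rejects
# roughly nine out of ten random digit runs, which keeps the noise down.
PAN_CANDIDATE = re.compile(r"(?<![\d-])(?:\d[ -]?){12,18}\d(?![\d-])")


def luhn_valid(digits: str) -> bool:
    """Luhn check-digit test, the checksum used by all major card brands."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(digits: str) -> str:
    """Mask to at most the first six and last four digits (PCI DSS display rule)."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


@dataclass
class Finding:
    line_no: int   # 1-based line in the scanned text
    masked: str    # masked form of the PAN found, never the clear PAN


def scan_report(text: str):
    """Return (findings, redacted_text) for a block of report or log text.

    Only Luhn-valid candidates are reported and masked; other digit runs are
    left untouched so that legitimate identifiers survive the redaction.
    """
    findings = []
    redacted_lines = []
    for line_no, line in enumerate(text.splitlines(), start=1):

        def replace(match: re.Match) -> str:
            digits = re.sub(r"[ -]", "", match.group(0))
            if not luhn_valid(digits):
                return match.group(0)          # looks like a PAN but is not one
            masked = mask_pan(digits)
            findings.append(Finding(line_no, masked))
            return masked

        redacted_lines.append(PAN_CANDIDATE.sub(replace, line))
    return findings, "\n".join(redacted_lines)


# Constructed sample: four lines in the style of a daily revenue report. Lines 1
# and 3 carry the standard Visa/Mastercard test PANs; line 2 carries a 16-digit
# reference that fails Luhn and line 4 a settlement id that is not a PAN.
SAMPLE_REPORT = """\
2024-03-01 PARKING-EXIT-07 auth approved card=4111111111111111 amount=18.00
2024-03-01 KIOSK-12 txn ref=4111111111111112 status=declined
2024-03-01 CONCESSION-A3 card=5555 5555 5555 4444 amount=6.50 flight=UA1234
2024-03-01 BATCH settlement id=1234567890123456 count=42
"""

if __name__ == "__main__":
    found, redacted = scan_report(SAMPLE_REPORT)
    for f in found:
        print(f"line {f.line_no}: PAN present, masked as {f.masked}")
    print(redacted)
```

Run against the constructed report, the scanner flags lines 1 and 3 only and rewrites them with masked PANs, while the Luhn-invalid reference on line 2 and the settlement id on line 4 pass through unchanged. Pointing it at real report exports, database dumps or application logs gives the technology division a first inventory of where clear PANs appear; the findings carry only the masked form, so the scan output itself does not become a new repository of cardholder data.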