Click for next page ( 22

The National Academies | 500 Fifth St. N.W. | Washington, D.C. 20001
Copyright © National Academy of Sciences. All rights reserved.
Terms of Use and Privacy Statement

Below are the first 10 and last 10 pages of uncorrected machine-read text (when available) of this chapter, followed by the top 30 algorithmically extracted key phrases from the chapter as a whole.
Intended to provide our own search engines and external engines with highly rich, chapter-representative searchable text on the opening pages of each chapter. Because it is UNCORRECTED material, please consider the following text as a useful but insufficient proxy for the authoritative book pages.

Do not use for reproduction, copying, pasting, or reading; exclusively for search engines.

OCR for page 21
be required. One area that was brought up by PCI IN COMMON USE airports currently in PCI DSS programs was that of the parking revenue control system. Complex Environment These systems may have been in operation In airport environments, "common use" is a term for an extended time and potentially have been used for equipment that is used by multiple air car- in operation prior to many of the PCI DSS com- riers to conduct the business of processing passen- pliance requirements being formalized or to gers. This equipment could be agent-facing, known the deadlines imposed. The cost of building as common use terminal equipment (CUTE) and now requirements, procuring a new system, testing, common use passenger processing systems (CUPPS), and implementing are not to be underestimated. as well as passenger-facing, known as CUSS kiosks. If a system has been developed in-house and While the overall focus of the equipment is a bit is going to be modified, the security require- different from a technical perspective, the issues ments defined in the PCI DSS are in scope of with respect to PCI between the agent-facing and the program. passenger-facing common use entities are similar. Network security implementations or enhance- This document will highlight where differences in ments--the cost considerations for network the two types of processing occur. upgrades, firewall installation, encryption capa- All of the specifications, recommended practices, bilities, and segregation will include resources, and processes are created as industry standards and either in-house or contracted, in addition to are based on recommended practices that are pub- network management and administration soft- lished by IATA. The specifications generally describe ware. Additional hardware may also be re- the standards and interfaces that allow multiple air- quired to bring resolution for meeting failed line applications to operate on a single platform and a requirements. common set of hardware. The working groups, which Physical access to rooms, file cabinets, and desks--to achieve compliance, it may be nec- are responsible for the recommended practices, are essary to install locks or access systems to se- currently investigating the impacts of PCI and how cure cardholder data. Depending on the system these systems can comply with PCI. The credit card incorporated to meet compliance, the system industry, through this investigative activity, is becom- could include key lock hardware and key con- ing aware of the uniqueness of the airport/airline re- trol administration, a key card system with key lationship and of the relationship between multiple card readers and locks with system administra- merchants in a common use environment. tion for managing card distribution and security access maintenance. In some cases, depending Uniqueness to Air Transport Industry on what an airport currently utilizes, an exten- sion of an existing system may be required. Common use creates a nexus between the airport, Process and policy development--as modi- the airlines operating at that airport, and the vendors fications are made to systems, the processes who provide common use solutions for common use required to manage the security may need to be practices. While many other IT systems that the developed or modified as well. Process changes airport manages and operates are primarily airport may be required on the basis of new policies owned, or owned via contracts with vendors who sup- that need to be implemented. These tasks also ply the systems, common use adds the element of air- require resources, and the cost should be ap- lines operating on a common hardware platform. This plied to the remediation costs. common hardware platform allows multiple airlines Resource additions for ongoing policy, proce- to share IT equipment, but the IT equipment connects dures, and administration--to ensure contin- to the individual airline host systems through the use ued compliance, the remediation actions may of network technology. Common use from a PCI per- require either a reallocation of current resources spective allows airlines to share common card reading to take on the responsibilities of the new security equipment. This becomes the main challenge in the procedures or possibly the addition of resources common use airport when considering the PCI-DSS. to manage the tasks. These resources may be Each stakeholder in this relationship--airport, secured through third-party vendors or through airline, and vendor--has responsibility for PCI certi- new hires. fication of the common use system. Airlines, as the 21

OCR for page 21
merchants, are responsible for meeting merchant re- and support contracts for the system. The airlines quirements of PCI DSS. Airports, as service providers, are responsible for certifying their software on the are at the very least responsible for meeting the service selected platform for the airport. provider requirements of the PCI DSS. Vendors have Variations and complications can exist under a responsibility to provide PCI DSS ready equipment both of the above-described models. One such com- and services. With so many stakeholders, the path to plication occurs when the airport operator provides PCI certification is far from straightforward. the network services from the demarcation point on The credit card brands have consistently stated the airport to the end devices, thus acting as a trans- that the air transport industry is unique when it comes port service, or a service provider. This type of model to common use. In their experience, there has not been presents a unique challenge to the airlines when they another example in which multiple merchants share are pursuing their PCI compliance, because if the the same credit card processing equipment. Because airport is not able to obtain PCI certification, the air- of this cross-utilization of card processing equipment, line does not have the opportunity to find another it is difficult to obtain PCI certification. Add to that network provider. the fact that passenger-facing self-service kiosks now Another complication is the governance, owner- use credit cards for payment transactions, as well as ship, or management of the airport itself. Depending for identification purposes, the picture becomes even on the entity that owns and operates the airport, the more complex. Ownership of equipment also compli- PCI compliance that the airport is required to obtain cates matters, as sometimes the common use equip- can be confused by the greater organization's PCI ment is owned by an airline, or an airline consortium, compliance requirements. City-owned airports are a and other times it is owned by the airport operator. All prime example of this. Under a city-owned airport, of these stakeholders make a difficult situation, PCI the airport operator may be required to meet the compliance, even more difficult. overall PCI DSS program of the city, rather than cre- ate a PCI DSS policy for the airport. This can further complicate the relationship between the airport and Varieties of Operational Models the airlines, as the entire city PCI DSS policy/program To understand the complexities of common use may not support external entities. and the PCI, it is necessary to understand some of the Airline operations introduce additional chal- operating models that exist today. In all examples of lenges. Today, airlines use credit card data for iden- common use, the one common denominator is that the tity verification and data record location. This type equipment is capable of supporting multiple airline of transaction does not require payment processing. applications on a single set of hardware. Although Some of the credit card brands do not allow the use of the equipment is capable of this type of support, it is credit card data for any other purposes than payment not necessarily always the case that the common use transactions. This means that the current practice of equipment is used by multiple airlines. However, in using the credit card for identification purposes is not the cases where it is used by multiple airlines, the acceptable in a PCI DSS world. The challenge for ownership models can vary as well. One ownership the airlines is that they could use hardware that would example is the common local user board model, or only return the identification data, and ignore the rest CLUB. In this model, the airlines own the common of the data on Track 1 of the magnetic stripe, but if use equipment through a consortium of sorts, in which they did that, and then required payment later in the each airline has a vote and can determine the upgrade, transaction for additional services, the passenger replacement, and maintenance decisions of the equip- would have to present their credit card a second time. ment. Additionally, under the CLUB model, each air- There are many risks with this mode of operation, line can have its own maintenance contract with the including confusing the passenger because he or she common use solution provider. The airport itself may may think that the card was charged more than once. or may not be involved in a CLUB model. Another ownership model is one in which the air- Airport Considerations port owns the common use equipment and provides it as a service to the airlines. Under this model, the air- This issue has become so important that IATA port maintains the contract with the solution provider. has created a separate PCI working group for common The airport is responsible for maintenance, upgrades, use. As this document is being written, this working 22