OCR for page 21

be required. One area that was brought up by airports currently in PCI DSS programs was that of the parking revenue control system. These systems may have been in operation for an extended time and potentially have been in operation prior to many of the PCI DSS compliance requirements being formalized or to the deadlines imposed. The cost of building requirements, procuring a new system, testing, and implementing is not to be underestimated. If a system has been developed in-house and is going to be modified, the security requirements defined in the PCI DSS are in scope of the program.

· Network security implementations or enhancements--the cost considerations for network upgrades, firewall installation, encryption capabilities, and segregation will include resources, either in-house or contracted, in addition to network management and administration software. Additional hardware may also be required to bring resolution for meeting failed requirements.

· Physical access to rooms, file cabinets, and desks--to achieve compliance, it may be necessary to install locks or access systems to secure cardholder data. Depending on the system incorporated to meet compliance, the system could include key lock hardware and key control administration, or a key card system with key card readers and locks with system administration for managing card distribution and security access maintenance. In some cases, depending on what an airport currently utilizes, an extension of an existing system may be required.

· Process and policy development--as modifications are made to systems, the processes required to manage the security may need to be developed or modified as well. Process changes may be required on the basis of new policies that need to be implemented. These tasks also require resources, and the cost should be applied to the remediation costs.

· Resource additions for ongoing policy, procedures, and administration--to ensure continued compliance, the remediation actions may require either a reallocation of current resources to take on the responsibilities of the new security procedures or possibly the addition of resources to manage the tasks. These resources may be secured through third-party vendors or through new hires.

PCI IN COMMON USE

Complex Environment

In airport environments, "common use" is a term used for equipment that is used by multiple air carriers to conduct the business of processing passengers. This equipment could be agent-facing, known as common use terminal equipment (CUTE) and now common use passenger processing systems (CUPPS), as well as passenger-facing, known as CUSS kiosks. While the overall focus of the equipment is a bit different from a technical perspective, the issues with respect to PCI between the agent-facing and passenger-facing common use entities are similar. This document will highlight where differences in the two types of processing occur.

All of the specifications, recommended practices, and processes are created as industry standards and are based on recommended practices that are published by IATA. The specifications generally describe the standards and interfaces that allow multiple airline applications to operate on a single platform and a common set of hardware. The working groups, which are responsible for the recommended practices, are currently investigating the impacts of PCI and how these systems can comply with PCI. The credit card industry, through this investigative activity, is becoming aware of the uniqueness of the airport/airline relationship and of the relationship between multiple merchants in a common use environment.

Uniqueness to Air Transport Industry

Common use creates a nexus between the airport, the airlines operating at that airport, and the vendors who provide common use solutions for common use practices. While many other IT systems that the airport manages and operates are primarily airport owned, or owned via contracts with vendors who supply the systems, common use adds the element of airlines operating on a common hardware platform. This common hardware platform allows multiple airlines to share IT equipment, but the IT equipment connects to the individual airline host systems through the use of network technology. Common use from a PCI perspective allows airlines to share common card reading equipment. This becomes the main challenge in the common use airport when considering the PCI DSS.

Each stakeholder in this relationship--airport, airline, and vendor--has responsibility for PCI certification of the common use system. Airlines, as the
OCR for page 22

merchants, are responsible for meeting merchant requirements of PCI DSS. Airports, as service providers, are at the very least responsible for meeting the service provider requirements of the PCI DSS. Vendors have a responsibility to provide PCI DSS-ready equipment and services. With so many stakeholders, the path to PCI certification is far from straightforward.

The credit card brands have consistently stated that the air transport industry is unique when it comes to common use. In their experience, there has not been another example in which multiple merchants share the same credit card processing equipment. Because of this cross-utilization of card processing equipment, it is difficult to obtain PCI certification. Add to that the fact that passenger-facing self-service kiosks now use credit cards for payment transactions as well as for identification purposes, and the picture becomes even more complex. Ownership of equipment also complicates matters, as sometimes the common use equipment is owned by an airline, or an airline consortium, and other times it is owned by the airport operator. All of these stakeholders make a difficult situation, PCI compliance, even more difficult.

Varieties of Operational Models

To understand the complexities of common use and the PCI, it is necessary to understand some of the operating models that exist today. In all examples of common use, the one common denominator is that the equipment is capable of supporting multiple airline applications on a single set of hardware. Although the equipment is capable of this type of support, it is not necessarily always the case that the common use equipment is used by multiple airlines. However, in the cases where it is used by multiple airlines, the ownership models can vary as well. One ownership example is the common local user board model, or CLUB. In this model, the airlines own the common use equipment through a consortium of sorts, in which each airline has a vote and can determine the upgrade, replacement, and maintenance decisions of the equipment. Additionally, under the CLUB model, each airline can have its own maintenance contract with the common use solution provider. The airport itself may or may not be involved in a CLUB model.

Another ownership model is one in which the airport owns the common use equipment and provides it as a service to the airlines. Under this model, the airport maintains the contract with the solution provider. The airport is responsible for maintenance, upgrades, and support contracts for the system. The airlines are responsible for certifying their software on the selected platform for the airport.

Variations and complications can exist under both of the above-described models. One such complication occurs when the airport operator provides the network services from the demarcation point on the airport to the end devices, thus acting as a transport service, or a service provider. This type of model presents a unique challenge to the airlines when they are pursuing their PCI compliance, because if the airport is not able to obtain PCI certification, the airline does not have the opportunity to find another network provider.

Another complication is the governance, ownership, or management of the airport itself. Depending on the entity that owns and operates the airport, the PCI compliance that the airport is required to obtain can be confused by the greater organization's PCI compliance requirements. City-owned airports are a prime example of this. Under a city-owned airport, the airport operator may be required to meet the overall PCI DSS program of the city, rather than create a PCI DSS policy for the airport. This can further complicate the relationship between the airport and the airlines, as the entire city PCI DSS policy/program may not support external entities.

Airline operations introduce additional challenges. Today, airlines use credit card data for identity verification and data record location. This type of transaction does not require payment processing. Some of the credit card brands do not allow the use of credit card data for any other purposes than payment transactions. This means that the current practice of using the credit card for identification purposes is not acceptable in a PCI DSS world. The challenge for the airlines is that they could use hardware that would only return the identification data, and ignore the rest of the data on Track 1 of the magnetic stripe, but if they did that, and then required payment later in the transaction for additional services, the passenger would have to present their credit card a second time. There are many risks with this mode of operation, including confusing the passenger because he or she may think that the card was charged more than once.

Airport Considerations

This issue has become so important that IATA has created a separate PCI working group for common use. As this document is being written, this working
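The identification-only card read discussed under airline operations above, as an added example that is not from the report or from any CUTE/CUPPS/CUSS vendor: a Python function that keeps only the cardholder name and the last four PAN digits from a Track 1 read and discards everything else before the data goes anywhere. The Track 1 layout (ISO/IEC 7813) and the sample record are assumptions of this example, not taken from the report.

```python
import re

# Track 1 layout per ISO/IEC 7813 (an assumption of this example, not
# something the report spells out):
#   %B<PAN>^<SURNAME/GIVEN>^<YYMM><service code><discretionary data>?
TRACK1_RE = re.compile(
    r"^%B(?P<pan>\d{1,19})\^(?P<name>[^^]{2,26})\^"
    r"(?P<exp>\d{4})(?P<svc>\d{3})(?P<disc>[^?]*)\?"
)

# Constructed sample record; 4111111111111111 is a standard test PAN.
SAMPLE_TRACK1 = "%B4111111111111111^DOE/JOHN^25121011000000000000?"


def luhn_ok(pan: str) -> bool:
    """Luhn check on the PAN, used only to reject a mis-read swipe."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def identification_only(track1: str) -> dict:
    """Keep only what is needed to locate a passenger record and drop
    everything else on Track 1 (full PAN, expiry, service code,
    discretionary data) before the result leaves this function."""
    m = TRACK1_RE.match(track1)
    if not m:
        raise ValueError("input is not a Track 1 record")
    pan = m.group("pan")
    if not luhn_ok(pan):
        raise ValueError("PAN failed Luhn check; likely a bad read")
    surname, _, given = m.group("name").partition("/")
    # PCI DSS permits displaying at most the first six and last four PAN
    # digits; the last four are enough to match a booking record.
    return {
        "surname": surname.strip(),
        "given": given.strip(),
        "pan_last4": pan[-4:],
    }
```

The caller never sees the full PAN, so a record-lookup path built on this function stays out of payment processing; a later payment still needs a fresh swipe, which is the second-presentation problem the text describes.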