OCR for page 23
group is attempting to define how to meet the PCI standards in a common use world. The first focus is on passenger self service, but the solution for passenger self service should be able to be applied to the agent-facing common use systems as well. It is not the intent of this document to prescribe a solution, but rather to identify the current state of the PCI DSS in the industry. The PCI working group will work toward a solution that meets the requirements of the card brands.

While not in use in the United States today, Chip and PIN systems present a unique challenge for common use. Unlike a magnetic stripe on a payment card where a signature is required to authorize the transaction, the Chip and PIN technology is based on an imbedded chip in the card. The information within the imbedded chip can only be activated by the associated PIN of the card owner. Even if the hardware platform today can be designed to process multiple merchants through multiple processing agents, the Chip and PIN solutions are pre-programmed in their chipsets to one specific processing agent. In a common use world, this would mean that all Chip and PIN transactions would have to go through one centralized processing agent. Since Chip and PIN is not in use in the United States today, it is very difficult to describe a solution for this issue.

The use of CUSS kiosks for passenger processing presents an additional variable to consider. In CUSS, the kiosk platform may also be supported by a vendor, so the vendor must certify the hardware platform, the air carrier must certify the check-in software, the airport might also have some software to certify depending on the implementation, and the airport might also be providing the network service. Such a scenario requires a collaborative effort between the airport, vendor, and airlines due to the mutual dependency to achieve PCI DSS compliance. Common use system vendors may consider their applications as PCI DSS compliant "ready," however, depending on how the system is installed and the infrastructure configured, the system may be rendered non-compliant. PCI compliant ready does not translate automatically as PCI DSS compliant.

Platform suppliers have started working with PCI QSAs to determine if their platforms can meet the PCI DSS. The QSAs meet with the platform suppliers, conduct audits, and identify any shortcomings with the platform supplier's solution. These shortcomings must be addressed before the audit can be completed. Once the audit is completed and passed, the platform cannot be identified as PCI compliant. This is due mainly to the fact that PCI compliance is dependent on the network, the software, and any applications that may interact with credit card data. Since the platforms are installed at airports with different network configurations, and with different airlines, it is impossible to provide a PCI-certified label to a common use platform. Some common use providers have taken to calling their tested products as PCI ready. This is meant to indicate that if they are installed on a proper network, and with proper applications, they would be able to pass PCI certification testing. While PCI ready is a nice start to identifying PCI compliancy, it is really not worth a lot in this environment simply because of all of the other variables involved.

Any PCI certification that involves common use will require coordination between all parties. The suppliers would do well to ensure that their platforms could pass PCI certification and therefore provide a PCI-ready platform. The airports will need to complete a PCI audit and remediate any shortcomings identified. And the airlines will need to complete their PCI audit and remediation in order to complete the PCI certification process. When all of these elements come together, the success, or failure, of a PCI certification process will be identified.

RESPONSIBILITY MATRIX

Basic Airport Responsibility

The responsibilities for PCI DSS security within an airport will vary from airport to airport depending on the operational methods and structure for payment card transactions for that specific airport. In general, the airport will need to ensure that data security standards are in place and that compliance can be assessed and validated for systems and applications, for the network(s), and for the physical locations of digital or hardcopy cardholder data.

Table 4 provides a guide for determining if an airport needs to address PCI DSS compliance at their facility. Depending on the answers to these questions, a minimal determination can be made as to whether an airport must indeed address PCI DSS compliance and initiate a program to meet those requirements as they apply to the airport's situation. Table 4 addresses three categories of awareness for an airport to consider for PCI DSS compliance. The three categories of questions to be answered are "do you capture card data?" "do you process the data?" and "do you transmit the data?"