The National Academies of Sciences, Engineering, and Medicine
500 Fifth St. N.W. | Washington, D.C. 20001

Copyright © National Academy of Sciences. All rights reserved.

Table 4 PCI responsibility questions.

Description                                              Owned by Airport?
Category 1: Card Data--Capture Method
  CUSS Kiosk                                             Yes/No  }
  POS Terminal                                           Yes/No  }
  Internet Website                                       Yes/No  } "Yes" answer for any item
  Application Input                                      Yes/No  } = "Y" for Category 1
  Manually Written                                       Yes/No  }
  Receipt from External System                           Yes/No  }
Category 2: Card Data--Processing
  Card Data Stored (Database)                            Yes/No  }
  Card Data Processed (Application)                      Yes/No  } "Yes" answer for any item
  Paper Stored (File Cabinets, Desk Drawers, etc.)       Yes/No  } = "Y" for Category 2
  Reporting Output                                       Yes/No  }
Category 3: Card Data--Transmit
  Local Area Network (LAN)                               Yes/No  }
  Wide Area Network (WAN)                                Yes/No  }
  Private Network: Virtual Private Network (VPN)         Yes/No  } "Yes" answer for any item
    or Electronic Payments Network (EPN)                         } = "Y" for Category 3
  Intranet                                               Yes/No  }
  Demilitarized Zone (DMZ)                               Yes/No  }

1. Are there any methods in the airport for which payment card data is captured? This category determines whether the airport owns the equipment or uses a method in which payment card data is captured. The methods listed need to be applied broadly in answering the question. For example, the Application Input question would apply to internal airport business applications, passenger-facing applications, web-enabled applications, and so on. If the answer to any of the methods is "Yes," then the answer for Category 1 should be "Yes."

2. Are there any areas in which payment card data is processed? Processing cardholder data includes situations in which the data, upon capture, is held temporarily and used to create other data (e.g., passenger identification number) or used for decisioning processes. Any "Yes" answers in this category render the category as a "Yes" answer for the next step. Any physically handwritten processes or report output processes should not be overlooked.

3. Are there any processes in which payment card data is transmitted across the airport network or networks? Even if the airport does not store or process any payment card data electronically, if the payment card data travels across any portion of the airport-owned infrastructure, the network or networks involved must comply with data security standards. If the answer to any of the items is "Yes," then the answer for Category 3 is "Yes."

Table 5 provides an indication, on the basis of the answers to Table 4, as to where the airport must consider compliance initiatives. If an airport captures payment card data and does not store or process it, but does transmit the data, then network security compliance requirements would be the focus. Otherwise, an airport will need to consider all aspects in complying with the DSS. In the rare situation that an airport does not capture payment card data in any fashion, including handwritten or hardcopy, and, therefore, does not store or transmit payment card data, only then would the PCI DSS not apply.

Table 5 PCI responsibility result.

Cat. 1  Cat. 2  Cat. 3  PCI DSS Compliance Required?  PCI DSS Compliance Focus
Y       Y       N       Y                             Systems, Network, and any Physical Storage
Y       N       Y       Y                             Network
Y       Y       Y       Y                             Systems, Network, and any Physical Storage
N       N       N       N                             N/A

NOTE: Based on the responses to the three questions from Table 4, the combinations of answers above represent the four possible outcomes that result in the need (or lack thereof) for PCI DSS compliance and where the compliance effort will be required. Other combinations of answers would not be logical because data cannot be processed or transmitted if it is not captured, nor would data be captured if it isn't going to be processed or transmitted. (Cat. = category.)

NEXT STEPS--FUTURE RESEARCH

The research into the PCI DSS highlights several areas of recommended future research. These areas include:

1. Clearly identify and delineate the roles and responsibilities of airlines, airports, and solution providers with respect to the PCI DSS. It is clear from the research that the parties in the PCI DSS value chain are not always aware of their PCI DSS responsibilities. In addition, it is clear that there is not a great understanding as to where the liability lies for each entity. The entities involved in PCI DSS applications, systems, and data transport need to be identified, and research is necessary to define the process by which the industry can identify delineations of responsibility.

2. Further define the guidance for airports. The PCI has created a list of six objectives. Further research is needed to present additional tips and guidance with respect to the 12 requirements of these objectives.

3. Work with the PCI-Council to identify the aviation industry and solutions for the PCI DSS. All research indicates that the PCI-Council does not yet understand the aviation industry. Some contacts within the payment card brands have stated that they understand the airlines, but not the airports, nor do they understand the role that airports play in the PCI DSS.

4. Create a PCI handbook for airports. PCI is more than the DSS, and airports need a more detailed document that helps them understand the nuances of the PCI. Understanding the differences between PCI DSS, PA DSS, and the other data standards is critical to the success of a PCI program. Additionally, an understanding of the auditing process, the difference between PCI ready and PCI certified, and all of the other terminologies and documentation that are available for PCI is needed for airports to meet their requirements.

5. Identify roles and responsibilities. While the PCI DSS is mainly considered an IT problem, there are other disciplines and roles within the airport that have compliance responsibilities.

6. Create a PCI guide for shared resources. One of the unique elements in the aviation industry is the use of shared resources. This includes shared infrastructure, as well as shared credit card processing equipment running airline-specific applications (common use). Research needs to be conducted to create specific guidance for shared resources. IATA is currently overseeing a working group that is looking into this guidance specifically for CUSS, and ultimately for CUPPS, but other shared services are not currently included in this working group.
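The Table 4 / Table 5 scoping logic described above, as an added example written for this page and not taken from the report: per-item answers are collapsed per category with the "any Yes makes the category Y" rule, the resulting triple is looked up in Table 5, and a combination Table 5 does not list is reported as inconsistent (the case the NOTE to Table 5 calls illogical) rather than silently scoped. Item names are shortened from Table 4, and the sample questionnaires are constructed.

```python
"""Table 4 -> Table 5 PCI DSS scoping evaluator (illustrative, not the report's code)."""

# Table 4 items per category. An answer of True means "Owned by airport? Yes".
# Names are shortened from the table; add the full wording if you reuse this.
TABLE_4 = {
    "capture": ["CUSS Kiosk", "POS Terminal", "Internet Website", "Application Input",
                "Manually Written", "Receipt from External System"],
    "process": ["Card Data Stored (Database)", "Card Data Processed (Application)",
                "Paper Stored", "Reporting Output"],
    "transmit": ["LAN", "WAN", "VPN or EPN", "Intranet", "DMZ"],
}
CATEGORY_ORDER = ("capture", "process", "transmit")  # Cat. 1, Cat. 2, Cat. 3

# Table 5 rows: (Cat. 1, Cat. 2, Cat. 3) -> (compliance required?, compliance focus).
# Only these four combinations exist; the NOTE explains why the others are illogical.
TABLE_5 = {
    (True, True, False): (True, "Systems, Network, and any Physical Storage"),
    (True, False, True): (True, "Network"),
    (True, True, True): (True, "Systems, Network, and any Physical Storage"),
    (False, False, False): (False, "N/A"),
}


def category_answers(item_answers):
    """Collapse per-item answers with the Table 4 rule: any 'Yes' makes the category 'Y'."""
    known = {item for items in TABLE_4.values() for item in items}
    unknown = set(item_answers) - known
    if unknown:
        raise ValueError(f"not a Table 4 item: {sorted(unknown)}")
    return tuple(any(item_answers.get(item, False) for item in TABLE_4[cat])
                 for cat in CATEGORY_ORDER)


def assess(item_answers):
    """Return (categories, required, focus); required is None when Table 5 has no such row."""
    cats = category_answers(item_answers)
    if cats not in TABLE_5:
        return cats, None, "inconsistent answers: re-check Table 4 (see NOTE to Table 5)"
    required, focus = TABLE_5[cats]
    return cats, required, focus


# Constructed sample questionnaires (not real airports).
TRANSMIT_ONLY = {"POS Terminal": True, "LAN": True, "WAN": True}   # Y N Y -> Network focus
FULL_SCOPE = {"CUSS Kiosk": True, "Card Data Stored (Database)": True, "LAN": True}
CAPTURE_ONLY = {"Manually Written": True}                           # Y N N -> no Table 5 row

if __name__ == "__main__":
    for name, q in [("transmit only", TRANSMIT_ONLY), ("full scope", FULL_SCOPE),
                    ("capture only", CAPTURE_ONLY)]:
        print(name, assess(q))
```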