
ACI-NA, October 11, 2009, Austin

Common Use Systems and PCI Compliance

Janice Southerland, CISSP, CISA, SITA Compliance Program Manager

Discussion Points

• PCI Compliance & Air Transport Industry (ATI) Context
• The Compliance Challenge
• PCI Standards & Common Use
• PCI Compliance Responsibilities
• PCI Assessment Scope Discussion

PCI Compliance & Air Transport Industry Context

• PCI DSS is global
  – Applies to all entities that store, process and/or transmit cardholder data
• Acquirers are responsible for merchants
  – Who are responsible, in turn, for their service providers
• Airports are service providers
  – Airports, and the infrastructure and systems they provide, can be assessed against PCI DSS by a QSA and validated as compliant
  – Visa will list the airport as a compliant service provider
  – The scope of the assessment is defined by the environment the service provider offers as the “service”

PCI and ATI Business Processes

Card payments occur at every stage of the passenger journey (slide figure, reconstructed as a list):

• Booking / Reservation: flights and ancillary services (e.g., sightseeing tours); online, call center, ticket office, etc.
• Loyalty Programs
• On-airport dwell time services: food and beverage; WiFi access fee; lounge access, etc.
• Check-in: passenger identification; buy upgrades; pay excess baggage, etc.
• Self Service
• Arrival: purchase ground transportation; pay parking
• On-board: food and refreshments; on-board entertainment (e.g., movies); on-board communication (e.g., telephone, internet access)
• Duty Free

Common Use – A Compliance Challenge

• Complex environment with multiple players: airport, airline, platform vendor
• Unique to the Air Transport Industry, so no precedent to rely upon
• Variety of operational models; there can be multiple entities supporting various components of the environment

PCI Standards and Common Use

• PCI DSS
  – All systems that store, process, or transmit cardholder data, plus systems connected to or able to affect the security of that environment
  – All relevant requirements, including policies and procedures, physical security, audit log monitoring, etc.
  – In Common Use this means the shared platform, shared network services, and the shared Core Room
• PA-DSS (Payment Application Data Security Standard)
  – Applies to payment applications that store, process, or transmit cardholder data as part of authorization or settlement, where these applications are sold, distributed or licensed to third parties
  – Applications should be designed and implemented in compliance with PA-DSS, even if they are not intended to be validated

Airport Responsibilities

• Service provider role in this environment: provides services to merchants that control, or could impact, the security of cardholder data
• Support PCI compliance in a Common Use environment
  – Segment the network to protect the cardholder data environment and reduce assessment scope
  – Ensure networks are configured and managed in a compliant manner
  – Ensure airlines use only PCI compliant applications
  – Adopt a validated “PCI Ready” Common Use platform, and ensure the platform is implemented and maintained per the vendor’s validated PCI Implementation Guide
  – Address other PCI DSS requirements such as quarterly external vulnerability scans (by an Approved Scanning Vendor), logging and monitoring, and physical security controls

Airline Responsibilities

• Merchant role in this environment: must ensure that applications do not store track data and store only the cardholder data that is necessary
• Support PCI compliance in a Common Use environment
  – Ensure applications/TEs are PCI compliant
  – Avoid practices that would prevent the airport’s compliance
  – Encourage airports to adopt a validated “PCI Ready” Common Use platform

Platform Vendor Responsibilities

• Service provider role in this environment: ensure the Common Use platform facilitates, and does not prevent, an airport’s or airline’s PCI compliance
• Support PCI compliance in a Common Use environment
  – Offer a validated “PCI Ready” platform, with functionality such as:
    • Patch management and anti-virus updates
    • Audit log management and file integrity monitoring
    • Use of secure protocols
  – Provide a QSA and card brand approved Implementation Guide that outlines how to install and maintain the platform in a PCI compliant manner
  – Provide a testing environment for applications

PCI Assessment Scope Discussion

Scenario: airport-owned common use systems

Scope matrix, by component and party (the slide’s cell marks showing which party each component falls under did not survive extraction):

Component     Airport   Airline   Platform Vendor
Application
Platform
Network
Core Room

* Depends on contract; airport may outsource operational responsibility, network management, etc. to the platform vendor

Discussion Questions

• If an airline application that is not PCI compliant resides on a Common Use platform owned by an airport, does it impact the compliance status of:
  – the platform?
  – other airlines?
  – the airport?
• In airport locations where operational management of the Common Use environment is shared between the airport and the platform vendor, how do the actions of each

Backup Materials

What Can Be PA-DSS Certified?

Type of payment application | Does PA-DSS apply?
“Off-the-shelf” standard payment applications without much customization | YES
Software developed in modules | YES, applies to any module with payment functions
Software for only one, typically large, customer, developed to customer’s specifications | NO, application is covered as part of customer’s PCI DSS review
Software developed by merchant or service provider, and used only in-house | NO, application is covered as part of merchant’s or service provider’s PCI DSS review
Supporting systems, for example, operating systems, databases, back-office systems, firewalls, routers, etc. | NO, these are NOT payment applications
