ACI-NA -- October 11, 2009 -- Austin
Common Use Systems and PCI Compliance
Janice Southerland, CISSP, CISA, SITA Compliance Program Manager
Discussion Points
• PCI Compliance & Air Transport Industry (ATI) Context
• The Compliance Challenge
• PCI Standards & Common Use
• PCI Compliance Responsibilities
• PCI Assessment Scope Discussion
PCI Compliance & Air Transport Industry Context
PCI DSS is Global
– Applies to all entities that store, process and/or transmit cardholder data
Acquirers are responsible for merchants
– Who are responsible, in turn, for their service providers
Airports are Service Providers
– Airports and the infrastructure and systems they provide can be assessed against PCI DSS by a QSA and certified as compliant
– Visa will list the airport as a compliant service provider
– The scope of the assessment is defined by the environment the service provider is offering as the “service”
PCI and ATI Business Processes
Figure: card-accepting touchpoints along the passenger journey
Booking / Reservation
• Flights and ancillary services (e.g., sightseeing tours)
• Online, call center, ticket office, etc.
Loyalty Programs
On-airport dwell time services
• Food and beverage
• WiFi access fee
• Lounge access, etc.
Check-in
• Passenger identification
• Buy upgrades
• Pay excess baggage, etc.
Arrival
• Purchase ground transportation
• Pay parking
On-board
• Duty free
• Food and refreshments
• On-board entertainment (e.g. movies)
• On-board communication (e.g. telephone, internet access)
Self Service
Common Use – A Compliance Challenge
• Complex environment with multiple players: airport, airline, platform vendor
• Unique to the Air Transport Industry, so there is no precedent to rely upon
• Variety of operational models; multiple entities can support different components of the environment
PCI Standards and Common Use
PCI DSS
– All systems that store, process, or transmit cardholder data
– All relevant requirements including policies and procedures, physical security, audit log monitoring, etc.
– Shared platform, shared network services, and shared Core Room
PA-DSS (Payment Application)
– Applies to payment applications that store, process, or transmit cardholder data as part of authorization or settlement, where these applications are sold to third-parties
– Applications should be designed and implemented in compliance with PA-DSS, even if they are not intended to be certified
Airport Responsibilities
Service provider role in this environment: provides services to merchants that control or could impact the security of cardholder data
Support PCI compliance in a Common Use environment
– Segment the network to protect the cardholder environment and reduce assessment scope
– Ensure networks are configured and managed in a compliant manner
– Ensure airlines use only PCI compliant applications
– Adopt a validated “PCI Ready” Common Use platform, and ensure the platform is implemented and maintained per the vendor’s validated PCI Implementation Guide
– Address other PCI DSS requirements such as quarterly PCI scans, logging and monitoring, and physical security controls
Airline Responsibilities
Merchant role in this environment: must ensure that applications do not store track data and only store necessary cardholder data
Support PCI compliance in a Common Use environment
– Ensure applications/TEs are PCI compliant
– Avoid the use of practices that will prevent the compliance of the airport
– Encourage airports to adopt a validated “PCI Ready” Common Use platform
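The check behind the airline responsibility above ("do not store track data, only store necessary cardholder data"), as an added example that is not part of the original presentation: a small Python scanner that looks for full Track 1/Track 2 data and bare, Luhn-valid PANs in whatever an application leaves on a common use workstation (logs, terminal-emulator spool files, crash dumps). The sample log lines are constructed for this example; the card numbers are the card brands' published test numbers, and the field names and log layout are assumptions.

```python
import re
from dataclasses import dataclass

# Track 1 (ISO 7813 format B): %B<PAN>^<NAME>^<YYMM><service code><discretionary data>?
TRACK1_RE = re.compile(r"%B(\d{13,19})\^([^^?]{2,26})\^(\d{4})(\d{3})([^?]*)\?")
# Track 2: ;<PAN>=<YYMM><service code><discretionary data>?
TRACK2_RE = re.compile(r";(\d{13,19})=(\d{4})(\d{3})([^?]*)\?")
# Bare PAN candidate: 13-19 digits, optionally grouped with spaces or dashes,
# and not embedded in a longer run of digits.
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_ok(digits: str) -> bool:
    """Luhn (mod 10) check; filters out most non-card numbers of PAN length."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """First six / last four, the most PCI DSS 3.3 permits to be displayed."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


@dataclass
class Finding:
    line_no: int
    kind: str        # "track1", "track2" or "pan"
    masked_pan: str


def scan(text: str) -> list[Finding]:
    """Report track data and Luhn-valid PANs line by line, with PANs masked."""
    findings: list[Finding] = []
    for line_no, line in enumerate(text.splitlines(), 1):
        claimed = []  # spans already reported as track data
        for kind, pattern in (("track1", TRACK1_RE), ("track2", TRACK2_RE)):
            for m in pattern.finditer(line):
                claimed.append((m.start(), m.end()))
                findings.append(Finding(line_no, kind, mask_pan(m.group(1))))
        for m in PAN_RE.finditer(line):
            if any(s < m.end() and m.start() < e for s, e in claimed):
                continue  # PAN sits inside a track already reported
            digits = re.sub(r"[ -]", "", m.group())
            if luhn_ok(digits):
                findings.append(Finding(line_no, "pan", mask_pan(digits)))
    return findings


# Constructed sample of what an airline application might leave behind on a
# common use workstation (assumed log layout); the card numbers are the card
# brands' published test numbers, everything else is made up.
SAMPLE_LOG = """\
2009-10-11T12:00:00 txn=1001 ref=ABC123 card=4111111111111111 amt=123.45
2009-10-11T12:00:05 txn=1002 swipe=%B4111111111111111^DOE/JANE^09121011000000000?
2009-10-11T12:00:09 txn=1003 swipe=;5555555555554444=09121011000000?
2009-10-11T12:01:00 txn=1004 card=411111******1111 amt=40.00
2009-10-11T12:01:30 txn=1005 card=3782 822463 10005 amt=9.99
2009-10-11T12:02:00 txn=1006 card=4111111111111112 amt=5.00
"""

if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f"line {f.line_no}: {f.kind:6} {f.masked_pan}")
```

Lines 2 and 3 are the serious hits: full track data must never be retained after authorization, whatever the business justification for the PAN itself. Line 4 (already masked) and line 6 (fails Luhn) are not reported, which is the behaviour you want when the same scan is pointed at terabytes of spool files. Bare-PAN hits still need triage, since any Luhn-valid 13-19 digit number (some ticket and order numbers included) will match.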
Platform Vendor Responsibilities
Service provider role in this environment: ensure the Common Use platform facilitates and does not prevent an airport’s or airline’s PCI compliance
Support PCI compliance in a Common Use environment
– Offer a validated “PCI Ready” platform, with functionality such as:
  • Patch management and anti-virus updates
  • Audit log management and file integrity monitoring
  • Use of secure protocols
– Provide a QSA and card brand approved Implementation Guide that outlines how to install and maintain the platform in a PCI compliant manner
– Provide a testing environment for applications
PCI Assessment Scope Discussion
Scenario: airport-owned common use systems
Scope matrix: for each component (Application, Platform, Network, Core Room) the slide marks which parties are in scope (Airport, Airline, Platform Vendor).
* Depends on contract; airport may outsource operational responsibility, network management, etc. to the platform vendor
Discussion Questions
If an airline application that is not PCI compliant resides on a Common Use platform owned by an airport, does it impact the compliance status of:
– the platform?
– other airlines?
– the airport?
In airport locations where operational management of the Common Use environment is shared between the airport and the platform vendor, how do the actions of each
Backup Materials
What Can Be PA-DSS Certified?
Type of Payment Application | Does PA-DSS Apply?
“Off-the-shelf” standard payment applications without much customization | YES
Software developed in modules | YES, applies to any module with payment functions
Software for only one, typically large, customer, developed to the customer’s specifications | NO, application is covered as part of the customer’s PCI DSS review
Software developed by a merchant or service provider, and used only in-house | NO, application is covered as part of the merchant’s or service provider’s PCI DSS review
Supporting systems, for example operating systems, databases, back-office systems, firewalls, routers, etc. | NO, these are NOT payment applications