Common Use Systems and PCI Compliance

Transcription

1 Common Use Systems and PCI Compliance Janice Southerland, CISSP, CISA SITA Compliance Program Manager ACI-NA - October 11, Austin

2 Discussion Points PCI Compliance & Air Transport Industry (ATI) Context The Compliance Challenge PCI Standards & Common Use PCI Compliance Responsibilities PCI Assessment Scope Discussion Discussion Questions ACI-NA - October 11, 2009 Austin 2 SITA proprietary and confidential information. SITA 2009 All rights reserved.

3 PCI Compliance & Air Transport Industry Context PCI DSS is Global Applies to all entities that store, process and/or transmit cardholder data Acquirers are responsible for merchants Who are responsible, in turn, for their service providers Airports are Service Providers Airports and the infrastructure and systems they provide can be assessed against PCI DSS by a QSA and certified as compliant Visa will list the airport as a compliant service provider The scope of the assessment is defined by the environment the service provider is offering as the service Source: Visa Europe; IATA CUSS Management Group Meeting, Feb 2009 ACI-NA - October 11, 2009 Austin 3 SITA proprietary and confidential information. SITA 2009 All rights reserved.

4 PCI and ATI Business Processes Booking / Reservation Flights and ancillary services (e.g., sightseeing tours) Online, call center, ticket office, etc. Check-in Passenger Identification Buy upgrades Pay excess baggage, etc. Self Service Kiosks Arrival Purchase Ground Transportation Pay Parking On-airport dwell time services Food and beverage WiFi access fee Lounge access, etc.. Duty Free On-board Food and Refreshments On-board entertainment (e.g. movies) On-board communication (e.g. telephone, internet access) Loyalty Programs ACI-NA - October 11, 2009 Austin 4 SITA proprietary and confidential information. SITA 2009 All rights reserved.

5 Common Use A Compliance Challenge Complex environment with multiple players: airport, airline, platform vendor Unique to the Air Transport Industry, so no precedent to rely upon Variety of operational models; there can be multiple entities supporting various components of the environment QSA opinions may vary by entity ACI-NA - October 11, 2009 Austin 5 SITA proprietary and confidential information. SITA 2009 All rights reserved.

6 PCI Standards and Common Use PCI DSS All systems that store, process, or transmit cardholder data All relevant requirements including policies and procedures, physical security, audit log monitoring, etc. Shared platform, shared network services, and shared Core Room PA-DSS (Payment Application) Applies to payment applications that store, process, or transmit cardholder data as part of authorization or settlement, where these applications are sold to third-parties Applications should be designed and implemented in compliance with PA-DSS, even if they are not intended to be certified ACI-NA - October 11, 2009 Austin 6 SITA proprietary and confidential information. SITA 2009 All rights reserved.

7 Airport Responsibilities Service provider role in this environment provides services to merchants that control or could impact the security of cardholder data 1 Support PCI compliance in a Common Use environment Source: 1 PCI DSS Segment the network to protect the cardholder environment and reduce assessment scope Ensure networks are configured and managed in a compliant manner Ensure airlines use only PCI compliant applications Adopt a validated PCI Ready Common Use platform, and ensure the platform is implemented and maintained per the vendor s validated PCI Implementation Guide Address other PCI DSS requirements such as quarterly PCI scans, logging and monitoring, and physical security controls ACI-NA - October 11, 2009 Austin 7 SITA proprietary and confidential information. SITA 2009 All rights reserved.

8 Airline Responsibilities Merchant role in this environment must ensure that applications do not store track data and only store necessary cardholder data Support PCI compliance in a Common Use environment Ensure applications/tes are PCI compliant Avoid the use of practices that will prevent the compliance of the airport Encourage airports to adopt a validated PCI Ready Common Use platform ACI-NA - October 11, 2009 Austin 8 SITA proprietary and confidential information. SITA 2009 All rights reserved.

9 Platform Vendor Responsibilities Service provider role in this environment ensure the Common Use platform facilitates and does not prevent an airport s or airline s PCI compliance Support PCI compliance in a Common Use environment Offer a validated PCI Ready platform, with functionality such as: Patch management and anti-virus updates Audit log management and file integrity monitoring Use of secure protocols Provide a QSA and card brand approved Implementation Guide that outlines how to install and maintain the platform in a PCI compliant manner Testing environment for applications Annual PCI recertification of the parent product ACI-NA - October 11, 2009 Austin 9 SITA proprietary and confidential information. SITA 2009 All rights reserved.

10 PCI Assessment Scope Discussion Scenario: airport-owned common use systems Component Airport Airline Application Platform Network Core Room Platform Vendor Ŧ * Ŧ Applies only to applications supplied by platform vendor * Depends on contract; airport may outsource operational responsibility, network management, etc. to the platform vendor ACI-NA - October 11, 2009 Austin 10 SITA proprietary and confidential information. SITA 2009 All rights reserved.

11 Discussion Questions If an airline application that is not PCI compliant resides on a Common Use platform owned by an airport, does it impact the compliance status of: the platform? other airlines? the airport? In airport locations where operational management of the Common Use environment is shared between the airport and the platform vendor, how do the actions of each entity impact the compliance of the other? ACI-NA - October 11, 2009 Austin 11 SITA proprietary and confidential information. SITA 2009 All rights reserved.

12 Backup Materials ACI-NA - October 11, 2009 Austin 12 SITA proprietary and confidential information. SITA 2009 All rights reserved.

13 What Can Be PA-DSS certified? Type of Payment Application Off-the-shelf standard payment applications without much customization Software developed in modules Software for only one, typically large, customer, developed to customer s specifications Software developed by merchant or service provider, and used only in-house Supporting systems, for example, operating systems, databases, backoffice systems, firewalls, routers, etc. Does PA-DSS Apply? YES YES, applies to any module with payment functions NO, application is covered as part of customer s PCI DSS review NO, application is covered as part of merchant s or service provider s PCI DSS review NO, these are NOT payment applications Source: PCI PA-DSS ACI-NA - October 11, 2009 Austin 13 SITA proprietary and confidential information. SITA 2009 All rights reserved.