Common Use Systems and PCI Compliance

Janice Southerland, CISSP, CISA, SITA Compliance Program Manager
ACI-NA - October 11, 2009 - Austin

Discussion Points
- PCI Compliance & Air Transport Industry (ATI) Context
- The Compliance Challenge
- PCI Standards & Common Use
- PCI Compliance Responsibilities
- PCI Assessment Scope Discussion
- Discussion Questions

ACI-NA - October 11, 2009 Austin. SITA proprietary and confidential information. SITA 2009 All rights reserved.

PCI Compliance & Air Transport Industry Context
- PCI DSS is global: it applies to all entities that store, process and/or transmit cardholder data.
- Acquirers are responsible for merchants, who are responsible, in turn, for their service providers.
- Airports are service providers. Airports, and the infrastructure and systems they provide, can be assessed against PCI DSS by a QSA and certified as compliant.
- Visa will list the airport as a compliant service provider.
- The scope of the assessment is defined by the environment the service provider is offering as the service.
Source: Visa Europe; IATA CUSS Management Group Meeting, Feb 2009

PCI and ATI Business Processes
- Booking / Reservation: flights and ancillary services (e.g., sightseeing tours); online, call center, ticket office, etc.
- Check-in: passenger identification; buy upgrades; pay excess baggage, etc.
- Self Service Kiosks
- Arrival: purchase ground transportation; pay parking
- On-airport dwell time services: food and beverage; WiFi access fee; lounge access, etc.
- Duty Free
- On-board: food and refreshments; on-board entertainment (e.g. movies); on-board communication (e.g. telephone, internet access)
- Loyalty Programs

Common Use: A Compliance Challenge
- Complex environment with multiple players: airport, airline, platform vendor
- Unique to the Air Transport Industry, so there is no precedent to rely upon
- Variety of operational models; multiple entities can support various components of the environment
- QSA opinions may vary by entity

PCI Standards and Common Use
PCI DSS
- All systems that store, process, or transmit cardholder data
- All relevant requirements, including policies and procedures, physical security, audit log monitoring, etc.
- Shared platform, shared network services, and shared Core Room
PA-DSS (Payment Application)
- Applies to payment applications that store, process, or transmit cardholder data as part of authorization or settlement, where these applications are sold to third parties
- Applications should be designed and implemented in compliance with PA-DSS, even if they are not intended to be certified

Airport Responsibilities
Service provider role in this environment: provides services to merchants that control or could impact the security of cardholder data (source: PCI DSS).
Support PCI compliance in a Common Use environment:
- Segment the network to protect the cardholder environment and reduce assessment scope
- Ensure networks are configured and managed in a compliant manner
- Ensure airlines use only PCI compliant applications
- Adopt a validated PCI Ready Common Use platform, and ensure the platform is implemented and maintained per the vendor's validated PCI Implementation Guide
- Address other PCI DSS requirements such as quarterly PCI scans, logging and monitoring, and physical security controls

Airline Responsibilities
Merchant role in this environment: must ensure that applications do not store track data and store only the necessary cardholder data.
Support PCI compliance in a Common Use environment:
- Ensure applications/sites are PCI compliant
- Avoid practices that would prevent the compliance of the airport
- Encourage airports to adopt a validated PCI Ready Common Use platform
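The airline-side rule stated above (no stored track data, only necessary cardholder data) can be turned into a concrete check. The following Python script is an added example, not material from the SITA deck: it scans stored application records for magnetic-stripe track data, which PCI DSS never permits to be retained after authorization, and for clear-text Luhn-valid PANs, and it produces the truncated first-six/last-four form. Track layouts follow ISO/IEC 7813 and the Luhn check is the standard PAN checksum; the record layout, field names and every sample value are constructed for the example.

```python
"""Check stored records for track data and clear-text PANs.

Added example; not from the SITA/ACI-NA deck. It implements the airline
responsibility "do not store track data, store only necessary cardholder
data" as a check an operator can run over application storage.
Track formats follow ISO/IEC 7813; PAN truncation keeps first six / last four.
The record layout and all sample values below are constructed.
"""
import re

# Track 1: '%B' PAN '^' cardholder name '^' expiry, service code, discretionary data '?'
TRACK1_RE = re.compile(r"%B(\d{12,19})\^[^^?]{2,26}\^[^?]*\?")
# Track 2: ';' PAN '=' expiry (YYMM), service code, discretionary data '?'
TRACK2_RE = re.compile(r";(\d{12,19})=\d{4}[^?]*\?")
# Candidate PAN: 13 to 19 digits, optionally separated by single spaces or dashes,
# and not embedded in a longer digit run.
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_ok(digits: str) -> bool:
    """True if the digit string passes the Luhn check used for PANs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit from the right
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Truncate to first six and last four digits, the usual display form."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def find_prohibited_data(record: str) -> dict:
    """Report track data and Luhn-valid clear-text PANs found in one record."""
    pans = []
    for m in PAN_RE.finditer(record):
        digits = re.sub(r"[ -]", "", m.group(0))
        if luhn_ok(digits) and digits not in pans:
            pans.append(digits)
    return {
        "track1": bool(TRACK1_RE.search(record)),
        "track2": bool(TRACK2_RE.search(record)),
        "full_pans": pans,
    }


def sanitize_record(record: str) -> str:
    """Drop track data entirely and truncate any remaining clear-text PAN."""
    record = TRACK1_RE.sub("[TRACK1 REMOVED]", record)
    record = TRACK2_RE.sub("[TRACK2 REMOVED]", record)

    def _mask(m: re.Match) -> str:
        digits = re.sub(r"[ -]", "", m.group(0))
        return mask_pan(digits) if luhn_ok(digits) else m.group(0)

    return PAN_RE.sub(_mask, record)


def non_compliant_records(records: list) -> list:
    """Indices of records that hold track data or a clear-text PAN."""
    bad = []
    for i, rec in enumerate(records):
        found = find_prohibited_data(rec)
        if found["track1"] or found["track2"] or found["full_pans"]:
            bad.append(i)
    return bad


# Constructed sample records. 4111... and 5555...4444 are industry test PANs,
# not real card numbers; names, booking codes and amounts are invented.
SAMPLE_RECORDS = [
    "booking=AB12CD pax=DOE/JANE pan=4111 1111 1111 1111 exp=2512",
    "kiosk-upgrade raw=;5555555555554444=25121010000? amount=45.00",
    "bagfee pan=411111******1111 auth=OK",
    "swipe=%B4111111111111111^DOE/JANE^2512101? seat=12A",
]

if __name__ == "__main__":
    for i in non_compliant_records(SAMPLE_RECORDS):
        print(i, find_prohibited_data(SAMPLE_RECORDS[i]))
        print("   ->", sanitize_record(SAMPLE_RECORDS[i]))
```

Running the script reports records 0, 1 and 3: a spaced-out PAN in a booking row, a raw Track 2 string captured by a kiosk, and a Track 1 swipe; record 2 already holds only a truncated PAN and passes. The check is a detective control over exports and log files of check-in and kiosk applications; a PAN that a business process genuinely needs to keep must additionally be rendered unreadable (encryption, hashing or truncation) rather than simply left in place.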

Platform Vendor Responsibilities
Service provider role in this environment: ensure the Common Use platform facilitates, and does not prevent, an airport's or airline's PCI compliance.
Support PCI compliance in a Common Use environment:
- Offer a validated PCI Ready platform, with functionality such as: patch management and anti-virus updates; audit log management and file integrity monitoring; use of secure protocols
- Provide a QSA and card brand approved Implementation Guide that outlines how to install and maintain the platform in a PCI compliant manner
- Testing environment for applications
- Annual PCI recertification of the parent product

PCI Assessment Scope Discussion
Scenario: airport-owned common use systems
Responsibility matrix (components as rows, entities as columns):
  Components: Application, Platform, Network, Core Room
  Entities: Airport, Airline, Platform Vendor
† Applies only to applications supplied by platform vendor
* Depends on contract; airport may outsource operational responsibility, network management, etc. to the platform vendor

Discussion Questions
- If an airline application that is not PCI compliant resides on a Common Use platform owned by an airport, does it impact the compliance status of: the platform? other airlines? the airport?
- In airport locations where operational management of the Common Use environment is shared between the airport and the platform vendor, how do the actions of each entity impact the compliance of the other?

Backup Materials

What Can Be PA-DSS Certified?
Type of payment application / Does PA-DSS apply?
- Off-the-shelf standard payment applications without much customization: YES
- Software developed in modules: YES, applies to any module with payment functions
- Software for only one, typically large, customer, developed to the customer's specifications: NO, the application is covered as part of the customer's PCI DSS review
- Software developed by a merchant or service provider, and used only in-house: NO, the application is covered as part of the merchant's or service provider's PCI DSS review
- Supporting systems, for example operating systems, databases, back-office systems, firewalls, routers, etc.: NO, these are NOT payment applications
Source: PCI PA-DSS