Currently Skimming: Pages 1-32
From page 1...
... The entire PCI DSS presents some ambiguity not only to all businesses and organizations employing the use of payment cards, but also particularly to airports and the business of airport operations. Airports present a unique situation in which airport systems and infrastructure must connect and operate with the following:
• Airline tenants using gates and ticket counters and, thus, airport networks at a minimum;
• Self-service kiosks for passenger processing;
• Common use equipment used by multiple airlines/merchants;
• Airport business tenants using space (and possibly airport services)
From page 2...
... situation. The research conducted for this project found that card brands consider PCI DSS requirements as applicable to all businesses or organizations that conduct business using payment cards or cardholder data in their process(es)
From page 3...
... Payment card application development. Airport businesses would fall into the first category of standards, the DSS that has been established as a common set of requirements to protect cardholder data when transactions involve technological means to complete the process described above.
From page 4...
... They may act as a merchant by accepting payment cards to receive payment and/or as a service provider when their network or applications are utilized for the purpose of storing, processing, or transmitting cardholder data, while not being the receiver of payment for goods or services. According to the PCI Compliance Guide, for the purpose of the PCI DSS, a merchant is defined as any entity that accepts payment cards bearing the logos of any of the five members of the PCI-Council as payment for goods and/or services (3)
From page 5...
... An organization using a payment card of any of the card brands to conduct business operations must provide evidence, through the validation requirements, that PCI DSS compliance has been met. The validation requirements are based on varying situations.
From page 6...
... The aviation administration will need to work closely with the technology division to modify and implement process changes or new process introductions in order to achieve compliance acceptance.
Fiscal Division
The fiscal division is also a key stakeholder in PCI DSS compliance.
From page 7...
... PCI COMPLIANCE
Compliance Requirements
Payment Card and Data
The International Organization for Standardization (ISO) presents the standards for the characteristics of payment cards, including the physical size, how they are to be embossed, the characteristics of the magnetic stripe, and the location of the tracks of data included on the magnetic stripe.
From page 8...
... PCI DSS Requirements
The PCI DSS is established as a set of objectives and requirements for any organization using payment card(s)
From page 9...
... OBJECTIVE 6: MAINTAIN A SECURITY POLICY
Requirement 12: Maintain a policy that addresses information security for employees and contractors.
• Implement and maintain policies and procedures to manage service providers if the airport shares cardholder data with service providers.
From page 10...
... [Table residue; column headings: Business / Organization (Airport), Merchant, Service Provider, Payment Card Brand, PCI DSS Level, Criteria, Validation Method / Requirement.] The Business, dependent on the use of Payment Cards or touch-points of cardholder data, is responsible to meet PCI DSS compliance.
From page 11...
... Compliance validation requirements set by Acquirer
Table 2b Criteria for merchant-level assignment: MasterCard. [Table residue; columns: Level, Criteria, Validation Requirements; rows for Levels 1 through 4 not captured in this excerpt.] SOURCE: Reference 9.
From page 12...
... [Table residue; columns: Level, Criteria, Validation Requirements. The validation requirements column was not captured in this excerpt.] SOURCE: Reference 10.
Level 1: Merchants processing over 2.5 million American Express transactions annually or any Merchant that American Express otherwise deems a Level 1
Level 2: Merchants processing 50,000 to 2.5 million American Express transactions annually or any Merchant that American Express deems Level 2
Level 3: Merchants processing less than 50,000 American Express transactions annually
1.
From page 13...
... Annual on-site review by QSA-PCI DSS Assessment
B Annual Self Assessment Questionnaire
Table 3d Criteria for service provider-level assignment: AMEX.
From page 14...
... The various preparation tasks should include:
• Documentation and Information -- all information that could be utilized in presenting the various PCI DSS compliance aspects of the business should be collected and organized in a structure that will allow proper access and be readily available for an auditor or audit team. The information should be directly related to the intent to provide requirement compliance.
From page 15...
... Self-Assessment Questionnaire The SAQ serves merchants and service providers in multiple ways. One way is that it can be used to conduct a self-evaluation on an entity to assess where the organization is in regard to PCI DSS compliance requirements and to provide visibility as to where deficiencies may exist.
From page 16...
... In addition to data transmission across the network, the use of payment card data for any processing within airport operations creates the need to address data security compliance. If the data is stored, even temporarily, in a database or if further processing is conducted on the data either prior to transmission or upon a receiving transmission, then a database touch-point can be acknowledged and the PCI DSS compliance requirements relating to secure systems, applications, and data access would need to be assessed.
From page 17...
... Airport Operations Business Processes
Normal airport business requires payables that could also be susceptible to the PCI DSS should payment cards be utilized to initiate the payment transaction. Payments made using direct bank access (non-card brand debit cards, paper checks, etc.)
From page 18...
... Airports responding to the research team interviews reported that the scope of systems in their current or planned PCI DSS compliance program included:
• Common use systems,
• Parking revenue control systems,
• Commercial vehicle management,
• Network,
• POS applications, and
• Any system involving payment card data.
Each airport must consider its business systems as unique and should investigate applications or systems in which payment card data is stored, processed, or transmitted, and include them in the program scope.
From page 19...
... However, this could lead to the need for additional resources, which may conflict with budgets and staff size.
Requirements
The 12 requirements established for PCI DSS compliance apply to all businesses, organizations, or service providers for which payment card data is stored, processed, and transmitted.
From page 20...
... The required annual or quarterly ongoing tests should also be included in time budget planning.
Cost
Similar to the time investment, the costs associated with a PCI DSS compliance program are varied as well.
From page 21...
... These systems may have been in operation for an extended time and potentially have been in operation prior to many of the PCI DSS compliance requirements being formalized or to the deadlines imposed. The cost of building requirements, procuring a new system, testing, and implementing are not to be underestimated.
From page 22...
... This type of transaction does not require payment processing. Some of the credit card brands do not allow the use of credit card data for any other purposes than payment transactions.
From page 23...
... When all of these elements come together, the success, or failure, of a PCI certification process will be identified.
RESPONSIBILITY MATRIX
Basic Airport Responsibility
The responsibilities for PCI DSS security within an airport will vary from airport to airport depending on the operational methods and structure for payment card transactions for that specific airport.
From page 24...
... Are there any areas in which payment card data is processed? Processing cardholder data includes situations in which the data, upon capture, is held temporarily and used to create other data (e.g., passenger identification number)
From page 25...
... All research indicates that the PCI-Council does not yet understand the aviation industry. Some contacts within the payment card brands have stated that they understand the airlines, but not the airports, nor do they understand the role that airports play in the PCI DSS.
From page 26...
... [Table residue; the track data element table appears to list element length alongside each description, with only the first two lengths (1, 1) captured.]
• "%" -- character indicating the beginning of the data in the next byte
• "B" -- for financial transactions
• account number (may include embedded spaces as represented on card)
• "^" -- character between PAN and next element
• cardholder name
• "^" -- character between Name and Additional Data
• YYMM
• code specifying acceptance and limitations
• elements defined by card brand for proprietary use (some of the PIN and Card Verification Values may be stored in this element)
From page 27...
... GFI.com Whitepapers: http://www.gfi.com/whitepapers/pci-dss-made-easy.pdf. IATA Payment Card Industry Data Security Standards.
From page 28...
... Cardholder Data -- Primary account number plus the cardholder name, and/or card expiration date, and/or service code.
Card Validation Code -- data element encoded within the magnetic stripe of a payment card, used to protect the integrity of the card data.
From page 29...
... PA DSS -- payment application data security standard.
PCI DSS -- payment card industry (PCI)
From page 32...
... Transportation Research Board 500 Fifth Street, NW Washington, DC 20001 These digests are issued in order to increase awareness of research results emanating from projects in the Cooperative Research Programs (CRP)