PCI DSS compliance is a complicated process and for U.S. based international airports the complexity is even larger. This complexity is compounded with multiple different Card Holder Data Environments such as airline ticketing/baggage checking, concessions, access controls, ground transportation and the parking garage infrastructure. Because of this complexity, the Greater Orlando Aviation Authority (GOAA) decided to go with a methodical, phased approach with an experienced individual, Mr. David Kim (DK), Security Evolutions, Inc. (SEI) and now his QSA firm IT Professional Group, Inc. Mr. Kim led GOAA down this methodical approach such that critical business challenges could be identified and overcome with unique solutions along the way. This is why we worked closely with Mr. Kim and his PCI DSS gap remediation team.
Our approach consisted of the following 4-phases:
PCI DSS Feasibility Assessment: To Hold Card Holder Data (CHD) or Not? That is the Question? A GOAA-wide Merchant Level vs. Service Provider feasibility assessment was performed as an initial first step to assess if GOAA should comply with Merchant, Service Provider, or both requirements for PCI DSS SAQs. In this case GOAA must comply with both.
PCI DSS v3 Gap Analysis: Prior to actually performing the QSA audit, attestation, and report of compliance, GOAA knew it had gaps in its overall PCI DSS v3 compliance initiative. Thus, performing a PCI DSS v3 gap analysis was key to assess the depth and scope of the gap remediation effort.
PCI DSS v3 Gap Remediation: From the results of the PCI DSS v3 gap remediation effort, GOAA was able to identify those gaps, cost magnitude estimate the cost to remediate the gaps, and the work-effort required to implement new policies, standards, procedures, and guidelines as it pertains to PCI DSS v3 and a submitted report of compliance. Extensive gap remediation work was needed across the core 12 requirements of the SAQs.
With Mr. Kim’s PCI DSS gap remediation team, we were able remediate all our gaps in less than six months meeting every milestone and completing the PCI DSS v3 gap remediation and Service Provider compliance on time and under budget. This included, but was not limited to, revising existing policies and procedure, writing new policies, standards, procedures, and guidelines and implementing new layered security controls, etc.
PCI DSS v3 QSA Audit/ROC: Once GOAA’s gaps were remediated, we completed our Service Provider and Merchant Level SAQs and final QSA audit and final assessment. This effort will be completed in 2015 as part of GOAA’s PCI DSS v3 on-going PCI DSS v4 compliance life cycle.
4-Phased PCI DSS Compliance Life-Cycle
The following are quotes, testimonials, Q&A that can be used from Mr. Carlos Baez, Chief Security Officer, IT Security Manager GOAA/MCO Airport, e-mail: firstname.lastname@example.org.
Q: How did GOAA benefit from this methodical approach?
Mr. Carlos Baez:
GOAA like most international airports is a complex environment as it pertains to PCI DSS and credit card transaction processing. Airports have many points of entry for acceptance of credit cards for payment such as parking garage, employee access controls, ground transportation, concessions, airline ticketing, and baggage fee purchases, etc. Identifying and understanding all the business requirements and credit card points of entry was a critical first step in order to minimize Card Holder Data (CHD) within the Card Holder Data Environment. Segmentation and isolation was a critical first step in identifying the boundaries of Service Provider versus Merchant Level credit card processing and support for GOAA. This analysis was performed in the initial feasibility assessment study.
Q: Why did GOAA decide to do a high-level PCI DSS v3 gap analysis as a next step?
Mr. Carlos Baez:
GOAA as an organization was new to PCI DSS v3 compliance.
Thus, given the depth and breadth of the PCI DSS security control requirements, performing an initial gap analysis helped to identify where the gaps are and the cost magnitude to fill those gaps. This business case analysis was a critical step in GOAA’s decision to accept credit card payments for goods and services. The results of the PCI DSS v3 compliance gap analysis allowed GOAA to prioritize the gaps, identify CAPEX and OPEX funding to support the gaps, and immediately remediate as part of a project timeline that converged towards a summer, 2014 launch of credit card transaction processing GOAA-wide.
Mr. Kim’s PCI DSS gap remediation team put together a 6-month gap remediation implementation plan along with key project milestones for documentation and testing as per PCI DSS v3 compliance requirements. This was performed on time and under budget providing GOAA with an on-time launch of acceptance of credit card transaction processing airport-wide.
Q: Would you recommend Mr. Kim and ITPG for future PCI DSS v3 compliance work or QSA assessments?
Mr. Carlos Baez:
Yes. Specifically for complex environments or non-complex environments. Mr. Kim’s approach for finding the path of least resistance that achieves the business goals and objectives or your organization from a PCI DSS v3 compliance and electronic payment process perspective is the best that I have experienced. Mr. Kim’s/ITPG’s ability to provide strategic solutions and tactical gap remediation assistance in and around PCI DSS v3 compliance was exactly what GOAA needed. We are not only PCI DSS v3 compliant, but we are continuing to expand electronic payment processing airport-wide. I would recommend Mr. .Kim/ITPG for any PCI DSS v3 compliance professional services.