Reducing your exposure to PCI Compliance by Inventive IT

With heavy penalties from banks for businesses operating outside of compliance and with consumers becoming more and more aware of the standard with each passing month, it is no longer possible to simply ignore the necessary evil that is PCI Compliance. Does your business really need to be storing, processing or transmitting payment cardholder information?

How does PCI DSS affect Airport car park operators?

There are various touch points that expose any car park operator to PCI DSS. The introduction of a pre booking system increases exposure to PCI compliance and its essential that during the implementation of any pre booking system that this risk is fully understood. Many of the available pre booking systems were developed prior to this standard being developed and hence can increase an operators exposure to PCI considerably.

Where is a car park operator exposed to PCI DSS?

Anywhere payment card information is collected, stored or transmitted is an area where your business is exposed to PCI DSS compliance. For a typical car park operator this might include but not be limited to:
- Entry / Exit equipment
- Network Infrastructure
- Pre Booking System
- Mobile Application(s)
- 3rd Party Sales Channel(s)
- IT Team Processes
- Operations teams

What are the considerations when establishing your exposure to PCI DSS compliance?

Does the entry / exit equipment use full PAN (16 or 17 digits) credit card numbers for customer entry validation? If so, how is the data transmitted to the equipment? There are some complex rules surrounding network security to comply with PCI DSS if full PAN numbers are being used to validate pre book customers on entry to the car park.
How is the credit card PAN stored in the pre booking system? If full PAN data is stored within the pre booking system the system setup has some very complex rules associated with storage and encryptionthat must be adhered to. Where am I capturing the full card data during the customer booking journey? Its essential that web pages capturing card data adhere to the PCI DSS rules for storage and transmission of credit card data. SSL Encryption is not enough protection to satisfy the requirement(s).
How is my development team, or the development team of my software vendor managing change? A large part of the PCI compliance standard is ensuring that relevant security standards are met regarding software development and change management. This can become an over bearing and costly exercise. Physically where is the data? Do you know where the card holder information is stored? Where are your data backups located and how are they transmitted? Strict regulation of how data is stored can be very difficult to meet in an environment that has not been designed specifically for PCI compliance. Who can access card holder information and how is this access recorded? If it is not fully documented each time a user of the system accesses card holder information then you are not currently PCI Compliant. This is just one of many requirements under the topic of access control.

How much does PCI Compliance cost?

Depending on the size and complexity of your operation achieving PCI Compliance can be a very expensive project. At the very least you will need to appoint a QSA (Qualified Security Assessor) to perform an audit on the areas of your business in scope of PCI Compliance. The reach of compliance is vast and when undergoing a project to achieve the standard you will be surprised to discover how it will change the way your business operates in a fundamental way. According to a report published in March 2010, the largest merchants (known as tier 1 merchants) are paying an average of $225,000 annually for audits alone.

Is there an alternative to compliance?

Yes. As described within this document, the real purpose of the standard is to put a stop where possible to businesses processing, storing and transmitting card holder information. Because previously there has been little to no regulation of these processes, businesses have built their systems to rely on the availability of this data as way of uniquely identifying a customer. To reduce costs and simplify the overall process it is wise to reduce the scope of PCI DSS within your organisation.

Removal or Reduction of Scope

By implementing the following functionality into your pre booking process you can significantly reduce your exposure to PCI compliance.
- Ensure that a fully PCI DSS compliant payment processor handles all credit card payments.
- Do not store full payment card PANs outside of the accredited payment processing solution.
- Use an alternative to full payment card PANs for customer car park entry verification, such as
automatic number plate recognition (ANPR), bar codes or partial payment card PANs.
- You can still use the first 6 and last 4 characters of the PAN for car park entry verification. This
ensures that network connectivity to the barrier equipment remains outside of scope. The card
readers in the barrier equipment must still adhere to PCI DSS.

Inventive IT has a proven track record of working with airport operators to ensure their PCI compliance. If you are interesting in discussing how the team can help you to reduce your exposure to PCI DSS please get in touch. For more information please go on http://dl.dropbox.com/u/2153974/PCIComplianceArticle.pdf