MARTA`s Road to PCI Compliance

Report
1
MARTA’s Road to PCI Compliance
Presenter:
Yolanda Curtis, PMP
AFC Project Manager
MARTA’s PCI Requirement
• As an acceptor of payment cards, MARTA is
required to certify its Automated Fare
Collection Payment Application to the PCI
DSS requirements.
• MARTA is classified as a Level 2 merchant;
processing more than 1 million credit
transactions annually.
• PCI DSS certification requires a certified
Fare Collection System including Payment
Application software to be developed by the
Fare Collection vendor. This software
operates in the TVM, Ride Store TOM, and
Fare Collection Central System.
2
AFC Overview
The MARTA Automated Fare Collection system also known as Breeze
entered revenue service in 2005. The system supports Regional
operators including Cobb County, Gwinnett County, and Georgia
Regional Transit Authority, and Atlanta Regional Commission databases.
There are over 1 Million active Breeze cards system wide.
COMPONENT
QTY
Automated Fare Gates
470
Automated Fare Boxes on Big buses
626
Light Validators on Para transit buses
175
Ticket Vending Machines
349
Ticket office machines
16
Automated parking gates
50
High Performance Encoding Machines
6
Money Room Facilities and Equipment
1
Central Computing System (1 Online, 1 Stand-by, 1 DR, 1 QA)
20
Light Validator
3
AFC PCI Project Scope
Central System Improvements
• Improved credit card security management
• More patron search capabilities
Database Security
• Data at rest encryption higher security
• Separated storage of credit card information
Ticket Vending Machine and Ticket Office Machine
• Higher security PIN PAD for debit transactions
• New internal computer
• New Operating System (Window 7)
Remote Monitoring of all AFC Components
• Anti-virus management
• File Integrity Monitoring
Network Security
• Access controls
4
AFC PCI Project Team
MARTA AFC Team
• Project Oversight
• Remediation tasks
• Application Support
• Network & Server Support
• Enterprise Security
Qualified Security Assessor (QSA)
• Assessment
• Gap Analysis
• Compliance Roadmap
• Report of Compliance
Merchant Bank
• Manage PCI mandates on behalf of
VISA, MasterCard, American
Express, Discover
Fare Collection Vendor
• Software development
• Hardware upgrades
• PCI DSS certification of payment
applications software
5
AFC PCI Project Timeline
2008
- MARTA is deemed as a Level 2 Merchant
- Completed the PCI Data Security Standard Self-Assessment
Questionnaire (SAQ) and quarterly scan results.
2009
- MARTA began the partnership with BOA and Fare Collection
vendor to complete PCI requirements.
2010
- GAP Analysis completed by QSA
- Attestation of Compliance sent to Merchant Bank
- QSA provided Remediation Roadmap
2011
– MARTA issues Notice to Proceed to Fare Collection vendor to
begin software development
- AFC system PCI Migration begins
2012
- AFC system PCI Migration completed
- Attestation of Compliance completed
- PCI Compliance obtained from Merchant Bank
6
PCI Project Migration – Phase 1
AFC Network Access Control
 Build secure data network
 Segment AFC Traffic from the
Enterprise Network traffic
 Develop Information Security Team
 Develop Information Security Policies
7
Phase 1: Network Access Control
AFC
Network
BVM
BVM
BVM
TOM
Enterprise
Network
TOM
Internet
TOM
Web
VLAN
Devices
Load
Balancer
VLAN
Merchant
Bank
Restricted
Rule Base
Non PCI
Compliant
System
Old
Database
Settlement
8
PCI Project Migration – Phase 2
Central System Upgrade
 Upgrade Servers (Production, Stand by, DR, and QA)
 Migrate Central System software
 Migrate Database
 Migrate Web Ticketing
9
Phase 2: Central System Upgrade
BVM
BVM
BVM
TOM
TOM
TOM
Web
Devices
Load
Balancer
Merchant
Bank
Non PCI
Compliant
System
PCI
Compliant
System
Old
Database
Upgraded
Database
Settlement
Settlement
Merchant
Bank
Production
Stand-By
DR
QA
Server Farm
10
PCI Project Migration – Phase 3
 Payment Processing Device Upgrade
 Replace TOM Hardware & Software including 3DES Pin Pad
 Replace TVM Hardware & Software including 3DES Pin Pad
 Deploy Anti-Virus software and File Integrity Monitoring process
to all components
 Migrate TOM and TVM
11
Phase 3: Device Upgrade
BVM
BVM
BVM
BVM
BVM
TOM
TOM
Devices
TOM
TOM
Devices
Web
Load
Balancer
Merchant
Bank
Non PCI
Compliant
System
Old
Database
Settlement
PCI
Compliant
System
Merchant
Bank
Upgraded
Database
Settlement
12
Phase 3: Device Upgrade Complete
BVM
BVM
BVM
BVM
TOM
TOM
Devices
TOM
TOM
Web
Load
Balancer
Non PCI
Compliant
System
Old
Database
Settlement
PCI
Compliant
System
Merchant
Bank
Upgraded
Database
Settlement
13
PCI Project Migration – Compliant
Final Report of Compliance to Merchant Bank
 Review of Remediation Roadmap tasks
 QSA Assessment of GAPS
 QSA Vulnerability Scan
 Report of Compliance
 Attestation of Compliance
 PCI DSS v2.0 Certificate of Compliance from
Merchant Bank
14
Thank You
15

similar documents