Compass Environment PCI Assessment
Proposal for San Diego MTS
October 20, 2014
© 2014 AppliedTrust, All rights reserved. Confidential and Proprietary

Contract: G1500.2-13
Work Order Number: 2014-001
Work Order Title: Compass Environment PCI Assessment
Work Order Date: October 20, 2014

Statement of Work

This proposal is presented in response to discussions with San Diego Metropolitan Transit System (MTS) regarding the need to ensure that the organization’s newly acquired Compass environment meets the requirements of the Payment Card Industry Data Security Standard (PCI-DSS). MTS seeks assistance with assessing the organization’s PCI compliance and developing an understanding of any compliance gaps. AppliedTrust is ideally suited for this project because of our deep expertise in IT infrastructure and security, particularly our status as a PCI Qualified Security Assessor (QSA).

AppliedTrust will:

Deliverable
Phase I: Compass Environment PCI Assessment

- Conduct a face-to-face or virtual kickoff meeting with MTS to review the overall project goals and details.
- Develop a project plan, complete with regular milestones, detailing schedule, tasks, and dependencies.
- Collect and evaluate evidence of control design effectiveness in meeting PCI-DSS for the Compass environment. Activities include:
  - Reviewing the cardholder environment description to validate test samples. This will include all systems that collect, store, process, and transmit cardholder data.
  - Reviewing each PCI-DSS requirement through interviews and observations. A limited set of re-performance tests may be conducted to validate controls that cannot be satisfied through interviews or prior testing.
- Perform OS-level examination of existing servers, including configuration, patch compliance, paths of trust, and vulnerability.
- Conduct a manual assessment of a representative sample of ticket kiosk systems.
- Review current network design in the context of PCI.
- Review data center physical security (physical access, monitoring, etc.).
- Review roles and access rights/permissions used to share information between systems.
- Capture and analyze network traffic samples, specifically examining the protocols and applications in use and their configuration.
- Compare current Compass environment software, protocol, and system deployment against PCI recommended best practices.
- Examine all external connectivity, including modems and wide area network (WAN) connections such as T1 circuits, as well as upstream ISPs and connections to remote offices.
- Review remote access policy, architecture, and configuration, including levels of access for remote users.
- Evaluate database security architecture and controls.
- Perform comprehensive validation of network and remote access configurations, including firewalls, routers and switches, remote access servers, and other network devices; identify misconfigurations and security vulnerabilities.