MARTA’s Road to PCI Compliance
Presenter: Yolanda Curtis, PMP, AFC Project Manager
Mar 31, 2015
MARTA’s PCI Requirement
• As an acceptor of payment cards, MARTA is required to certify its Automated Fare Collection Payment Application to the PCI DSS requirements.
• MARTA is classified as a Level 2 merchant, processing more than 1 million credit transactions annually.
• PCI DSS certification requires a certified Fare Collection System, including Payment Application software developed by the Fare Collection vendor. This software operates in the TVM, Ride Store TOM, and Fare Collection Central System.
AFC Overview
The MARTA Automated Fare Collection system, also known as Breeze, entered revenue service in 2005. The system supports regional operators, including Cobb County, Gwinnett County, the Georgia Regional Transit Authority, and the Atlanta Regional Commission databases. There are over 1 million active Breeze cards system wide.
(Photo: Light Validator)
COMPONENT                                                      QTY
Automated Fare Gates                                           470
Automated Fare Boxes on big buses                              626
Light Validators on paratransit buses                          175
Ticket Vending Machines                                        349
Ticket Office Machines                                          16
Automated Parking Gates                                         50
High Performance Encoding Machines                               6
Money Room Facilities and Equipment                              1
Central Computing System (1 Online, 1 Stand-by, 1 DR, 1 QA)     20
AFC PCI Project Scope
Central System Improvements
• Improved credit card security management
• More patron search capabilities
Database Security
• Data at rest encryption for higher security
• Separated storage of credit card information
Ticket Vending Machine and Ticket Office Machine
• Higher security PIN pad for debit transactions
• New internal computer
• New operating system (Windows 7)
Remote Monitoring of all AFC Components
• Anti-virus management
• File Integrity Monitoring
Network Security
• Access controls
AFC PCI Project Team
MARTA AFC Team
• Project Oversight
• Remediation tasks
• Application Support
• Network & Server Support
• Enterprise Security
Qualified Security Assessor (QSA)
• Assessment
• Gap Analysis
• Compliance Roadmap
• Report of Compliance
Merchant Bank
• Manage PCI mandates on behalf of VISA, MasterCard, American Express, Discover
Fare Collection Vendor
• Software development
• Hardware upgrades
• PCI DSS certification of payment applications software
AFC PCI Project Timeline
2008 - MARTA is deemed a Level 2 Merchant
     - Completed the PCI Data Security Standard Self-Assessment Questionnaire (SAQ) and quarterly scan results
2009 - MARTA began the partnership with BOA and the Fare Collection vendor to complete PCI requirements
2010 - Gap Analysis completed by QSA
     - Attestation of Compliance sent to Merchant Bank
     - QSA provided Remediation Roadmap
2011 - MARTA issues Notice to Proceed to Fare Collection vendor to begin software development
     - AFC system PCI Migration begins
2012 - AFC system PCI Migration completed
     - Attestation of Compliance completed
     - PCI Compliance obtained from Merchant Bank
PCI Project Migration – Phase 1
AFC Network Access Control
• Build secure data network
• Segment AFC traffic from the Enterprise Network traffic
• Develop Information Security Team
• Develop Information Security Policies
Phase 1: Network Access Control
(Diagram. Labels: TOM, Load Balancer, Non PCI Compliant System, Web, BVM, Devices, Settlement, Merchant Bank, Old Database, AFC Network VLAN, Restricted Rule Base, Internet, Enterprise Network VLAN.)
PCI Project Migration – Phase 2
Central System Upgrade
• Upgrade Servers (Production, Stand by, DR, and QA)
• Migrate Central System software
• Migrate Database
• Migrate Web Ticketing
Phase 2: Central System Upgrade
(Diagram. Labels: TOM, Load Balancer, Non PCI Compliant System, Web, BVM, Devices, Settlement, Merchant Bank, Old Database, PCI Compliant System, Upgraded Database, Server Farm with Production, Stand-By, DR and QA.)
PCI Project Migration – Phase 3
Payment Processing Device Upgrade
• Replace TOM Hardware & Software including 3DES PIN pad
• Replace TVM Hardware & Software including 3DES PIN pad
• Deploy Anti-Virus software and File Integrity Monitoring process to all components
• Migrate TOM and TVM
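"Deploy a File Integrity Monitoring process to all components" is the Phase 3 item that most needs a concrete shape, so here is an added illustration of the baseline-and-verify loop a FIM agent performs on a device like a TVM or TOM. This is not MARTA's or the vendor's monitoring tool: it hashes every regular file under a root, skips a volatile directory so routine log growth does not page anyone, and reports added, removed and modified files against the saved baseline. The directory layout, file names and contents are constructed in a temporary directory for the demo.

```python
"""Added example: a minimal file integrity monitoring (FIM) baseline and verify.

Not MARTA's or the fare collection vendor's tooling; paths and file contents
below are constructed for the demonstration.
"""
import hashlib
import os
import tempfile
from dataclasses import dataclass, field
from pathlib import Path


def file_digest(path: Path) -> str:
    """SHA-256 of a file, read in chunks so large binaries do not load into RAM."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root: Path, exclude_dirs: tuple[str, ...] = ("logs",)) -> dict[str, str]:
    """Map relative POSIX path -> SHA-256 for every regular file under root.

    Directories named in exclude_dirs (constructed default: "logs") are
    skipped because their contents change on every run and would only add noise.
    """
    baseline: dict[str, str] = {}
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames[:] = [d for d in dirnames if d not in exclude_dirs]
        for name in filenames:
            p = Path(dirpath) / name
            baseline[p.relative_to(root).as_posix()] = file_digest(p)
    return baseline


@dataclass
class FimReport:
    added: list[str] = field(default_factory=list)
    removed: list[str] = field(default_factory=list)
    modified: list[str] = field(default_factory=list)

    def clean(self) -> bool:
        return not (self.added or self.removed or self.modified)


def compare(baseline: dict[str, str], current: dict[str, str]) -> FimReport:
    """Diff two snapshots; every entry in the report is an alert to triage."""
    report = FimReport()
    for path in sorted(set(baseline) | set(current)):
        if path not in baseline:
            report.added.append(path)
        elif path not in current:
            report.removed.append(path)
        elif baseline[path] != current[path]:
            report.modified.append(path)
    return report


def demo() -> FimReport:
    """Baseline a constructed device image, change it, and re-verify."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "bin").mkdir()
        (root / "logs").mkdir()
        (root / "bin" / "tvm_app.bin").write_bytes(b"constructed binary v1")
        (root / "bin" / "pinpad.cfg").write_text("keyslot=1\n")
        (root / "logs" / "today.log").write_text("boot ok\n")
        baseline = build_baseline(root)

        # Simulated changes since the baseline was taken.
        (root / "bin" / "tvm_app.bin").write_bytes(b"constructed binary v1, altered")
        (root / "bin" / "pinpad.cfg").unlink()
        (root / "bin" / "unknown.dll").write_bytes(b"file not in baseline")
        (root / "logs" / "today.log").write_text("boot ok\nsale ok\n")  # excluded, no alert

        return compare(baseline, build_baseline(root))


if __name__ == "__main__":
    print(demo())
```

In a deployment the baseline would be written once after a verified install and stored off the device, and the verify pass would run on a schedule with the report forwarded to the remote monitoring the scope slide mentions; a clean report is the expected steady state, so anything else is worth a ticket.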
Phase 3: Device Upgrade
(Diagram. Labels: TOM, Load Balancer, Non PCI Compliant System, Web, BVM, Devices, Settlement, Merchant Bank, Old Database, PCI Compliant System, Upgraded Database.)
Phase 3: Device Upgrade Complete
(Diagram. Labels: TOM, Load Balancer, Non PCI Compliant System, Web, BVM, Devices, Settlement, Old Database, Merchant Bank, PCI Compliant System, Upgraded Database, Not Active.)
PCI Project Migration – Compliant
Final Report of Compliance to Merchant Bank
• Review of Remediation Roadmap tasks
• QSA Assessment of Gaps
• QSA Vulnerability Scan
• Report of Compliance
• Attestation of Compliance
• PCI DSS v2.0 Certificate of Compliance from Merchant Bank
Thank You