MARTA’s Road to PCI Compliance

Presenter: Yolanda Curtis, PMP, AFC Project Manager

Mar 31, 2015

Transcript
Page 1:

MARTA’s Road to PCI Compliance

Presenter: Yolanda Curtis, PMP, AFC Project Manager

Page 2:

MARTA’s PCI Requirement

• As an acceptor of payment cards, MARTA is required to certify its Automated Fare Collection Payment Application to the PCI DSS requirements.

• MARTA is classified as a Level 2 merchant, processing more than 1 million credit transactions annually.

• PCI DSS certification requires a certified Fare Collection System, including Payment Application software developed by the Fare Collection vendor. This software operates in the TVM, Ride Store TOM, and Fare Collection Central System.

Page 3:

AFC Overview

The MARTA Automated Fare Collection system, also known as Breeze, entered revenue service in 2005. The system supports regional operators including Cobb County, Gwinnett County, and Georgia Regional Transit Authority, and Atlanta Regional Commission databases. There are over 1 million active Breeze cards system-wide.

[Photo: Light Validator]

COMPONENT                                                      QTY
Automated Fare Gates                                           470
Automated Fare Boxes on big buses                              626
Light Validators on paratransit buses                          175
Ticket Vending Machines                                        349
Ticket Office Machines                                          16
Automated parking gates                                         50
High Performance Encoding Machines                               6
Money Room Facilities and Equipment                              1
Central Computing System (1 Online, 1 Stand-by, 1 DR, 1 QA)     20

Page 4:

AFC PCI Project Scope

Central System Improvements
• Improved credit card security management
• More patron search capabilities

Database Security
• Data-at-rest encryption for higher security
• Separated storage of credit card information

Ticket Vending Machine and Ticket Office Machine
• Higher security PIN pad for debit transactions
• New internal computer
• New operating system (Windows 7)

Remote Monitoring of all AFC Components
• Anti-virus management
• File Integrity Monitoring

Network Security
• Access controls

Page 5:

AFC PCI Project Team

MARTA AFC Team
• Project Oversight
• Remediation tasks
• Application Support
• Network & Server Support
• Enterprise Security

Qualified Security Assessor (QSA)
• Assessment
• Gap Analysis
• Compliance Roadmap
• Report of Compliance

Merchant Bank
• Manage PCI mandates on behalf of VISA, MasterCard, American Express, Discover

Fare Collection Vendor
• Software development
• Hardware upgrades
• PCI DSS certification of payment applications software

Page 6:

AFC PCI Project Timeline

2008 - MARTA is deemed a Level 2 Merchant
- Completed the PCI Data Security Standard Self-Assessment Questionnaire (SAQ) and quarterly scan results.

2009 - MARTA began the partnership with BOA and the Fare Collection vendor to complete PCI requirements.

2010 - GAP Analysis completed by QSA
- Attestation of Compliance sent to Merchant Bank
- QSA provided Remediation Roadmap

2011 - MARTA issues Notice to Proceed to Fare Collection vendor to begin software development
- AFC system PCI Migration begins

2012 - AFC system PCI Migration completed
- Attestation of Compliance completed
- PCI Compliance obtained from Merchant Bank

Page 7:

PCI Project Migration – Phase 1

AFC Network Access Control
• Build secure data network
• Segment AFC traffic from the Enterprise Network traffic
• Develop Information Security Team
• Develop Information Security Policies

Page 8:

Phase 1: Network Access Control

[Diagram: the Non PCI Compliant System (TOM, BVM, Web, Devices, Settlement, Old Database, Load Balancer) sits on the AFC Network VLAN and connects to the Merchant Bank; the AFC VLAN is separated from the Enterprise Network VLAN and from the Internet by a Restricted Rule Base.]
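The Phase 1 design rests on the Restricted Rule Base keeping the AFC VLAN apart from the Enterprise Network and the Internet while still letting settlement traffic reach the merchant bank, and a QSA will expect that segmentation to be validated rather than assumed. The following Python is an added illustration, not part of the presentation or MARTA's configuration: it models a first-match rule base over hypothetical address ranges and checks it against the flows the diagram implies.

```python
"""Segmentation check modelled on the Phase 1 design (added illustration)."""
import ipaddress
from typing import List, Optional, Tuple

# Hypothetical address plan, constructed for this example (not MARTA's real addressing).
AFC_VLAN = "10.10.0.0/16"        # fare collection devices and central system
ENT_VLAN = "10.20.0.0/16"        # enterprise network
ADMIN_NET = "10.20.5.0/24"       # enterprise subnet permitted to administer AFC hosts
BANK_GW = "203.0.113.10/32"      # merchant bank gateway (documentation address)
ANY = "0.0.0.0/0"

# A rule is (src CIDR, dst CIDR, dst port or None for any, action); first match wins.
Rule = Tuple[str, str, Optional[int], str]

RESTRICTED_RULE_BASE: List[Rule] = [
    (AFC_VLAN, BANK_GW, 443, "allow"),    # settlement traffic to the merchant bank
    (ADMIN_NET, AFC_VLAN, 22, "allow"),   # admin access into the AFC VLAN, SSH only
    (ENT_VLAN, AFC_VLAN, None, "deny"),   # all other enterprise traffic is blocked
    (AFC_VLAN, ENT_VLAN, None, "deny"),   # AFC hosts cannot reach the enterprise network
    (ANY, AFC_VLAN, None, "deny"),        # nothing inbound from the Internet
]

def evaluate(rules: List[Rule], src_ip: str, dst_ip: str, port: int) -> str:
    """Return the action of the first rule matching the flow; default deny."""
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for r_src, r_dst, r_port, action in rules:
        if (src in ipaddress.ip_network(r_src) and dst in ipaddress.ip_network(r_dst)
                and (r_port is None or r_port == port)):
            return action
    return "deny"

# Flows the segmentation must enforce, with the outcome the design requires (constructed).
EXPECTED_FLOWS = [
    ("10.10.3.7", "203.0.113.10", 443, "allow"),  # TVM -> merchant bank
    ("10.20.5.4", "10.10.3.7", 22, "allow"),      # admin host -> TVM
    ("10.20.9.9", "10.10.3.7", 1433, "deny"),     # enterprise workstation -> AFC database port
    ("198.51.100.5", "10.10.3.7", 443, "deny"),   # Internet host -> TVM
    ("10.10.3.7", "10.20.9.9", 445, "deny"),      # AFC device -> enterprise file share
]

def segmentation_violations(rules: List[Rule] = RESTRICTED_RULE_BASE,
                            flows=EXPECTED_FLOWS) -> List[Tuple[str, str, int, str, str]]:
    """List flows whose actual action differs from the expected one (empty = segmentation holds)."""
    return [(s, d, p, want, evaluate(rules, s, d, p))
            for s, d, p, want in flows if evaluate(rules, s, d, p) != want]

if __name__ == "__main__":
    print(segmentation_violations() or "segmentation holds for all tested flows")
```

Running the same check after every rule-base change is what turns the diagram's VLAN boundary into evidence a QSA can review.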

Page 9:

PCI Project Migration – Phase 2

Central System Upgrade
• Upgrade Servers (Production, Stand-by, DR, and QA)
• Migrate Central System software
• Migrate Database
• Migrate Web Ticketing

Page 10:

Phase 2: Central System Upgrade

[Diagram: the Non PCI Compliant System (TOM, BVM, Web, Devices, Settlement, Old Database) still connects to the Merchant Bank through the Load Balancer, while a new PCI Compliant System with an Upgraded Database runs on a Server Farm (Production, Stand-By, DR, QA) with its own Merchant Bank connection.]

Page 11:

PCI Project Migration – Phase 3

Payment Processing Device Upgrade
• Replace TOM hardware & software including 3DES PIN pad
• Replace TVM hardware & software including 3DES PIN pad
• Deploy Anti-Virus software and File Integrity Monitoring process to all components
• Migrate TOM and TVM

Page 12:

Phase 3: Device Upgrade

[Diagram: TOM, BVM and Devices are split between the Non PCI Compliant System (Old Database, Settlement, Merchant Bank via the Load Balancer) and the PCI Compliant System (Upgraded Database, Settlement, Merchant Bank) while devices are migrated.]

Page 13:

Phase 3: Device Upgrade Complete

[Diagram: TOM, BVM, Web and Devices now connect to the PCI Compliant System (Upgraded Database, Settlement, Merchant Bank); the Non PCI Compliant System with the Old Database is marked Not Active.]

Page 14:

PCI Project Migration – Compliant

Final Report of Compliance to Merchant Bank
• Review of Remediation Roadmap tasks
• QSA Assessment of GAPS
• QSA Vulnerability Scan
• Report of Compliance
• Attestation of Compliance
• PCI DSS v2.0 Certificate of Compliance from Merchant Bank

Page 15:

Thank You