Presentation is loading. Please wait.

Presentation is loading. Please wait.

MARTA’s Road to PCI Compliance

Published byJorge Vieira Carlos Modified over 5 years ago

Similar presentations

Presentation on theme: "MARTA’s Road to PCI Compliance"— Presentation transcript:

1 MARTA’s Road to PCI Compliance
Introduction: Thank Regan Introduce Self Introduce MARTA Formed in 1971 as a bus system. MARTA operates a network of bus routes linked to a rapid transit system consisting of 48 miles of rail track with 38 train stations. Presenter: Yolanda Curtis, PMP AFC Project Manager

2 MARTA’s PCI Requirement
As an acceptor of payment cards, MARTA is required to certify its Automated Fare Collection Payment Application to the PCI DSS requirements. MARTA is classified as a Level 2 merchant; processing more than 1 million credit transactions annually. PCI DSS certification requires a certified Fare Collection System including Payment Application software to be developed by the Fare Collection vendor. This software operates in the TVM, Ride Store TOM, and Fare Collection Central System. MARTA’s PCI Requirement: More than 95% of MARTA patrons use major credit/debit cards to purchase Breeze products. Based on the annual credit/debit card transactions processed by Breeze, MARTA is classified as a Level 2 merchant Level 2 Merchants process more than 1 million transaction annually Our merchant bank mandated we certify our Breeze system for PCI DSS v2.0 compliance. The certification required an upgraded Payment Application, TVM, TOM and Central System software.

3 AFC Overview The MARTA Automated Fare Collection system also known as Breeze entered revenue service in The system supports Regional operators including Cobb County, Gwinnett County, and Georgia Regional Transit Authority, and Atlanta Regional Commission databases. There are over 1 Million active Breeze cards system wide. COMPONENT QTY Automated Fare Gates 470 Automated Fare Boxes on Big buses 626 Light Validators on Para transit buses 175 Ticket Vending Machines 349 Ticket office machines 16 Automated parking gates 50 High Performance Encoding Machines 6 Money Room Facilities and Equipment 1 Central Computing System (1 Online, 1 Stand-by, 1 DR, 1 QA) 20 AFC Overview: AFC system is called Breeze, installed in 2005 System supports 3 Regional Operators Over 1 million active Breeze cards in the system Read Component #’s

4 AFC PCI Project Scope Central System Improvements
Improved credit card security management More patron search capabilities Database Security Data at rest encryption higher security Separated storage of credit card information Ticket Vending Machine and Ticket Office Machine Higher security PIN PAD for debit transactions New internal computer New Operating System (Window 7) Remote Monitoring of all AFC Components Anti-virus management File Integrity Monitoring Network Security Access controls AFC PCI Project Scope: The PCI Project scope was to implement Hardware, Software Modifications and Security Policies to ensure our Breeze system is compliant with PCI DSS version 2.0 regulation. Our implementation upgraded the Central System…read sub bullets, enhance the Database security..read sub bullets, upgraded the TVM and TOM hardware, added remote monitoring capabilities and increased Network Security.

5 AFC PCI Project Team MARTA AFC Team Project Oversight
Remediation tasks Application Support Network & Server Support Enterprise Security Qualified Security Assessor (QSA) Assessment Gap Analysis Compliance Roadmap Report of Compliance Merchant Bank Manage PCI mandates on behalf of VISA, MasterCard, American Express, Discover Fare Collection Vendor Software development Hardware upgrades PCI DSS certification of payment applications software PCI Project Team: The team comprised of the MARTA AFC Team, QSA, Merchant Bank and our Fare Collection vendor. Each entity played an important role in the success of the project. The QSA Performed an Assessment to identify areas of non compliance, they provided a GAP analysis which we used as the Roadmap or Strategy for Remediation, after Remediation was complete they provided the Report of Compliance to the Merchant Bank The AFC Team Responsible for completing the tasks in the Roadmap of Strategy for Remediation The Merchant Bank Responsible for managing our Level 2 compliance expectations and communicating our project progress to the Card Organizations The Fare Collection Vendor Responsible for the software development of the Payment Application and upgrades to the TVM and TOMs

6 AFC PCI Project Timeline
2008 - MARTA is deemed as a Level 2 Merchant - Completed the PCI Data Security Standard Self-Assessment Questionnaire (SAQ) and quarterly scan results. 2009 - MARTA began the partnership with BOA and Fare Collection vendor to complete PCI requirements. 2010 - GAP Analysis completed by QSA - Attestation of Compliance sent to Merchant Bank - QSA provided Remediation Roadmap 2011 – MARTA issues Notice to Proceed to Fare Collection vendor to begin software development - AFC system PCI Migration begins 2012 - AFC system PCI Migration completed - Attestation of Compliance completed - PCI Compliance obtained from Merchant Bank PCI Project Timeline: 2008 MARTA received notification from its Merchant Bank stating our Merchant Status had been updated to a Level 2 2009 MARTA initiated the efforts to start the PCI Remediation project steps. We involved the Merchant Bank and the Fare Collection vendor to discuss options for upgrading the existing system. 2010 MARTA engaged a QSA to assist in performing an assessment of the environment and providing a remediation plan for PCI compliance. We worked with the project team entities to ensure all areas of responsibility could be addressed in the upgrade. 2011 MARTA officially began the upgrade efforts for the existing Breeze system 2012 MARTA completed the PCI upgrade project and received the Certificate of Compliance from the Merchant Bank

7 PCI Project Migration – Phase 1
AFC Network Access Control Build secure data network Segment AFC Traffic from the Enterprise Network traffic Develop Information Security Team Develop Information Security Policies PCI Migration – Phase 1 Started in 2011 Focus was on the Network Access Control Goal was to provide a secure network for all AFC credit/debit transaction traffic and to eliminate unnecessary access to the network Some activities: Firewall rule clean up, Access Lists on Switches, VLAN configuration

8 Phase 1: Network Access Control
TOM Load Balancer Non PCI Compliant System Web BVM Devices Settlement Merchant Bank Old Database AFC Network Enterprise Network Internet VLAN Restricted Rule Base VLAN PCI Migration – Phase 1 Discuss diagram

9 PCI Project Migration – Phase 2
Central System Upgrade Upgrade Servers (Production, Stand by, DR, and QA) Migrate Central System software Migrate Database Migrate Web Ticketing PCI Migration – Phase 2 Focus was on the Central System Upgrade Goal was to .. Some activities: ..

10 Phase 2: Central System Upgrade
TOM TOM BVM TOM BVM BVM Web Devices Load Balancer Merchant Bank Merchant Bank Non PCI Compliant System PCI Compliant System Old Database Upgraded Database Settlement Settlement Production Stand-By DR QA Server Farm

11 PCI Project Migration – Phase 3
Payment Processing Device Upgrade Replace TOM Hardware & Software including 3DES Pin Pad Replace TVM Hardware & Software including 3DES Pin Pad Deploy Anti-Virus software and File Integrity Monitoring process to all components Migrate TOM and TVM PCI Migration – Phase 3 Focus was on the Device Upgrade Goal was to .. Some activities: ..

12 Phase 3: Device Upgrade Load Balancer Non PCI PCI Compliant Compliant
TOM Load Balancer Non PCI Compliant System Web BVM Devices Settlement Merchant Bank Old Database PCI Compliant System Upgraded Database Settlement

13 Phase 3: Device Upgrade Complete
TOM Load Balancer Non PCI Compliant System Web BVM Devices Settlement Old Database Merchant Bank Not Active PCI Compliant System Upgraded Database Settlement

14 PCI Project Migration – Compliant
Final Report of Compliance to Merchant Bank Review of Remediation Roadmap tasks QSA Assessment of GAPS QSA Vulnerability Scan Report of Compliance Attestation of Compliance PCI DSS v2.0 Certificate of Compliance from Merchant Bank PCI Migration – Complete Focus was on the QSA assessment Goal was to .. Some activities: ..

15 Thank You

Download ppt "MARTA’s Road to PCI Compliance"

Similar presentations

Approaches to meeting the PCI Vulnerability Management and Penetration Testing Requirements Clay Keller.

Approaches to meeting the PCI Vulnerability Management and Penetration Testing Requirements Clay Keller.
Surviving the PCI Self -Assessment James Placer, CISSP West Michigan Cisco Users Group Leadership Board.

Surviving the PCI Self -Assessment James Placer, CISSP West Michigan Cisco Users Group Leadership Board.
Evolving Challenges of PCI Compliance Charlie Wood, PCI QSA, CRISC, CISA Principal, The Bonadio Group January 10, 2014.

Evolving Challenges of PCI Compliance Charlie Wood, PCI QSA, CRISC, CISA Principal, The Bonadio Group January 10, 2014.
.. PCI Payment Card Industry Compliance October 2012 Presented By: Jason P. Rusch.

.. PCI Payment Card Industry Compliance October 2012 Presented By: Jason P. Rusch.
PCI DSS for Retail Industry

PCI DSS for Retail Industry
Payment Card Industry Data Security Standard Tom Davis and Chad Marcum Indiana University.

Payment Card Industry Data Security Standard Tom Davis and Chad Marcum Indiana University.
MARTAs Road to PCI Compliance 1 Presenter: Yolanda Curtis, PMP AFC Project Manager.

MARTAs Road to PCI Compliance 1 Presenter: Yolanda Curtis, PMP AFC Project Manager.
Navigating the New SAQs (Helping the 99% validate PCI compliance)

Navigating the New SAQs (Helping the 99% validate PCI compliance)
PCI-DSS Erin Benedictson Information Security Analyst AAA Oregon/Idaho.

PCI-DSS Erin Benedictson Information Security Analyst AAA Oregon/Idaho.
This refresher course will:

This refresher course will:
JEFF WILLIAMS INFORMATION SECURITY OFFICER CALIFORNIA STATE UNIVERSITY, SACRAMENTO Payment Card Industry Data Security Standard (PCI DSS) Compliance.

JEFF WILLIAMS INFORMATION SECURITY OFFICER CALIFORNIA STATE UNIVERSITY, SACRAMENTO Payment Card Industry Data Security Standard (PCI DSS) Compliance.
Property of CampusGuard Compliance With The PCI DSS.

Property of CampusGuard Compliance With The PCI DSS.
Smart Payment Processing ™ 800-846-4472 www.MercuryPay.com Protecting Your Business from Card Data Theft Presenter: Lucas Zaichkowsky.

Smart Payment Processing ™ Protecting Your Business from Card Data Theft Presenter: Lucas Zaichkowsky.
Talking Technology and Transportation (T3)

Talking Technology and Transportation (T3)
Credit Card Compliance Regulations Mandated by the Payment Card Industry Standards Council Accounting and Financial Services.

Credit Card Compliance Regulations Mandated by the Payment Card Industry Standards Council Accounting and Financial Services.
Credit / Debit Card Electronic Payments Industry Update on Convenience Fees, Utility Program and More! Presented by: Presented by: Michael Hodge, Regional.

Credit / Debit Card Electronic Payments Industry Update on Convenience Fees, Utility Program and More! Presented by: Presented by: Michael Hodge, Regional.
Presented by : Vivian Eberhardt, Supervisor Cash and Credit Operations

Presented by : Vivian Eberhardt, Supervisor Cash and Credit Operations
PCI Compliance Forrest Walsh Director, Information Technology California Chamber of Commerce.

PCI Compliance Forrest Walsh Director, Information Technology California Chamber of Commerce.
Data Security Standard. What Is PCI ? Who Does It Apply To ? Who Is Involved With the Compliance Process ? How We Can Stay Compliant ?

Data Security Standard. What Is PCI ? Who Does It Apply To ? Who Is Involved With the Compliance Process ? How We Can Stay Compliant ?
Property of the University of Notre Dame Navigating the Regulatory Maze: Notre Dame’s PCI DSS Solution EDUCAUSE Midwest Regional Conference March 17, 2008.

Property of the University of Notre Dame Navigating the Regulatory Maze: Notre Dame’s PCI DSS Solution EDUCAUSE Midwest Regional Conference March 17, 2008.

Similar presentations

Ads by Google