- Assess. Identifying cardholder data, taking an inventory of IT assets and business processes for payment card processing, and analyzing them for vulnerabilities.
- Remediate. Fixing vulnerabilities and eliminating the storage of cardholder data unless absolutely necessary.
- Report. Compiling and submitting required reports to the appropriate acquiring bank and card brands.
A parking operation falls under the merchant side of PCI DSS. For merchants, there are four levels of compliance based on the number of credit card transactions processed per year. While the PCI DSS is the same at each level, the requirements for reporting compliance vary, becoming more comprehensive as the number of transactions increases.
The four levels and the requirements for each are:
Level 4. Less than 20,000 credit card transactions per year
For relatively small merchants in this category, the reporting requirements for PCI are determined by your acquiring bank. They are typically similar to the level 3 requirements.
Level 3. 20,000–1 million credit card transactions per year
At level 3, an organization is required to complete an annual self-assessment questionnaire, as well as conduct quarterly vulnerability scans of its network. These scans must be conducted by an approved scanning vendor (ASV), a PCI-approved organization that uses data security services and tools to check compliance with the PCI DSS external scanning requirements. A list of ASVs can be found on the PCI Security Standards Council website.
Level 2. 1–6 million credit card transactions per year
Level 2 requirements are largely the same as level 3, with the difference being that the annual self-assessment questionnaire must be filled out by an employee who has completed an Internal Security Assessor course, or by an external qualified security assessor (QSA).
Level 1. More than 6 million credit card transactions per year
Organizations that fall under level 1 must have a report on compliance completed annually by an independent QSA. The report is a formal audit covering the entire organization, making it more comprehensive than the self-assessment questionnaire.
Risk is a significant component of maintaining secure systems and achieving PCI compliance, and education and security awareness are essential to doing so. Educated staff are the first line of defense against data breaches, as encryption, antivirus software, and firewalls can only do so much. Because of this, PCI requires security awareness training for staff that covers common information security best practices, such as how to identify phishing emails and password best practices. It is also important to keep employees abreast of the latest social engineering tactics that hackers are using, such as voice simulation and impersonation. This training can be developed in house or conducted by a third party.
It is also important that all systems throughout an organization are kept up to date, whether they are used by staff or customers. Security software, such as antivirus, should be updated regularly as new signatures are released several times each day. To maintain PCI compliance, all software and underlying operating systems must have routine patches applied on at least a quarterly basis. Critical security updates should be installed within 30 days. It is important for staff in an organization to keep informed on available updates for software and operating systems. This can be done by subscribing to vendor email alerts or monitoring web forums.
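The patch windows stated above (critical security updates within 30 days, routine patches at least quarterly) are easy to encode as a check over an asset inventory. The following is an added example, not code from the article or from T2 Systems; the asset names and release dates are constructed sample values, and "quarterly" is taken as 90 days.

```python
from dataclasses import dataclass
from datetime import date

# Thresholds from the text: critical updates within 30 days,
# routine patches at least quarterly (assumed here to mean 90 days).
CRITICAL_WINDOW_DAYS = 30
ROUTINE_WINDOW_DAYS = 90


@dataclass
class PendingUpdate:
    asset: str        # system name (constructed sample value)
    released: date    # date the vendor published the update
    critical: bool    # vendor rates it a critical security update


def days_allowed(update: PendingUpdate) -> int:
    """Return the PCI patch window that applies to this update."""
    return CRITICAL_WINDOW_DAYS if update.critical else ROUTINE_WINDOW_DAYS


def overdue_updates(pending, today: date):
    """Return (asset, days_overdue) for every update still
    unapplied past its window, sorted by most overdue first."""
    result = []
    for u in pending:
        age = (today - u.released).days
        over = age - days_allowed(u)
        if over > 0:
            result.append((u.asset, over))
    return sorted(result, key=lambda r: r[1], reverse=True)


# Constructed sample inventory of unapplied updates; not real systems.
SAMPLE_PENDING = [
    PendingUpdate("pay-station-01", date(2024, 1, 10), critical=True),
    PendingUpdate("parcs-server", date(2024, 2, 20), critical=False),
    PendingUpdate("office-ws-07", date(2024, 3, 1), critical=True),
]

if __name__ == "__main__":
    for asset, over in overdue_updates(SAMPLE_PENDING, date(2024, 3, 15)):
        print(f"{asset}: {over} days past the PCI patch window")
```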
From a parking perspective, implementing PARCS or pay station solutions with point-to-point encryption (P2PE) is a great way to reduce risk while making PCI DSS compliance much simpler. With P2PE, credit card data is encrypted by the card reader the moment a card is inserted, and it cannot be decrypted anywhere outside the processor's environment. Card data never touches the customer or vendor network; only the processor can read it.
Regular physical inspection of parking equipment for skimmers is also essential to minimizing risk. Even P2PE card readers can potentially be breached by a skimmer, with unattended kiosk equipment being particularly vulnerable. An operation should ensure that the person conducting the inspection knows what they are looking for, and if they do find something, leadership should do whatever they can to track down the source of the skimmer.
Planning for Emergencies
A vital part of PCI compliance is having an incident response plan in place to deal with a potential security breach. The key elements of an incident response plan include:
- Defining roles and assigning them to specific people.
- Laying out teams to manage different aspects of the response plan.
- Providing contact information for all persons involved.
- Providing contact information for key vendors, law enforcement, and card brand breach hotlines.
- A template of steps to follow for certain scenarios that is generic enough to apply to any incident.
- Training staff and testing the plan on at least an annual basis.
It is crucial to not just have a template in place to work from, but also to include both known and unknown scenarios. The last thing an organization wants to do is be scrambling to figure out what to do in the middle of an incident. The more that is pre-defined in the response plan, the easier it will be to respond to and remedy the incident.
The technology boom of the 21st century has brought many new challenges to our world. Data security is one that has impacted nearly every industry and organization, including parking. To combat the increased threat of data breaches, parking operations need to prioritize maintaining secure systems, especially with regard to credit card data.
Maintaining PCI compliance should be the first step a parking operation takes, aligning it with the latest global standards on processing transactions and building trust with its customers. Two major pieces of maintaining PCI DSS are risk and planning for emergencies. It is imperative for a parking organization to educate staff, maintain secure systems, and have a plan ready if an incident does occur. When you have these things in place, you can rest a little easier.
Andrew Baxter is the Security and Compliance Manager at T2 Systems. Learn more about T2’s innovative and reliable parking technology solutions at t2systems.com.