By: Andrew Baxter, Security and Compliance Manager
Originally published in Parking & Mobility, July 2020.
As technology has become a bigger part of our everyday lives, data security has quickly become one of the most significant issues of our time. With the growth of social media, increased use of cloud storage, the rise of alternative payment platforms and options, and more—all conducted with a device we carry in our pockets—companies and organizations need to ensure their systems are secure and their customers’ data is protected. That includes parking operations. The rise in alternative payment options has been a major advancement. Gone are the days of simply feeding quarters into a meter; in many places, patrons can pay with credit cards, EMV options such as Apple Pay or Google Pay, or an app. While they’re convenient for customers, these payment options can be vulnerable to skimmers or hackers. Additionally, as more operations implement parking management software and data analytics tools, there is greater risk for security breaches on computers or servers.
The Importance of Secure Systems
One of the most important reasons to maintain secure systems is to protect your organization’s reputation. We are all familiar with some of the large data breaches that have made the news, and nobody wants to be the next headline. Additionally, an operation wants to ensure that customers can trust it with their personal information, whether they are paying for parking in a garage or lot, using a meter for on-street parking, purchasing a permit, or paying a citation. There is also significant financial risk that comes from a data breach. If an organization is found liable, it may be on the hook for whatever cost it takes to remedy the situation. There also may be some loss of business due to the harm done to the organization’s reputation. Having secure systems frees up internal resources. The more secure an organization’s systems are, the less likely it is to have security issues. This allows staff to focus on more important issues rather than incident response, and enables them to continue to develop and improve security measures and invest in enhancing systems.
Maintaining PCI Compliance
Cardholder data will likely be the largest priority for a parking operation, and there is a global standard that all parking operations should follow. Developed by the Payment Card Industry (PCI) Security Standards Council, the PCI Data Security Standard (PCI DSS) “set[s] the technical and operational requirements for organizations accepting or processing payment transactions, and for software developers and manufacturers of applications and devices used in those transactions.” Below is a summary of the goals and requirements for PCI DSS.
PCI compliance is a continuous, three-step process.
- Assess. Identifying cardholder data, taking an inventory of IT assets and business processes for payment card processing, and analyzing them for vulnerabilities.
- Remediate. Fixing vulnerabilities and eliminating the storage of cardholder data unless absolutely necessary.
- Report. Compiling and submitting required reports to the appropriate acquiring bank and card brands.
A parking operation falls under the merchant side of PCI DSS. For merchants, there are four levels of compliance based on the number of credit card transactions processed per year. While the PCI DSS is the same at each level, the requirements for reporting of compliance varies, becoming more comprehensive as the number of transactions increases.
The four levels and the requirements for each are
Level 4. Less than 20,000 credit card transactions per year
For relatively small merchants in this category, the reporting requirements for PCI are determined by your acquiring bank. They are typically similar to the level 3 requirements.
Level 3. 20,000–1 million credit card transactions per year
At level 3, an organization is required to complete an annual selfassessment questionnaire, as well as conduct quarterly vulnerability scans of its network. These scans must be conducted by an approved scanning vendor (ASV), a PCI-approved organization that uses data security services and tools to check compliance with the PCI DSS external scanning requirements. A list of ASVs can be found on the PCI Security Standards Council website.
Level 2. 1–6 million credit card transactions per year
Level 2 requirements are largely the same as level 3, with the difference being that the annual self-assessment questionnaire must be filled out by an employee that has completed an Internal Security Assessor course, or by an external qualified security assessor (QSA).
Level 1. More than 6 million credit card transactions per year
Organizations that fall under level 1 must have a report on compliance completed annually by an independent QSA. The report is a formal audit covering the entire organization, making it more comprehensive than the self-assessment questionnaire.
Risk
Risk is a significant component of maintaining secure systems and achieving PCI compliance, and education and security awareness are essential to doing so. Educated staff are the first line of defense against data breaches, as encryption, antivirus software, and firewalls can only do so much. Because of this, PCI requires security awareness training for staff that covers common information security best practices, such as how to identify phishing emails and password best practices. It is also important to keep employees abreast of the latest social engineering tactics that hackers are using, such as voice simulation and impersonation. This training can be developed in house or conducted by a third party.
It is also important that all systems throughout an organization are kept up to date, whether they are used by staff or customers. Security software, such as antivirus, should be updated regularly as new signatures are released several times each day. To maintain PCI compliance, all software and underlying operating systems must have routine patches applied on at least a quarterly basis. Critical security updates should be installed within 30 days. It is important for staff in an organization to keep informed on available updates for software and operating systems. This can be done by subscribing to vendor email alerts or monitoring web forums.
From a parking perspective, implementing PARCS or pay station solutions with point-to-point encryption (P2PE) is a great way to reduce risk while making PCI-DSS compliance much simpler. With P2PE, credit card data is immediately encrypted by the card reader upon insertion of a card, and it can’t be decrypted anywhere outside the processor’s environment. Card data never touches the customer or vendor network—only the processors can read the card data.
Regular physical inspection of parking equipment for skimmers is also essential to minimizing risk. Even P2PE card readers can potentially be breached by a skimmer, with unattended kiosk equipment being particularly vulnerable. An operation should ensure that the person conducting the inspection knows what they are looking for, and if they do find something, leadership should do whatever they can to track down the source of the skimmer.
Planning for Emergencies
A vital part of PCI compliance is having an incident response plan in place to deal with a potential security breach. The key elements of an incident response plan include:
- Defining roles and assigning them to specific people.
-
Laying out teams to manage different aspects of the response plan.
-
Providing contact information for all persons involved.
-
Providing contact information for key vendors, law enforcement, and card brand breach hotlines.
-
A template of steps to follow for certain scenarios that are generic enough to apply to any incident.
-
Training staff and testing the plan on at least an annual basis.
It is crucial to not just have a template in place to work from, but also to include both known and unknown scenarios. The last thing an organization wants to do is be scrambling to figure out what to do in the middle of an incident. The more that is pre-defined in the response plan, the easier it will be to respond to and remedy the incident.
The technology boom of the 21st century has brought many new challenges to our world. Data security is one that has impacted nearly every industry and organization, including parking. To combat the increased threat of data breaches, parking operations need to prioritize maintaining secure systems, especially with regard to credit card data.
Maintaining PCI compliance should be the first step a parking operation takes, aligning it with the latest global standards on processing transactions and building trust with its customers. Two major pieces of maintaining PCI DSS are risk and planning for emergencies. It is imperative for a parking organization to educate staff, maintain secure systems, and have a plan ready if an incident does occur. When you have these things in place, you can rest a little easier.