PCI Compliance & Parking: A Comprehensive Look
November, 2020
Have you used your credit or debit card at all today? In the past week? Ever? If you’ve ever used a card to make any type of purchase, you have been on the consumer side of Payment Card Industry (PCI) compliance. This compliance is what prevents your data from being misused or recklessly stored.
For PCI compliant organizations, and for the digital space in general, data encryption is now a way of life.
All businesses have a responsibility to their customers to ensure that all sensitive card data is safe and secure, and while the Retail industry may be top of mind when thinking about data security and card payments–– being compliant with PCI Data Security Standards (DSS) is crucial across many industries, including parking.
Meeting these standards is one of the most critical elements of parking management. That being said, PCI compliance is a complex subject and often misunderstood. In turn, this means that many organizations fall behind on compliance and consequently experience large data breaches over long periods of time.
What is PCI Compliance?
Before we delve further into this topic, there are a couple important terms to know. When an organization talks about PCI compliance, what is typically being referred to is PCI DSS compliance –– or rather, compliance with the Data Security Standards which have been laid out by the PCI Security Standards Council (SSC).
The PCI SSC was founded in 2006 by the leading providers in the payment card industry: American Express, Discover, JCB International, MasterCard and Visa Inc. The PCI SSC’s main mission is to enhance global payment account security. They do this by increasing industry participation and knowledge, creating a set of security standards, securing emerging channels, and by increasing consistency and alignment around these standards.
PCI compliance & the law: Am I under legal obligation to be compliant?
The short answer here is ‘no’. Being compliant with PCI standards is not a legal obligation per se. The PCI SSC is a private alliance, rather than a public regulatory entity. However, while PCI DSS compliance is not in itself a legal requirement in the United States, Canada or in the United Kingdom (UK), it is considered best practice to treat it as such. Failure to comply with the PCI
If being compliant isn’t in itself a legal mandate, what happens if an organization remains non-compliant?
If a data breach occurs due to non-compliance, the PCI SSC issues a heavy fine to your bank. Typically, the bank will pass this fine onto the business at fault. This fine can range from $5,000 to $100,000 for every month of non-compliance. Additionally, the bank could terminate their relationship with the business, or heavily increase your transaction fees as they recalibrate risk tolerance.
Organizations are failing at PCI compliance
Unfortunately, PCI compliance is now alarmingly low. After dropping for the second year in a row, global compliance is now only 36.7 percent. This is concerning for a few reasons, however Rodolphe Simonetti, global Managing Director at Verizon states it best:
“After witnessing a gradual increase in compliance from 2010 to 2016, we are now seeing a worrying downward trend and increasing geographical differences. For years, we have discussed the close correlation between the lack of PCI DSS compliance and cyber breaches. Our data shows that we have never investigated a payment card security data breach for a PCI DSS-compliant organization. Compliance works.”
These are the more specific areas where businesses commonly fail with regards to PCI compliance:
Weak or unsafe passwords:
Password security is one of the most basic tenets of PCI compliance and overall data security. In order to comply with PCI DSS, companies must avoid use of “vendor-supplied defaults for system passwords and other security parameters.”
Insufficient internal reporting/tracking:
It’s imperative for organizations to track activity inside the networks that hold their user data to ensure that everything is secure. Fortunately, for smaller organizations, this is fairly straightforward. On the other hand, larger organizations, or those that must hold large amounts of sensitive payment card and user data––this can be a major, budget-commanding task.
Failing to properly segment networks:
Many organizations will create just one segment in their network for ‘PCI Only’ data. However, housing all of your PCI data in one segment is ill-advised, and a big contributor to failed compliance. A strongly-protected network is one that has branches (or segments) for each category of PCI user data. With this data segregation, it is far more difficult to obtain and connect data fragments in the event of a breach.
Lazy encryption & loosely guarded decryption keys:
For PCI compliant organizations, and for the digital space in general, data encryption is now a way of life. Unfortunately, for those who have failed to maintain compliance, this is not the case. One major reason for these failures and data breaches is simply poor or substandard encryption of PCI and user data, which includes Personally Identifiable Information (PII).
PII itself has a large scope and is only partially covered by PCI DSS. Regarding PII in relation to PCI, there are two relevant elements: cardholder data, and sensitive authentication data. This includes the user’s permanent account number (PAN), card numbers, PINs, and cardholder name, to list a few.
Inadequate encryption is often due to this data spending much of its life moving between systems. However, it is for that reason that data must be sufficiently encrypted from end-to-end.
Additionally, decryption keys and passwords must be guarded with the same strength as the encryption itself. This is another area where companies are falling short.
What does PCI Compliance mean for Parking?
As the parking industry shifts away from cash and coin to digital card payments, it is more important than ever to ensure compliance. Because many drivers do not have much of a choice in where they can park or how they can pay parking fines, the sector is on the hook to ensure that these data standards are upheld by those across the industry: private parking companies, universities, and municipalities.
Steps to PCI Compliance:
Becoming compliant with PCI DSS is reasonably straightforward, yet not simple. The process toward compliance needs to be maintained and watched with a close eye.
According to PCI Security Standards Council, the following steps should be taken to achieve PCI compliance:
Build and maintain a secure network
1- Install and maintain a firewall configuration to protect cardholder data
2- Do not use vendor-supplied defaults for system passwords and other security parameters
Protect Cardholder Data
• Protect stored cardholder data
• Encrypt transmission of cardholder data across open, public networks
Maintain a Vulnerability Management Program
• Use and regularly update anti-virus software or programs
• Develop and maintain secure systems and applications
Implement Strong Access Control Measures
• Restrict access to cardholder data by business to need-to-know
• Assign a unique ID to each person with computer access
• Restrict physical access to cardholder data
Regularly Monitor and Test Networks
• Track and monitor all access to network resources and cardholder data
• Regularly test security systems and processes
Maintain an Information Security Policy
Maintain a policy that addresses information security for employees and contractors
Along with this, there is a PCI three-step cyclical process, with focus on maintaining this security:
Assess Identifying cardholder data, taking an inventory of IT assets and business processes for payment card processing, and analyzing them for vulnerabilities.
1- Remediate Fixing vulnerabilities and eliminating the storage of cardholder data unless absolutely necessary.
2- Report Compiling and submitting required reports to the appropriate acquiring bank and card brands.
3- Repeat this for the lifetime of your organization.
How to Set Your PCI Compliance in Motion:
Fair warning: the road to PCI compliance is a long one. Fortunately, there are options for municipalities to become PCI compliant, without any of the hassle or worries that come with doing it yourself.
Mitigate Your Risk
PCI compliance is a high-stakes endeavor and mitigating risk requires wholesale commitment. This includes extensive education and training of staff at all points of contact, including (but not limited to) ensuring that your staff is up-to-date on security best practices and the latest social engineering tactics currently being used.
What to do if a breach occurs
Even though a data breach is probably the last thing you want to think about happening to your organization, it is imperative that you are sufficiently prepared. According to the PCI SSC, this is what you must do in order to prepare for a data breach:
Implement a response plan and test it annually, at a minimum. The PCI DSS 12.10 requires that organizations must “implement an incident response plan. Be prepared to respond immediately to a system breach.” This should be a thorough plan that is frequently tested to ensure that it works as designed.
Limit data exposure and minimize data loss, while still preserving evidence. This isn’t as simple as just shutting your systems down, and is complicated to do correctly. As such, it’s imperative that there is a proper process in place to ensure this happens the right way.
Understand notification requirements and be prepared to notify all pertinent parties. The ability to act quickly upon recognizing a breach is crucial. You must be prepared to notify all parties that require notification immediately. These entities may include, but are not limited to, payment card brands and merchant banks.
Manage third-contracts by ensuring that “all contracts with third-party service providers, hosting providers, integrators/resellers, and other relevant parties address incident-response management sufficiently. Contracts should include specific provisions on how evidence from those environments will be accessed and reviewed, such as allowing your Payment Card Industry Forensic Investigator (PFI) access to the environments.
Contracts should include provisions to require the third party’s cooperation and allow a PFI to broaden the investigative scope to the third party if the third party is found to be the source of (or contributed to) an event that impacted cardholder data security.”
Think About Your Software
Thankfully, if a breach occurs, any good technology vendor would already be abreast of the situation, and have infrastructure in place to minimize the impact or entirely block attempts to damage the integrity of the system. It’s easy to see why the PCI SSC recommends the purchase and use of hardware and software that is already PCI compliant.
By using a vetted and properly assessed third party software, municipalities and organizations can become compliant and maintain these standards easily and without dedicating massive expenditures towards in-house manpower and resources.
Final Thoughts on PCI Compliance
With technology evolving rapidly each day, and online payments becoming not only standardized but expected, it is an imperative that those across the parking sector do not shortchange PCI compliance.
However, getting to and maintaining PCI compliance isn’t easy. You must constantly assess and rework your systems and networks in order to sustain compliance. In addition, the larger the system, the more complicated it becomes. While it is a complex matter, complexity cannot be a reason for failure to comply with PCI DSS.
By failing to meet PCI standards, a municipality can put its entire city at risk. The best option for both the city and its citizens, is to use software and hardware from organizations that are already compliant with PCI standards. That way, it is ensured that the PCI DSS guidelines are being met, without having to ‘do it yourself’.
Marc-Andre Chartrand is VP, Professional Services & Products, gtechna. He can be reached at Marc-Andre.Chartrand@gtechna.com
