Not yet. The SIG is moving very slowly. The only things I've seen so far are a
comprehensive problem statement communicated to the card brands and the council
and a conscious effort to get speakers from PCI council to speak at air travel
industry conferences. There's a serious lack of information here as many don't
fully understand how it all works together and the issues that are preventing
airlines from becoming compliant. It's a good start though. We've started
seeing PCI specific language in recent specification documents for common use
systems, but implementation of things like encryption for example becomes
somewhat problematic when a given common use system at a gate or ticket counter
may run any of 30 or so different virtualized payment applications depending on
the airline that need to be handed off to a multitude of different
geographically separated back end servers and payment processors.
Did you know a travel agent working from his home (or anywhere for that matter)
uses the airlines merchant code and the airline is responsible for ensuring
that home business is PCI compliant with regards to transactions made on their
behalf? Does anyone seriously think that is manageable? I don't.
What about airports that refuse to comply and require airline tenants to use
their shared tenant services infrastructure for voice and data under their
contractual agreements? What about international airports that would like to
cooperate if they even knew what PCI was but due to their geographic location
(3rd world) and the readily available technology compliance is a veritable
impossibility? And how do individual QSA's handle that situation? Seems to be
different every time (I think we are all familiar with QSA inconsistency issues
- my biggest gripe with PCI) and the airlines usually get hosed. Airport has no
contractual relationship with the bank so there's little incentive for them and
it's not like the airline can go to a competing airport in most cases unless
they are willing to accept the lost revenue from not servicing that market. If
the airlines are non-compliant, the airports are far far worse.
One thing that has been proposed to the Council is the concept of "PCI Ready"
which basically states that for everything under my control, it complies but I
do not guarantee that any other service providers I rely on are compliant as
well. There is no end to end compliance and this really opens a can of worms by
setting a dangerous precedent. I have not heard of any official response but if
it was not communicated within the SIG I don't know that I would have.
My personal preference, and I can't believe I'm even suggesting this, is to
forget about the concept of "PCI Ready" and require merchants to only use
registered and compliant service providers. At some point service providers
need to be held contractually accountable and unless it's mandated by the
Council or some sort of global agreement on behalf of the banks I don't see
individual merchants doing this in any consistent manner. The other thing that
could theoretically work is legislation mandating PCI (or similar) compliance
for any entity that stores processes or transmits CC data but I have zero faith
that such legislation will achieve the desired results due to the incompetence
or corruption of our lawmakers.
Does the air travel industry need to completely change their business model to
comply with PCI? Not likely. Compensating controls can certainly come into play
here but some gaps just can't be compensated for.
________________________________
From: David Freedman <[email protected]>
To: PaulDotCom Security Weekly Mailing List <[email protected]>
Sent: Tuesday, January 24, 2012 9:18 AM
Subject: Re: [Pauldotcom] CC numbers stored on planes
I love Robin's point about being concerned with the assessor's abilities to
explain why something is in scope and what is considered out of scope. We have
recently gone through our yearly PCI compliance 2.0 and there was a big debate
over what was in scope due to the differences between last 4 of a PAN and full
track data.
Tony - how did the SIG work out? Did it provide solid compensating controls
for the airlines? I mean this with honest curiosity as I think it is
interesting that there are some airlines that are not PCI compliant.
>
>On Tue, Jan 24, 2012 at 7:56 AM, Tony Turner <[email protected]> wrote:
>
>Many airlines are not PCI compliant. There are complexities to their business
>model with airports, common use platforms and travel agents that create
>significant difficulties. This was why we created an informal SIG for Air
>Travel PCI. Bottom line, don't assume.
>>
>>
>>
>>Sent from Yahoo! Mail on Android
>>
>>
>>
>>________________________________
>> From: Scott Rosenthal <[email protected]>;
>>To: PaulDotCom Security Weekly Mailing List <[email protected]>;
>>Subject: Re: [Pauldotcom] CC numbers stored on planes
>>Sent: Tue, Jan 24, 2012 12:42:11 PM
>>
>>
>>
>>Hi Robin, here in the states many if not all of the airlines are required to
>>be PCI compliant. That being said those devices should be considered in scope
>>by the company that is performing their assessment. If they are truly PCI
>>compliant, all of the credit card numbers stored on those devices should be
>>encrypted. I hope that helps.
>>
>>Scott
>>
>>
>>On Mon, Jan 23, 2012 at 10:13 PM, Robin Wood <[email protected]> wrote:
>>
>>I've been on quite a few planes where the duty free and the bar allow
>>>people to pay by credit card. I'd guess the data is stored and
>>>downloaded to be processed at the end of each flight, if so, that is a
>>>great target for card thieves. I wonder how many are actually properly
>>>protected?
>>>
>>>Robin
>>>_______________________________________________
>>>Pauldotcom mailing list
>>>[email protected]
>>>http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom
>>>Main Web Site: http://pauldotcom.com/
>>>
>>
>
>_______________________________________________
>Pauldotcom mailing list
>[email protected]
>http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom
>Main Web Site: http://pauldotcom.com
>
_______________________________________________
Pauldotcom mailing list
[email protected]
http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom
Main Web Site: http://pauldotcom.com
_______________________________________________
Pauldotcom mailing list
[email protected]
http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom
Main Web Site: http://pauldotcom.com
