Re: CC numbers stored on planes

[Tony Turner <tony_l_turner () yahoo com>]

Not yet. The SIG is moving very slowly. The only things I've seen so far are a comprehensive problem statement 
communicated to the card brands and the council and a conscious effort to get speakers from PCI council to speak at air 
travel industry conferences. There's a serious lack of information here as many don't fully understand how it all works 
together and the issues that are preventing airlines from becoming compliant. It's a good start though. We've started 
seeing PCI specific language in recent specification documents for common use systems, but implementation of things 
like encryption for example becomes somewhat problematic when a given common use system at a gate or ticket counter may 
run any of 30 or so different virtualized payment applications depending on the airline that need to be handed off to a 
multitude of different geographically separated back end servers and payment processors.

Did you know a travel agent working from his home (or anywhere for that matter) uses the airlines merchant code and the 
airline is responsible for ensuring that home business is PCI compliant with regards to transactions made on their 
behalf? Does anyone seriously think that is manageable? I don't.

What about airports that refuse to comply and require airline tenants to use their shared tenant services 
infrastructure for voice and data under their contractual agreements? What about international airports that would like 
to cooperate if they even knew what PCI was but due to their geographic location (3rd world) and the readily available 
technology compliance is a veritable impossibility? And how do individual QSA's handle that situation? Seems to be 
different every time (I think we are all familiar with QSA inconsistency issues - my biggest gripe with PCI) and the 
airlines usually get hosed. Airport has no contractual relationship with the bank so there's little incentive for them 
and it's not like the airline can go to a competing airport in most cases unless they are willing to accept the lost 
revenue from not servicing that market. If the airlines are non-compliant, the airports are far far worse. 

One thing that has been proposed to the Council is the concept of "PCI Ready" which basically states that for 
everything under my control, it complies but I do not guarantee that any other service providers I rely on are 
compliant as well. There is no end to end compliance and this really opens a can of worms by setting a dangerous 
precedent. I have not heard of any official response but if it was not communicated within the SIG I don't know that I 
would have.

My personal preference, and I can't believe I'm even suggesting this, is to forget about the concept of "PCI Ready" and 
require merchants to only use registered and compliant service providers. At some point service providers need to be 
held contractually accountable and unless it's mandated by the Council or some sort of global agreement on behalf of 
the banks I don't see individual merchants doing this in any consistent manner. The other thing that could 
theoretically work is legislation mandating PCI (or similar) compliance for any entity that stores processes or 
transmits CC data but I have zero faith that such legislation will achieve the desired results due to the incompetence 
or corruption of our lawmakers.

Does the air travel industry need to completely change their business model to comply with PCI? Not likely. 
Compensating controls can certainly come into play here but some gaps just can't be compensated for.






________________________________
 From: David Freedman <freedman.j.d () gmail com>
To: PaulDotCom Security Weekly Mailing List <pauldotcom () mail pauldotcom com> 
Sent: Tuesday, January 24, 2012 9:18 AM
Subject: Re: [Pauldotcom] CC numbers stored on planes
 

I love Robin's point about being concerned with the assessor's abilities to explain why something is in scope and what 
is considered out of scope.  We have recently gone through our yearly PCI compliance 2.0 and there was a big debate 
over what was in scope due to the differences between last 4 of a PAN and full track data. 


Tony - how did the SIG work out?  Did it provide solid compensating controls for the airlines?  I mean this with honest 
curiosity as I think it is interesting that there are some airlines that are not PCI compliant.


 
>  
> On Tue, Jan 24, 2012 at 7:56 AM, Tony Turner <tony_l_turner () yahoo com> wrote:
>
> Many airlines are not PCI compliant. There are complexities to their business model with airports, common use 
> platforms and travel agents that create significant difficulties. This was why we created an informal SIG for Air 
> Travel PCI. Bottom line, don't assume. 
> > Sent from Yahoo! Mail on Android 
> >
> >
> >
> > ________________________________
> > From: Scott Rosenthal <scott.r.rosenthal () gmail com>; 
> > To: PaulDotCom Security Weekly Mailing List <pauldotcom () mail pauldotcom com>; 
> > Subject: Re: [Pauldotcom] CC numbers stored on planes 
> > Sent: Tue, Jan 24, 2012 12:42:11 PM 
> >
> >
> >
> > Hi Robin, here in the states many if not all of the airlines are required to be PCI compliant. That being said those 
> > devices should be considered in scope by the company that is performing their assessment. If they are truly PCI 
> > compliant, all of the credit card numbers stored on those devices should be encrypted. I hope that helps.
> >  
> > Scott
> >
> >
> > On Mon, Jan 23, 2012 at 10:13 PM, Robin Wood <robin () digininja org> wrote:
> >
> > I've been on quite a few planes where the duty free and the bar allow
> > > people to pay by credit card. I'd guess the data is stored and
> > > downloaded to be processed at the end of each flight, if so, that is a
> > > great target for card thieves. I wonder how many are actually properly
> > > protected?
> > >
> > > Robin
> > > _______________________________________________
> > > Pauldotcom mailing list
> > > Pauldotcom () mail pauldotcom com
> > > http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom
> > > Main Web Site: http://pauldotcom.com/
>
> _______________________________________________
> Pauldotcom mailing list
> Pauldotcom () mail pauldotcom com
> http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom
> Main Web Site: http://pauldotcom.com

_______________________________________________
Pauldotcom mailing list
Pauldotcom () mail pauldotcom com
http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom
Main Web Site: http://pauldotcom.com

_______________________________________________
Pauldotcom mailing list
Pauldotcom () mail pauldotcom com
http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom
Main Web Site: http://pauldotcom.com