PaulDotCom mailing list archives
Re: CC numbers stored on planes
From: Tony Turner <tony_l_turner () yahoo com>
Date: Tue, 24 Jan 2012 07:09:00 -0800 (PST)
Not yet. The SIG is moving very slowly. The only things I've seen so far are a comprehensive problem statement communicated to the card brands and the council and a conscious effort to get speakers from PCI council to speak at air travel industry conferences. There's a serious lack of information here as many don't fully understand how it all works together and the issues that are preventing airlines from becoming compliant. It's a good start though. We've started seeing PCI specific language in recent specification documents for common use systems, but implementation of things like encryption for example becomes somewhat problematic when a given common use system at a gate or ticket counter may run any of 30 or so different virtualized payment applications depending on the airline that need to be handed off to a multitude of different geographically separated back end servers and payment processors. Did you know a travel agent working from his home (or anywhere for that matter) uses the airlines merchant code and the airline is responsible for ensuring that home business is PCI compliant with regards to transactions made on their behalf? Does anyone seriously think that is manageable? I don't. What about airports that refuse to comply and require airline tenants to use their shared tenant services infrastructure for voice and data under their contractual agreements? What about international airports that would like to cooperate if they even knew what PCI was but due to their geographic location (3rd world) and the readily available technology compliance is a veritable impossibility? And how do individual QSA's handle that situation? Seems to be different every time (I think we are all familiar with QSA inconsistency issues - my biggest gripe with PCI) and the airlines usually get hosed. Airport has no contractual relationship with the bank so there's little incentive for them and it's not like the airline can go to a competing airport in most cases unless they are willing to accept the lost revenue from not servicing that market. If the airlines are non-compliant, the airports are far far worse. One thing that has been proposed to the Council is the concept of "PCI Ready" which basically states that for everything under my control, it complies but I do not guarantee that any other service providers I rely on are compliant as well. There is no end to end compliance and this really opens a can of worms by setting a dangerous precedent. I have not heard of any official response but if it was not communicated within the SIG I don't know that I would have. My personal preference, and I can't believe I'm even suggesting this, is to forget about the concept of "PCI Ready" and require merchants to only use registered and compliant service providers. At some point service providers need to be held contractually accountable and unless it's mandated by the Council or some sort of global agreement on behalf of the banks I don't see individual merchants doing this in any consistent manner. The other thing that could theoretically work is legislation mandating PCI (or similar) compliance for any entity that stores processes or transmits CC data but I have zero faith that such legislation will achieve the desired results due to the incompetence or corruption of our lawmakers. Does the air travel industry need to completely change their business model to comply with PCI? Not likely. Compensating controls can certainly come into play here but some gaps just can't be compensated for. ________________________________ From: David Freedman <freedman.j.d () gmail com> To: PaulDotCom Security Weekly Mailing List <pauldotcom () mail pauldotcom com> Sent: Tuesday, January 24, 2012 9:18 AM Subject: Re: [Pauldotcom] CC numbers stored on planes I love Robin's point about being concerned with the assessor's abilities to explain why something is in scope and what is considered out of scope. We have recently gone through our yearly PCI compliance 2.0 and there was a big debate over what was in scope due to the differences between last 4 of a PAN and full track data. Tony - how did the SIG work out? Did it provide solid compensating controls for the airlines? I mean this with honest curiosity as I think it is interesting that there are some airlines that are not PCI compliant.
On Tue, Jan 24, 2012 at 7:56 AM, Tony Turner <tony_l_turner () yahoo com> wrote: Many airlines are not PCI compliant. There are complexities to their business model with airports, common use platforms and travel agents that create significant difficulties. This was why we created an informal SIG for Air Travel PCI. Bottom line, don't assume.Sent from Yahoo! Mail on Android ________________________________ From: Scott Rosenthal <scott.r.rosenthal () gmail com>; To: PaulDotCom Security Weekly Mailing List <pauldotcom () mail pauldotcom com>; Subject: Re: [Pauldotcom] CC numbers stored on planes Sent: Tue, Jan 24, 2012 12:42:11 PM Hi Robin, here in the states many if not all of the airlines are required to be PCI compliant. That being said those devices should be considered in scope by the company that is performing their assessment. If they are truly PCI compliant, all of the credit card numbers stored on those devices should be encrypted. I hope that helps. Scott On Mon, Jan 23, 2012 at 10:13 PM, Robin Wood <robin () digininja org> wrote: I've been on quite a few planes where the duty free and the bar allowpeople to pay by credit card. I'd guess the data is stored and downloaded to be processed at the end of each flight, if so, that is a great target for card thieves. I wonder how many are actually properly protected? Robin _______________________________________________ Pauldotcom mailing list Pauldotcom () mail pauldotcom com http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom Main Web Site: http://pauldotcom.com/_______________________________________________ Pauldotcom mailing list Pauldotcom () mail pauldotcom com http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom Main Web Site: http://pauldotcom.com
_______________________________________________ Pauldotcom mailing list Pauldotcom () mail pauldotcom com http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom Main Web Site: http://pauldotcom.com
_______________________________________________ Pauldotcom mailing list Pauldotcom () mail pauldotcom com http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom Main Web Site: http://pauldotcom.com
Current thread:
- CC numbers stored on planes Robin Wood (Jan 23)
- Re: CC numbers stored on planes Bacon Zombie (Jan 24)
- Re: CC numbers stored on planes Scott Rosenthal (Jan 24)
- Re: CC numbers stored on planes Bill Swearingen (Jan 24)
- Re: CC numbers stored on planes Robin Wood (Jan 24)
- <Possible follow-ups>
- Re: CC numbers stored on planes Tony Turner (Jan 24)
- Re: CC numbers stored on planes Scott Rosenthal (Jan 24)
- Re: CC numbers stored on planes David Freedman (Jan 24)
- Re: CC numbers stored on planes Tony Turner (Jan 24)
- Re: CC numbers stored on planes Robin Wood (Jan 24)
- Re: CC numbers stored on planes David Freedman (Jan 24)
- Re: CC numbers stored on planes Scott Rosenthal (Jan 24)