Navigating Security Data in the Parking Industry

By Andrew Baxter

As technology has become a bigger part of our everyday lives, data security has quickly become one of the most significant issues of our time. With the growth of social media, increased use of cloud storage, the rise of alternative payment platforms and options, and more—all conducted with a device we carry in our pockets—companies and organizations need to ensure their systems are secure and their customers’ data is protected.

That includes parking operations. The rise in alternative payment options has been a major advancement. Gone are the days of simply feeding quarters into a meter; in many places, patrons can pay with credit cards, EMV options such as Apple Pay or Google Pay, or an app. While they’re convenient for customers, these payment options can be vulnerable to skimmers or hackers. Additionally, as more operations implement parking management software and data analytics tools, there is greater risk for security breaches on computers or servers.

The Importance of Secure Systems

One of the most important reasons to maintain secure systems is to protect your organization’s reputation. We are all familiar with some of the large data breaches that have made the news, and nobody wants to be the next headline. Additionally, an operation wants to ensure that customers can trust it with their personal information, whether they are paying for parking in a garage or lot, using a meter for on-street parking, purchasing a permit, or paying a citation.

There is also significant financial risk that comes from a data breach. If an organization is found liable, it may be on the hook for whatever cost it takes to remedy the situation. There also may be some loss of business due to the harm done to the organization’s reputation.

Having secure systems frees up internal resources. The more secure an organization’s systems are, the less likely it is to have security issues. This allows staff to focus on more important issues rather than incident response, and enables them to continue to develop and improve security measures and invest in enhancing systems.

Maintaining PCI Compliance

Cardholder data will likely be the largest priority for a parking operation, and there is a global standard that all parking operations should follow. Developed by the Payment Card Industry (PCI) Security Standards Council, the PCI Data Security Standard (PCI DSS) “set[s] the technical and operational requirements for organizations accepting or processing payment transactions, and for software developers and manufacturers of applications and devices used in those transactions.”

A summary of the goals and requirements of PCI DSS follows the description of the merchant levels below.

PCI compliance is a continuous, three-step process:

■ Assess. Identifying cardholder data, taking an inventory of IT assets and business processes for payment card processing, and analyzing them for vulnerabilities.
■ Remediate. Fixing vulnerabilities and eliminating the storage of cardholder data unless absolutely necessary.
■ Report. Compiling and submitting required reports to the appropriate acquiring bank and card brands.

A parking operation falls under the merchant side of PCI DSS. For merchants, there are four levels of compliance based on the number of credit card transactions processed per year. While the PCI DSS is the same at each level, the requirements for reporting compliance vary, becoming more comprehensive as the number of transactions increases.

The four levels and the requirements for each are:

■ Level 4. Less than 20,000 credit card transactions per year. For relatively small merchants in this category, the reporting requirements for PCI are determined by your acquiring bank. They are typically similar to the level 3 requirements.

■ Level 3. 20,000–1 million credit card transactions per year. At level 3, an organization is required to complete an annual self-assessment questionnaire, as well as conduct quarterly vulnerability scans of its network. These scans must be conducted by an approved scanning vendor (ASV), a PCI-approved organization that uses data security services and tools to check compliance with the PCI DSS external scanning requirements. A list of ASVs can be found on the PCI Security Standards Council website.

■ Level 2. 1–6 million credit card transactions per year. Level 2 requirements are largely the same as level 3, with the difference being that the annual self-assessment questionnaire must be filled out by an employee who has completed an Internal Security Assessor course, or by an external qualified security assessor (QSA).

■ Level 1. More than 6 million credit card transactions per year. Organizations that fall under level 1 must have a report on compliance completed annually by an independent QSA. The report is a formal audit covering the entire organization, making it more comprehensive than the self-assessment questionnaire.

PCI DSS Goals and Requirements

Build and Maintain a Secure Network
1. Install and maintain a firewall configuration to protect cardholder data
2. Do not use vendor-supplied defaults for system passwords and other security parameters

Protect Cardholder Data
3. Protect stored cardholder data
4. Encrypt transmission of cardholder data across open, public networks

Maintain a Vulnerability Management Program
5. Use and regularly update anti-virus software or programs
6. Develop and maintain secure systems and applications

Implement Strong Access Control Measures
7. Restrict access to cardholder data by business need-to-know
8. Assign a unique ID to each person with computer access
9. Restrict physical access to cardholder data

Regularly Monitor and Test Networks
10. Track and monitor all access to network resources and cardholder data
11. Regularly test security systems and processes

Maintain an Information Security Policy
12. Maintain a policy that addresses information security for employees and contractors

Source: https://www.pcisecuritystandards.org/pci_security/maintaining_payment_security

Risk

Risk is a significant component of maintaining secure systems and achieving PCI compliance, and education and security awareness are essential to doing so. Educated staff are the first line of defense against data breaches, as encryption, antivirus software, and firewalls can only do so much. Because of this, PCI requires security awareness training for staff that covers common information security best practices, such as how to identify phishing emails and password best practices. It is also important to keep employees abreast of the latest social engineering tactics that hackers are using, such as voice simulation and impersonation. This training can be developed in house or conducted by a third party.

It is also important that all systems throughout an organization are kept up to date, whether they are used by staff or customers. Security software, such as antivirus, should be updated regularly as new signatures are released several times each day. To maintain PCI compliance, all software and underlying operating systems must have routine patches applied on at least a quarterly basis. Critical security updates should be installed within 30 days. It is important for staff in an organization to keep informed on available updates for software and operating systems. This can be done by subscribing to vendor email alerts or monitoring web forums.

From a parking perspective, implementing PARCS or pay station solutions with point-to-point encryption (P2PE) is a great way to reduce risk while making PCI-DSS compliance much simpler. With P2PE, credit card data is immediately encrypted by the card reader upon insertion of a card, and it can’t be decrypted anywhere outside the processor’s environment. Card data never touches the customer or vendor network—only the processors can read the card data.

Regular physical inspection of parking equipment for skimmers is also essential to minimizing risk. Even P2PE card readers can potentially be breached by a skimmer, with unattended kiosk equipment being particularly vulnerable. An operation should ensure that the person conducting the inspection knows what they are looking for, and if they do find something, leadership should do whatever they can to track down the source of the skimmer.

Planning for Emergencies

A vital part of PCI compliance is having an incident response plan in place to deal with a potential security breach. The key elements of an incident response plan include:

■ Defining roles and assigning them to specific people.
■ Laying out teams to manage different aspects of the response plan.
■ Providing contact information for all persons involved.
■ Providing contact information for key vendors, law enforcement, and card brand breach hotlines.
■ A template of steps to follow for certain scenarios that are generic enough to apply to any incident.
■ Training staff and testing the plan on at least an annual basis.

It is crucial to not just have a template in place to work from, but also to include both known and unknown scenarios. The last thing an organization wants to do is be scrambling to figure out what to do in the middle of an incident. The more that is predefined in the response plan, the easier it will be to respond to and remedy the incident.

The technology boom of the 21st century has brought many new challenges to our world. Data security is one that has impacted nearly every industry and organization, including parking. To combat the increased threat of data breaches, parking operations need to prioritize maintaining secure systems, especially with regard to credit card data.

Maintaining PCI compliance should be the first step a parking operation takes, aligning it with the latest global standards on processing transactions and building trust with its customers.

Two major pieces of maintaining PCI DSS are risk and planning for emergencies. It is imperative for a parking organization to educate staff, maintain secure systems, and have a plan ready if an incident does occur. When you have these things in place, you can rest a little easier. ◆

ANDREW BAXTER is security and compliance manager with T2 Systems. He can be reached at andrew.baxter@t2systems.com.
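The patching cadence described under Risk above (routine patches at least quarterly, critical security updates within 30 days of release) is simple to state but easy to lose track of across a fleet of pay stations, PARCS servers and web hosts. The Python script below is an added example, not code from the article or from T2 Systems: it runs that check over a constructed asset inventory and reports every host that has missed a deadline. Reading "quarterly" as 90 days is an assumption, as are the asset names and update identifiers, which are made up for the sample.

```python
"""Added example (not from the article): a patch-cadence check over a
constructed asset inventory, applying the two deadlines the article gives
for PCI compliance: routine patches at least quarterly and critical
security updates within 30 days of release."""
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import List, Optional, Tuple

ROUTINE_PATCH_WINDOW = timedelta(days=90)   # assumption: one quarter read as 90 days
CRITICAL_PATCH_WINDOW = timedelta(days=30)  # critical updates are due within 30 days


@dataclass
class CriticalUpdate:
    update_id: str                 # vendor advisory id; sample values are constructed
    released: date                 # date the vendor published the update
    installed_on: Optional[date] = None   # None means still not installed


@dataclass
class Asset:
    name: str
    last_routine_patch: date       # date of the last routine patch cycle
    critical_updates: List[CriticalUpdate] = field(default_factory=list)


def check_asset(asset: Asset, as_of: date) -> List[Tuple[str, str]]:
    """Return (asset name, finding) pairs for every missed deadline on one asset."""
    findings = []
    # Routine cadence: the last patch cycle must be no older than one quarter.
    if as_of - asset.last_routine_patch > ROUTINE_PATCH_WINDOW:
        findings.append((asset.name,
                         f"routine patching overdue; last patched {asset.last_routine_patch}"))
    # Critical updates: due 30 days after release, whether still open or installed late.
    for upd in asset.critical_updates:
        deadline = upd.released + CRITICAL_PATCH_WINDOW
        if upd.installed_on is None and as_of > deadline:
            findings.append((asset.name,
                             f"critical update {upd.update_id} not installed; was due {deadline}"))
        elif upd.installed_on is not None and upd.installed_on > deadline:
            findings.append((asset.name,
                             f"critical update {upd.update_id} installed late on {upd.installed_on}; was due {deadline}"))
    return findings


def check_inventory(assets: List[Asset], as_of: date) -> List[Tuple[str, str]]:
    """Run check_asset over the whole inventory, preserving inventory order."""
    findings = []
    for asset in assets:
        findings.extend(check_asset(asset, as_of))
    return findings


# Constructed sample data: the report date and four hosts in various states.
AS_OF = date(2023, 6, 15)

SAMPLE_INVENTORY = [
    Asset("pay-station-01", date(2023, 5, 2),
          [CriticalUpdate("CRIT-001", date(2023, 4, 10)),    # due 2023-05-10, still open
           CriticalUpdate("CRIT-002", date(2023, 6, 1))]),   # due 2023-07-01, still inside window
    Asset("parcs-server", date(2023, 2, 1)),                 # 134 days since routine patching
    Asset("permit-web", date(2023, 6, 1),
          [CriticalUpdate("CRIT-003", date(2023, 3, 1),
                          installed_on=date(2023, 3, 20))]), # installed before the 2023-03-31 deadline
    Asset("kiosk-02", date(2023, 6, 1),
          [CriticalUpdate("CRIT-004", date(2023, 1, 5),
                          installed_on=date(2023, 3, 1))]),  # installed after the 2023-02-04 deadline
]

if __name__ == "__main__":
    for name, finding in check_inventory(SAMPLE_INVENTORY, AS_OF):
        print(f"{name}: {finding}")
```

Run as a script, it prints one line per finding: the open critical update on pay-station-01, the stale routine patching on parcs-server, and the late install on kiosk-02; permit-web produces nothing. Feeding it a real inventory means exporting last-patch dates and advisory install dates from whatever patch-management tool the operation uses; the check itself does not change.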