Enterprise Applications - eWeek


Is the Smart Grid a Dumb Idea?
Surgical Adhesive Offers Smarter Way to Mend Bones
Get Smarter Technology on Your Mobile!
  Enterprise Applications


Compliance Can Be a Bumpy Ride



 By: Cameron Sturdevant
2007-10-19
Article Rating:starstarstarstarstar / 0


There are 0 user comments on this Enterprise Applications story.


Rate This Article:
Poor Best
PCI DSS audit takes Denver airport on a challenging—but necessary—journey.

Denver International Airport is among the busiest airports in the world and boasts one of the longest runways in the United States. The airport also conducts a lot of business using credit cards. DIA recently completed its Level 1 (more than 6 million transactions per year) PCI DSS (Payment Card Industry Data Security Standard) audit, a journey which had its fair share of turbulence.

However, as DIA CIO Robert Kastelitz recounted to eWEEK Labs, noncompliance was not an option. "You really dont have a choice but to do it," Kastelitz said. "The bottom line is if you dont do it, then the hammer [the PCI member companies] hold over your head is that they wont let you take credit cards anymore."

In January 2006, when DIAs effort to become PCI- compliant began in earnest, the airports IT organization found that many of the elements required for compliance had been satisfied by a recently completed project to implement network best practices throughout the airport.

Resource Library:
As Kastelitz explained, "When we started looking at PCI, many parts were already in place. We perfected some of it and initiated some of it." For instance, Kastelitzs team was already conducting network audits, which included penetration tests and vulnerability assessments, to ensure their network was secure.

"As far as maintaining an information security policy," Kastelitz continued, citing a separate PCI requirement, "we just had to perfect that. We had already built and secured a robust network. We just went back and reiterated that we were where we needed to be." However, DIAs compliance program didnt come without pain. For Level 1 organizations, PCI mandates that network audit information be made available on a quarterly basis for perusal by an outside audit company.

"It is costly; it does suck up resources," Kastelitz said. "You have to pay the auditor to come, and most people dont pass the first time through so you have to pay the auditor to come back."

"As a Level 1 merchant, its not just about the cost, but its enabling the business," he said. "We run internal audits, and we commission a Visa-certified auditor to come in on a quarterly basis, and we produce our annual compliance audit."

Auditing aside, the most difficult part of the PCI DSS process for the airport was ensuring that policies and procedures were kept current, which was a big chore for DIA IT staff, Kastelitz said. Another hurdle that DIA faced was a slew of applications that werent ready for PCI. "The biggest challenge we had were the number of applications that werent prepared for PCI requirements. We rewrote a lot of application code," said Kastelitz.

Moving forward, Kastelitz said PCI compliance will be a check-off requirement for applications under evaluation by the airport.

For instance, applications under consideration at DIA must comply with the storage policies that Kastelitz and his team developed for satisfying PCI guidelines. In light of PCI requirement 3, which governs the protection of stored cardholder data, the airport decided to retain no information at all. Kastelitz worked with other airport stakeholders to resolve business operations issues around not having the cardholder information on hand.

Kastelitz said he has taken the PCI DSS compliance experience and used it to further his effort to implement best practices throughout the network.

Check out eWEEK.coms for the latest news, commentary and analysis on regulatory compliance.



  Reader Comments: Compliance Can Be a Bumpy Ride
>>> Be the FIRST to comment on this article!
 

 
 
>>> More Enterprise Applications Articles          >>> More By Cameron Sturdevant
 


x}ks㶲*Q3")Y#MɖleXq&UZ$CR~${rkĹ-@n4w|Aȅ=&ǘYNcSݣw&w$wvC 4I-*rdxj9%GtjY)j~,slr:;;#|6%}w *s#AA%j'AP`NڮlN1ecs[gp,FmgMd{=B ~5;(CJ}8KE!eG$oQX}؁䛿Q=2tS6BT!|HT#ir!GQus};/ !fGikidh9-r4=yͰ { /\1r.bLѼ[ *YsDƑIj@sd"L3ýtXF?Dc9LN\#ZiSӂhY{lɧ9\gԏPL0H<~0{ Q 78QK ̋+0Ϟ~b>tI ΋2 ˆ- :۱l<$!C焍ERwC'&>dPt-2訖ñʲf g+nmަ[GT:(TX/(GG>oچs[={0q)sܼL?ͧ_zJY-ӻl_HQPwٷ@ ږkZX8Oi\v..> A6 kɿ0QT&*rx4M2I >a,{/BrMwJQqᖃbA) KHOr ])2, [lni][W^[')_̲1<JP~(#3K`W:K֟㝩S9m<_sܴ/ݛ9^fKCVw.!}O}fr2GrI/o,bcQ -F`X@7? iP2|r* ?a^S;G7ۯ-zppf=Mf #dLil.̻Zh-Alo*Kh,r5&@S{~$] uŦ])!exIK _VPJB؇BR~nW(U$ٛ"G;z̈\RRG1Al8{Ø&Q9/-j\gpʢ9QY + \M޼G+<O[V.~zY 8^%g 5F ie4?$!VG5MB|ǵMJPsz U95lb(7Z`Lm,5,Ltͬ Y0`贆;mJ{ϧ0gPP? ƠM/6G˥~n>1 @ Ln4` p|gk͇v93 a {>0sJ}+j$ -Dp 0I0dg&S yGLνbrgoMa~(wnPj>X^0vjq.Hpy8@[qk3B7}`NZkwiiC1).%>2Rs C #RRT$C{$hI#r Bг1l`@o!`G`[X/HX-'RP*mzB#;Tz(=*-nqR%a 534YIjL=?꺾l3!U"'bXr`Y \h+e)>{BOMn|$o<3_O#k[} J%zS.z: %r%M5b$T`CfL 6yֹyBNV{rKkFM'WR{WP*SNT$3Q2hӧL)Eۋ)I :S-8G/4- {'ٲRb-YV^KՕËpz9(ik)T?Z!d[l00^Ԣ.(-P|U$"!tsqɴC /0<MȆТ iM*c9m _jA.r_ cd25]ĪRċXee[ l Joh tolĶCex5fz' As,Cz[{fl1n: 8yy %2$N?&B\i @9Z'EAg}1Jx=e8, XbO`]F\Czf ;ikqcؕ.RB|zjN X>0|T'@pdZ`0R7U?4wҵj )ՃU L_φRT՘Iڏ;&_Gƍ [d9-0cY}6eDm&k# Q^-D:= G.6UT85[.O#BE-DdqxS??4XVƎ< ?]v3zm6FA? %hTjcfNf M`.8sE% Ww`Sބw& 0}yDpFF ‘"=jA46\Tbr>+ WT07pn) RUԒ!Z0D^~v V KbIڶhmzTyBQ_ssa*/W3g Z IR-zrʪZJ8+l+;f~~ć8 iߥ: 9pF#~y850N܏7TFa Y< ~};݂/r=2:?f ; ;0E<&&{H(:3t%]U>V:vʼnG ֽ x U ?;[3^>F'E{h0 qDLUiI[$ho yDuUIA G6q~e@LsZ0b ^+(T?5UT*~ejoB64F@2( Cs]xd,b3]|ľP}XD"l^!yUq@WIz3MdhH5;ӟNNͯ6>37c&-nfuwm_ɣorfF/WR=>` $Ti+h½ "/^h>W9.^ٸ y;@<uP(%Pm0hRYpg=HY9޼^*9ez6eVA~TevQ* 5MУRv3Wnl*r6>L=;L4F;&.E;["qDdkŎr {Q!<4`t(hN[6`]YQ.mhn1] g>qDv=j n` kAb_|RJJ\ $*&Aekrฦԭ7N7/UU={E~w9فo9 |\V*Ń GrF2RDBZAbMxœbI4 mKA`?q%%{ yr1#QUaNT+ˬhqN v>¨ UeQbdE1 _* |!DNnI1$K~b=^F}ϱpsfnow/ +9oYAZrvй6`1"/IueSjwg-~.9z˾ȂLAIP 4t?"ikCN9}Ul_I׼ 6|v:Q 72ٞD4lrӸ>k_/qt/h_cxhd.'AGԸh]Dd0srj\6bWL` xѤ""ԃsxH/ [^ @ tk,<B3ZMbl VDq8a/e~Yx_aߪ,d<0.WtzZE9pǀzB,2l._ci%l9(1 `(ԩ cA?OFrA&zRGdgI9QA Rt4zUrڿpע~}CSB'T +'I^VR6T$-0 P+闌frZ!.9[Urs@Ĵ&{>g%}c#y~ςVpl:RC}ҸB}$XyC8Ţb'_HjpUKユU^Ǣ?<''xszT*{Mݝf0iz37N⍌#syBO+ GWw ./v6gNȣ.k{>ɘ A/U#lm D/X4>sq|oCT'wOtdkwX /yTw^^SG25[dؕvGvOsysP!OKJ$٘NBEWBЭwwCȪ̅S.{ۉ7R^q+<ctL_:`@L6COz= f#{zi-9_3{Kw x?*~C]& {~ ]ݣPIݣwww}=Ғ(r۝ZDNjjiNr\"~^Z䑽XHڽ]BuU}s5Oy'K-;~lr? G OFxVw98Grs&8QId=h}vƔE i#ĠHߙrEs 56DN Xw+Oiƿ'!IFܱSo-*oO_Oo*N{cE|3̔ ugZ?n1|cM-%p$ qI7̼V&&( ZГqk+Bڽ"ѡc zN $C"H|.܏,=>܊R0a#3Htc1&^TkE$vL]3=DEj3  ;ie1kA]aĉZv`fHN۝WB Ṃyk+U]Fݣ/F-7Ue".C\'l<eA 2q9 Cq$|I$a&!9CU-EʦU})"a ڵ\ڡ>]cH`Bc6FD-D C(ha7a=̳HR^'4+ْvÈV8DyE,.G^}M z`Jlq=f?l ws!_U]l{cZ|- i%|Qx U>Fk:9cD9Nوg" HDC?B張h!_K5IIjӶmccB C]?0-A$CR"" vuՓ4_OL6g8p8{π%×y2']kZR|{< nӭ^CC`?!7mQ/?_.L{L)H7$2ΧRZu?gx~〇sM`Hr^gJj`M5K  D]LΟ v)D1Z,B"=8'6ܐ/hـ ?I_?%-S؉oW6B6sTpj+d߯^d:w,=}=rCuض)lx6uɵi?4ٔn5/$,&gy)u^[56lED7o:k*|t ?R.R &lQ\{= l/tY&CP+Mf'VS{Ͳ1t2eG1+\=0o1^PB/Cr%ԟ"zgf^a'5,`ΥՂ*fxk~kCX$ B7BIwP_..>z2K <r@s}ÊyT9.^h,`뵟Hޟ^]"Ӧ쳂,6-^Tf~:o_<1oT+죵먫MaJ@73[⼱87- }ՙzҙ#Μިa-kV7m1LLrJVnᩡcC_ eϭ˓AS6@;Lt,? †6-po /cP#ķzf7t4n=L2yڦן@(=C-rd;LN%5~?6mPȽ?^t[ذ:pX~0E jq{Os]@Vu!5bԹ )*g| F!}!g;ϖ- @ɼ=Ԭ$56fX %I"q0MkzBQqD3˅o O&:XhJq5]D/ޮcX&9N:Mu{*ȸ  e=-[_UiX|2О$J#cS &p6P]}zUcxjbNCq O5s؋~l9u<2=!NdãEvW) xː}-6Ӫ=i ZiD4 IÜR4I}l~Rx@ˬ@amIYx K=MJ).b y :&Mo#oY?&.#u(,@N;`N] 4;8~'̮~ j~h!_<9ϤNɸQ?& <7`nhULݰ=Ob#ʊךQN|:d:ZGEsnbb(Zl@,9$#|Ȳh ; Ku^^я T-~'JOYDi.n`7$'0-glj+I#샒=%hYwĸWOw{$CM{64#uT]R0_/XaY6[P&gBA8AXJo,"EhvyapD]bɠqt(h#8l&vf-& 95͢E/Cts%5PQ咋|?79¨ӊ,w)]dDo-?1j֘1h)B UٚAK5 @JVHt3nMQuhgüZanDZZ]u7iSx69AaPC @WDu#i BęNgvAtl&v*1&J)tg|{HI5& ǖ^t~usι w1*v0̊ےVm4J۹a6E |2>slST\.#F_XE>^F0+Ę7Z;.T\SG%[..ڰ+71儔6JzM[E L(ZcL! SO L%& H!gYiv'Tz' K24/x۹BBU}xYא5 ]@n8ܒ:i$G LQ:coKI`*8NXpA>po<|WTʕ=Pz9jNzـjcE~E:td~NP_ԓ= K8. hŘіIE@YCYhEf."T(`P0\M Ѿ Eo]*!;RP_{st>}GT#a]<3xϾS}b}Ə 'l I<RX+/ @Mm=Y~}`H{φ\o|I7"7|$rI8!i oZeO9P}He t03)F2*mGM=/׽nrj5-i`KkH 5" sFmRTaFctkn ~'F;mGCnC㥶N#{K}%9zH"Vqyy 4?X_$RS3})q(U 7TYPk,(Ϗpk2%pH0dfa.) &X`k,rZ`j߀dz?,GGA~oe~rkt:ޱ 25{g;. 9 :UeOLg>wC` f> crW7Υi~u$P!%h$bc<=9A1X- 7z~JbV} =<RXX_1[> MꪂOJѵ$9bU-CVo=7)^ۇ\g U^gn VH:+^@0 92b24ܽA#_Чv#Do`9ꍫ{M"ǽUݽ䷚1 k‰/WQq{}ٺn_sSӃSf.R0mw 5ebvʌTNcͅfU,xE^r/J>]rNMo )nu:e+WMj*^m\;^dO@/P~(By79 4h2Odu)4>g0}ϫ۹y{uy0v?Ӿ(3e/E|XꝌ ;ɠoɠOddg(_~/P~Q(GFy;0{ s!?0ׅw3?]/ rqW*5u^=埁>g(U} Kn&&oon2/IR: 9k\qFy)W?REV SV9l.O3v=yIS_xLc^ Ok}ʦy_mGoޝGfj2"T_:dm2O ʕcgev'A:*%/u|Q7[ ňC?oPxxW_>0JӃ{>؃ Һl\ g-ОMkE>A7n"gB837@je2 ErR~c8kjx7Ctzs֦@$;?薉#5sgC_(+J9wwrDiӃ="BQ]FԂ*R%}a` e場_,.g /(@'ػ_o*F0fz!OJ1=tc­dOo1;BH"׏ ѱ[F͠w*6T|5f.)^uj^"U3*Ece S7J̅ww;SЫِD@.^3L6m|7mi&`ɮ41lKfu¿6y8H&n3KфY Døxl466;"B~ S5#S7dIdp!gB[tacxJ,6+nk`Q{rÄ#6O Er؄\M.ɱwؼcc6H_,\mgtnCk:.vܙ%O_ಓ 0{IBnbZ(>/~~$'ٝ]FޣfsHL#bWl,&1{;Kh6Կsg:-C{)B9 H|Y\+֊,!#1Y ]кZsJdAMKوcӄ2{\`9ao5RFX`nLZԝ86Zd_9L7>q[?:cPhQ"qm(!30Qps4J(KN{A}N垓$Wg_6 b M\w]f@g^l(VxHDZ<ĺfKlÏlXۯ6i>Zdt[BI<ŷB^y|TLlsD?>7[S1U)֜6/gзd&%_7j(&\`ъU%/AG*9K7"iw ߠ(5+yJ? 6T|- 5nX">0l?'6}N5+H' "@cy 'L} 烙xs A]=_vs[pE֦"QTDoR ΋?53=_-rxgs]@EqDgPy566s֨Na]|˼KAўXm0w6L/#]ۚ':K$~Al=fu,~ e1.-Sܟ=C2e[ K e$i)qSGg-{⋈5,Wck--<P0_A~:?c9Vqٶ7GL}մ-` j+7DmEtA<ێwyW\TVc׶2X!&I;s[__@>G|n}#:1F`]cc/ƫRdGB^#Mnl-^^ktaÿ( aaɗvX 'Ɣ ϰ"- N9LgѼ8#K1E~zpP0U9w,ݛʽA3FElR$¨B=3Ay4O>iA@`U3zfwzЮ3q-M'Sga+ecPMYVc.G\L*@=&#`#xb<nRh1)Lb'kI' R la, :r3 k{EV Z.t1R/yq{Ϣaʩȩ(vU_|IѬd;j +3GO{ |I&0X+.9 ^EkN~g!˾t/Jzfk{`gɳEK+O(QF>;.)>^tcohi-/=n|:~lJaE e鑢%!t4!ջj4˳dEg0lm\}l6n_M4jj\$I#[ob[1b$- ].Ɂ_-nt o]F'a1TU\J\WK$Ĥ{eh5