Compliance Can Be a Bumpy Ride

PCI DSS audit takes Denver airport on a challenging, but necessary, journey.

Denver International Airport is among the busiest airports in the world and boasts one of the longest runways in the United States. The airport also conducts a lot of business using credit cards. DIA recently completed its Level 1 (more than 6 million transactions per year) PCI DSS (Payment Card Industry Data Security Standard) audit, a journey which had its fair share of turbulence.

However, as DIA CIO Robert Kastelitz recounted to eWEEK Labs, noncompliance was not an option. "You really don't have a choice but to do it," Kastelitz said. "The bottom line is if you don't do it, then the hammer [the PCI member companies] hold over your head is that they won't let you take credit cards anymore."

In January 2006, when DIA's effort to become PCI-compliant began in earnest, the airport's IT organization found that many of the elements required for compliance had been satisfied by a recently completed project to implement network best practices throughout the airport.

As Kastelitz explained, "When we started looking at PCI, many parts were already in place. We perfected some of it and initiated some of it." For instance, Kastelitz's team was already conducting network audits, which included penetration tests and vulnerability assessments, to ensure their network was secure.

"As far as maintaining an information security policy," Kastelitz continued, citing a separate PCI requirement, "we just had to perfect that. We had already built and secured a robust network. We just went back and reiterated that we were where we needed to be." However, DIA's compliance program didn't come without pain. For Level 1 organizations, PCI mandates that network audit information be made available on a quarterly basis for perusal by an outside audit company.

"It is costly; it does suck up resources," Kastelitz said. "You have to pay the auditor to come, and most people don't pass the first time through so you have to pay the auditor to come back."

"As a Level 1 merchant, it's not just about the cost, but it's enabling the business," he said. "We run internal audits, and we commission a Visa-certified auditor to come in on a quarterly basis, and we produce our annual compliance audit."

Auditing aside, the most difficult part of the PCI DSS process for the airport was ensuring that policies and procedures were kept current, which was a big chore for DIA IT staff, Kastelitz said. Another hurdle that DIA faced was a slew of applications that weren't ready for PCI. "The biggest challenge we had were the number of applications that weren't prepared for PCI requirements. We rewrote a lot of application code," said Kastelitz.

Moving forward, Kastelitz said PCI compliance will be a check-off requirement for applications under evaluation by the airport.

For instance, applications under consideration at DIA must comply with the storage policies that Kastelitz and his team developed for satisfying PCI guidelines. In light of PCI requirement 3, which governs the protection of stored cardholder data, the airport decided to retain no information at all. Kastelitz worked with other airport stakeholders to resolve business operations issues around not having the cardholder information on hand.

Kastelitz said he has taken the PCI DSS compliance experience and used it to further his effort to implement best practices throughout the network.

