Purpose
To determine whether the Central New York Regional Transportation Authority (Authority) complies with Payment Card Industry (PCI) security standards. Our audit scope covers the period January 1, 2015 through June 24, 2016.
Background
The Authority provides transportation services in Onondaga, Oswego, Cayuga, and Oneida counties. The Authority accepts credit cards as a method of payment for bus fares and parking. All organizations that accept credit cards as a method of payment, such as the Authority, must comply with the Data Security Standards (DSS) established by the PCI Security Standards Council (Council). The PCI DSS is a set of technical and operational requirements designed to protect cardholder data. Entities that do not comply with PCI DSS may be subject to fines and penalties, and lose the public’s confidence and the ability to accept credit card payments. In calendar 2015, the Authority reported 40,822 credit card transactions totaling more than $900,000 in revenue.
Key Findings
- We reviewed select operational and technical security controls over the protection of cardholder data at the Authority. Based on our review, we identified several matters that management should address to improve the Authority’s information security program for cardholder data and to help ensure it meets PCI requirements.
- The Authority has not yet developed and disseminated an Information Security Policy that clearly defines information security responsibilities for all personnel. Also, it has not inventoried all devices that process cardholder data, implemented a formal risk assessment process to identify threats to cardholder data, ensured all devices that process cardholder data are physically secured, or implemented appropriately strong network user account and password controls.
- The Authority could also improve certain other technical safeguards over the cardholder data it processes.
Key Recommendations
- Develop strategies to enhance compliance with PCI DSS.
- Implement the recommendations detailed during the audit for strengthening technical controls over cardholder data.
Other Related Audits/Reports of Interest
Office of Information Technology Services: Security and Effectiveness of Department of Motor Vehicles’ Licensing and Registration Systems (2013-S-58)
State University of New York: Compliance With Payment Card Industry Standards (2015-S-65)
John Buyce
State Government Accountability Contact Information:
Audit Director: John Buyce
Phone: (518) 474-3271; Email: [email protected]
Address: Office of the State Comptroller; Division of State Government Accountability; 110 State Street, 11th Floor; Albany, NY 12236