MARTA’s Road to PCI Compliance

Presenter: Yolanda Curtis, PMP, AFC Project Manager

Speaker notes (Introduction): Thank Regan. Introduce self. Introduce MARTA: formed in 1971 as a bus system. MARTA operates a network of bus routes linked to a rapid transit system consisting of 48 miles of rail track with 38 train stations.
MARTA’s PCI Requirement

- As an acceptor of payment cards, MARTA is required to certify its Automated Fare Collection Payment Application to the PCI DSS requirements.
- MARTA is classified as a Level 2 merchant, processing more than 1 million credit transactions annually.
- PCI DSS certification requires a certified Fare Collection System, including Payment Application software developed by the Fare Collection vendor. This software operates in the TVM, the Ride Store TOM, and the Fare Collection Central System.

Speaker notes (MARTA’s PCI Requirement): More than 95% of MARTA patrons use major credit/debit cards to purchase Breeze products. Based on the annual credit/debit card transactions processed by Breeze, MARTA is classified as a Level 2 merchant; Level 2 merchants process more than 1 million transactions annually. Our merchant bank mandated that we certify our Breeze system for PCI DSS v2.0 compliance. The certification required an upgraded Payment Application and upgraded TVM, TOM and Central System software.
AFC Overview

The MARTA Automated Fare Collection system, also known as Breeze, entered revenue service in 2005. The system supports regional operators including Cobb County, Gwinnett County, and Georgia Regional Transit Authority, and Atlanta Regional Commission databases. There are over 1 million active Breeze cards system-wide.

Component                                                      Qty
Automated Fare Gates                                           470
Automated Fare Boxes on big buses                              626
Light Validators on paratransit buses                          175
Ticket Vending Machines                                        349
Ticket Office Machines                                          16
Automated parking gates                                         50
High Performance Encoding Machines                               6
Money Room Facilities and Equipment                              1
Central Computing System (1 Online, 1 Stand-by, 1 DR, 1 QA)     20

Speaker notes (AFC Overview): AFC system is called Breeze, installed in 2005. System supports 3 regional operators. Over 1 million active Breeze cards in the system. Read component numbers.
AFC PCI Project Scope

- Central System Improvements
  - Improved credit card security management
  - More patron search capabilities
- Database Security
  - Data-at-rest encryption (higher security)
  - Separated storage of credit card information
- Ticket Vending Machine and Ticket Office Machine
  - Higher-security PIN pad for debit transactions
  - New internal computer
  - New operating system (Windows 7)
- Remote Monitoring of all AFC Components
  - Anti-virus management
  - File Integrity Monitoring
- Network Security
  - Access controls

Speaker notes (AFC PCI Project Scope): The PCI project scope was to implement hardware, software modifications and security policies to ensure our Breeze system is compliant with PCI DSS version 2.0. Our implementation upgraded the Central System (read sub-bullets), enhanced the database security (read sub-bullets), upgraded the TVM and TOM hardware, added remote monitoring capabilities and increased network security.
AFC PCI Project Team

- MARTA AFC Team: project oversight, remediation tasks, application support, network and server support, enterprise security
- Qualified Security Assessor (QSA): assessment, gap analysis, compliance roadmap, Report of Compliance
- Merchant Bank: manages PCI mandates on behalf of VISA, MasterCard, American Express and Discover
- Fare Collection Vendor: software development, hardware upgrades, PCI DSS certification of payment application software

Speaker notes (PCI Project Team): The team comprised the MARTA AFC Team, the QSA, the Merchant Bank and our Fare Collection vendor. Each entity played an important role in the success of the project. The QSA performed an assessment to identify areas of non-compliance and provided a gap analysis, which we used as the roadmap (or strategy) for remediation; after remediation was complete, they provided the Report of Compliance to the Merchant Bank. The AFC Team was responsible for completing the tasks in the remediation roadmap. The Merchant Bank was responsible for managing our Level 2 compliance expectations and communicating our project progress to the card organizations. The Fare Collection Vendor was responsible for the software development of the Payment Application and for upgrades to the TVMs and TOMs.
AFC PCI Project Timeline

2008
- MARTA is deemed a Level 2 Merchant
- Completed the PCI Data Security Standard Self-Assessment Questionnaire (SAQ) and quarterly scan results
2009
- MARTA began the partnership with BOA and the Fare Collection vendor to complete PCI requirements
2010
- Gap analysis completed by QSA
- Attestation of Compliance sent to Merchant Bank
- QSA provided Remediation Roadmap
2011
- MARTA issues Notice to Proceed to Fare Collection vendor to begin software development
- AFC system PCI migration begins
2012
- AFC system PCI migration completed
- Attestation of Compliance completed
- PCI compliance obtained from Merchant Bank

Speaker notes (PCI Project Timeline): 2008: MARTA received notification from its Merchant Bank stating that our merchant status had been updated to Level 2. 2009: MARTA initiated the PCI remediation project steps. We involved the Merchant Bank and the Fare Collection vendor to discuss options for upgrading the existing system. 2010: MARTA engaged a QSA to assist in performing an assessment of the environment and providing a remediation plan for PCI compliance. We worked with the project team entities to ensure all areas of responsibility could be addressed in the upgrade. 2011: MARTA officially began the upgrade efforts for the existing Breeze system. 2012: MARTA completed the PCI upgrade project and received the Certificate of Compliance from the Merchant Bank.
PCI Project Migration – Phase 1: AFC Network Access Control

- Build secure data network
- Segment AFC traffic from the Enterprise Network traffic
- Develop Information Security Team
- Develop Information Security Policies

Speaker notes (PCI Migration – Phase 1): Started in 2011. Focus was on network access control. The goal was to provide a secure network for all AFC credit/debit transaction traffic and to eliminate unnecessary access to the network. Some activities: firewall rule clean-up, access lists on switches, VLAN configuration.
Phase 1: Network Access Control

[Diagram; labels: TOM, Load Balancer, Non PCI Compliant System, Web Devices, BVM, Settlement, Merchant Bank, Old Database, AFC Network, Enterprise Network, Internet, VLAN, Restricted Rule Base, VLAN.]

Speaker notes (PCI Migration – Phase 1): Discuss diagram.
PCI Project Migration – Phase 2: Central System Upgrade

- Upgrade servers (Production, Stand-by, DR, and QA)
- Migrate Central System software
- Migrate database
- Migrate web ticketing

Speaker notes (PCI Migration – Phase 2): Focus was on the Central System upgrade. Goal was to .. Some activities: ..
Phase 2: Central System Upgrade

[Diagram; labels: TOM (x3), BVM (x3), Web Devices, Load Balancer, Merchant Bank (x2), Non PCI Compliant System, PCI Compliant System, Old Database, Upgraded Database, Settlement (x2), Server Farm (Production, Stand-By, DR, QA).]
PCI Project Migration – Phase 3: Payment Processing Device Upgrade

- Replace TOM hardware and software, including 3DES PIN pad
- Replace TVM hardware and software, including 3DES PIN pad
- Deploy anti-virus software and File Integrity Monitoring process to all components
- Migrate TOM and TVM

Speaker notes (PCI Migration – Phase 3): Focus was on the device upgrade. Goal was to .. Some activities: ..
Phase 3: Device Upgrade

[Diagram; labels: Load Balancer, Non PCI Compliant, PCI Compliant, TOM, Load Balancer, Non PCI Compliant System, Web Devices, BVM, Settlement, Merchant Bank, Old Database, PCI Compliant System, Upgraded Database, Settlement.]
Phase 3: Device Upgrade Complete

[Diagram; labels: TOM, Load Balancer, Non PCI Compliant System (Not Active), Web Devices, BVM, Settlement, Old Database, Merchant Bank, PCI Compliant System, Upgraded Database, Settlement.]
PCI Project Migration – Compliant

- Final Report of Compliance to Merchant Bank
  - Review of Remediation Roadmap tasks
  - QSA assessment of gaps
  - QSA vulnerability scan
  - Report of Compliance
  - Attestation of Compliance
- PCI DSS v2.0 Certificate of Compliance from Merchant Bank

Speaker notes (PCI Migration – Complete): Focus was on the QSA assessment. Goal was to .. Some activities: ..
Thank You