The Challenge
For a rail franchise, card payments usually come through one of four routes:
• Online ticket sales
• Automated station ticket machines
• Station ticket counters
• On-train ticket and refreshment sales
This particular rail network had outsourced its online sales to a certified provider, but that still left the remaining payment channels, each of which needed to communicate across the organisation’s IT network, including multiple stations.
Unfortunately, investigation by Daisy* QSAs showed significant non-compliance with the Payment Card Industry Data Security Standard (PCI DSS) within the payment card systems, together with significant security vulnerabilities. As these systems were supplied under long-standing third-party management contracts, making them compliant and secure was going to be difficult and time consuming, leaving a significant risk of a serious breach.
The UK rail model requires each rail franchise to be run as a separate entity that can be handed over to the next franchise owner. This means that most IT departments are limited in size and security expertise, and do not have the staffing to meet the 24/7/365 security monitoring requirements of the PCI DSS.
The Solution
The solution involved managing perimeter security devices, including firewalls, an Intrusion Detection System (IDS) and log collection, together with network switch management. Each device was built, and fully documented, to the PCI DSS requirements, and the ongoing management processes were aligned to the standard. This allowed the customer to raise their overall compliance level, prevent a serious data breach, and demonstrate compliance progress to their bank.
Each component was then monitored and managed by Daisy’s global 24/7/365 Security Operations Centres. These currently operate from the UK and Australia, giving ‘follow the sun’ hands-and-eyes support.
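To make the isolation step concrete, here is an added illustration in Python; it is not Daisy’s or the franchise’s configuration. It models a default-deny segmentation policy around the card-handling systems (ticket machines, counters and on-train terminals) and emits a log line per flow for the collector, which is the combination of firewall restriction and logging that a PCI DSS-aligned build relies on. The address plan, zone names, ports and sample flows are all constructed assumptions.

```python
"""Toy segmentation-policy checker for a cardholder data environment (CDE).

Added illustration only: the zones, addresses, ports and sample traffic are
constructed assumptions, not a real network or the case study's configuration.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple

# Hypothetical address plan: card-handling systems sit in their own segment so
# the rest of the estate never reaches them except through explicit rules.
ZONES = {
    "cde":       ip_network("10.10.0.0/16"),     # ticket machines, counters, on-train POS
    "gateway":   ip_network("198.51.100.0/24"),  # acquirer / payment gateway (TEST-NET-2)
    "logging":   ip_network("10.20.0.0/24"),     # log collector feeding the SOC
    "mgmt":      ip_network("10.30.0.0/24"),     # jump host used for patching and support
    "corporate": ip_network("10.40.0.0/16"),     # general office network
}

@dataclass(frozen=True)
class Rule:
    src: str    # zone name
    dst: str    # zone name
    proto: str
    dport: int
    note: str

# Allow-list evaluated in order. Anything unmatched is denied and logged.
RULES = [
    Rule("cde",  "gateway", "tcp", 443,  "card authorisations over TLS"),
    Rule("cde",  "logging", "tcp", 6514, "syslog over TLS to the collector"),
    Rule("mgmt", "cde",     "tcp", 22,   "administration from the jump host only"),
]

@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: str
    dport: int

def zone_of(addr: str) -> Optional[str]:
    """Map an address to its zone; None means outside the estate (internet)."""
    ip = ip_address(addr)
    for name, net in ZONES.items():
        if ip in net:
            return name
    return None

def evaluate(flow: Flow) -> Tuple[str, str]:
    """Return ("allow", rule note) for a matched rule, otherwise ("deny", reason)."""
    src_zone, dst_zone = zone_of(flow.src), zone_of(flow.dst)
    for r in RULES:
        if (r.src, r.dst, r.proto, r.dport) == (src_zone, dst_zone, flow.proto, flow.dport):
            return ("allow", r.note)
    return ("deny", f"no rule for {src_zone or 'external'}->{dst_zone or 'external'}/{flow.proto}/{flow.dport}")

def audit(flows: List[Flow]) -> List[str]:
    """One key=value log line per flow, in a shape a collector or SOC can parse."""
    lines = []
    for f in flows:
        verdict, why = evaluate(f)
        lines.append(f'action={verdict} src={f.src} dst={f.dst} proto={f.proto} dport={f.dport} reason="{why}"')
    return lines

# Constructed sample traffic, including the kinds of flows segmentation exists to stop.
SAMPLE_FLOWS = [
    Flow("10.10.5.20",  "198.51.100.10", "tcp", 443),   # ticket machine authorising a card
    Flow("10.10.5.20",  "10.20.0.5",     "tcp", 6514),  # same machine shipping its logs
    Flow("10.40.7.9",   "10.10.5.20",    "tcp", 445),   # office PC attempting SMB into a ticket machine
    Flow("10.10.5.20",  "10.40.7.9",     "tcp", 80),    # ticket machine reaching back into the office LAN
    Flow("203.0.113.4", "10.10.5.20",    "tcp", 22),    # SSH from the internet (TEST-NET-3)
    Flow("10.30.0.2",   "10.10.5.20",    "tcp", 22),    # jump host administering the machine
]

def denied_count(flows: List[Flow] = SAMPLE_FLOWS) -> int:
    """Number of flows the policy rejects; each of these is a line the SOC should see."""
    return sum(1 for f in flows if evaluate(f)[0] == "deny")

if __name__ == "__main__":
    for line in audit(SAMPLE_FLOWS):
        print(line)
```

Running the file prints six log lines; the three denied ones (office-to-CDE, CDE-to-office and internet-to-CDE) are exactly the traffic an IDS and the SOC would want surfaced, while the allowed flows are restricted to the payment gateway, the log collector and a single management path.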
The Result
• Non-compliant, insecure payment systems isolated and protected
• 24/7/365 SOC monitoring and incident response
• Added peace of mind and credibility as the service is delivered and managed by a PCI Level-1 Certified Service Provider