Transport Provider Cyber Security Solution

The Challenge

For a rail franchise, card payments usually come through one of four routes:

• Online ticket sales
• Automated station ticket machines
• Station ticket counters
• On-train ticket and refreshment sales

This particular rail network had outsourced its online sales to a certified provider, but this still left the remaining payment channels, each of which needed to communicate across the organisation’s IT network, including multiple stations.

Unfortunately, investigation by Daisy QSAs showed significant non-compliance with the Payment Card Industry Data Security Standard (PCI DSS) within the payment card systems, along with significant security vulnerabilities. As these systems were supplied as part of long-standing third-party management contracts, making them compliant and secure was going to be difficult and time-consuming, leaving a significant risk of a serious breach.

The UK rail model requires each rail franchise to be run as a separate entity that can be handed over to the next franchise owner. This means that most IT departments are limited in size and security expertise, and don’t have the staffing to meet the 24/7/365 security monitoring requirements of the PCI DSS.

The Solution

This solution involved managing perimeter security devices, including firewalls, an Intrusion Detection System (IDS), and log collection, together with network switch management. Each device was built, and fully documented, to the PCI DSS requirements, and ongoing management processes were aligned to the standard. This allowed the customer to increase their overall compliance level, prevent a serious data breach, and demonstrate compliance progress to their bank.

Each component was then monitored and managed by the Daisy global 24/7/365 Security Operations Centres. These currently operate from the UK and Australia, giving ‘follow the sun’ hands and eyes support.

The Result

• Non-compliant, insecure payment systems isolated and protected

• 24/7/365 SOC monitoring and incident response

• Added peace of mind and credibility as the service is delivered and managed by a PCI Level-1 Certified Service Provider


  • Sector: Transport
  • Services Taken: Managed Payment Card Industry Data Security Standard (PCI DSS), 24/7/365 SOC monitoring, Incident Response