In 2015, the Chicago Department of Aviation (CDA), the entity responsible for the management of Chicago’s Airport System, sought to automate the payment process for Midway International Airport’s Daily Parking Lot. By 2014 the CDA had already automated the payment processes for the parking garages and lots within O’Hare International Airport and was ready to follow suit with Midway. By implementing automatic payment systems for all of the parking garages and lots within Chicago’s Airport System, the CDA would lower overall labor costs, modernize the airports, and ensure ease of travel for its passengers.
Since 2006, the Payment Card Industry Security Standards Council (PCI SSC) has set requirements and security standards for organizations that handle credit card payments from major card schemes. These standards, known as the Payment Card Industry Data Security Standard (PCI DSS), must be met by every organization that accepts, transmits or stores any cardholder data, regardless of size or number of transactions. Furthermore, annual audits are performed on an organization’s payment systems to ensure they are continually adhering to the PCI DSS. In November of 2015, the environment that Midway’s automated payment system was being built on was found to be non-compliant, and the project was put on hold. To help get the system’s environment PCI compliant so the project could continue, the CDA reached out to Catalyst for assistance.
Catalyst’s infrastructure lead performed an assessment on the environment and located all of the areas that were not in line with the PCI DSS. Through the assessment, Catalyst found that the third-party vendor implementing the system had installed the payment application, authentication services, logging services, and antivirus software onto one system. For the environment to be PCI compliant, these applications and services systems must be separate from one another. To fix the issue, Catalyst worked with the vendor to virtualize the environment and implemented multiple virtual machines (VMs) to ensure each function resided on a separate server.
With the VMs in place, Catalyst worked with the City of Chicago Department of Innovation and Technology (DoIT) to perform vulnerability scans on each of the systems and found many security issues preventing PCI compliance. To help the vendor patch the system, Catalyst provided a detailed report on each issue along with recommendations on how to fix them in order to get the system PCI compliant. The Catalyst team worked alongside the vendor to implement the recommendations and in March of 2016 the automated payment system for Midway’s parking garages and lots was PCI compliant. As a result of Catalyst’s success with Midway’s system, the CDA requested the team run an assessment on O’Hare’s environment prior to the 2016 PCI audit. Through the assessment, Catalyst discovered many issues within the environment: the system was missing a centrally-managed anti-virus system as well as a separate logging and file integration system. Furthermore, the virtual private network (VPN) being utilized by the vendor to access the environment was not using multi-factor authentication. All three of these factors were in direct violation of the PCI DSS and caused O’Hare’s environment to be non-compliant.
To ensure the CDA passed the audit in December, the team implemented new servers for the two systems. A combination of radius server and duo security was set up to ensure multi-factor VPN authentication to the CDA’s PCI environment. Once the environment was ready, the Catalyst team drafted documentation and procedures to ensure the vendor was able to maintain compliance. As a result of Catalyst’s efforts, to date O’Hare’s PCI environment is fully compliant and passed the PCI audit. The team continues to work with the CDA and its vendors to ensure both environments maintain their PCI compliance.
Impact & Results
In 2016, O’Hare’s parking garages and lots combined completed 3.7 million transactions for an average of 308,000 per month.
On average, Chicago’s Airport System experiences approximately 10 million passengers per month.