Case Study: PCI Compliance at the Nashville Airport
The Metropolitan Nashville Airport Authority (MNAA) is responsible for the planning, construction, operation, and management of Nashville International and John C. Tune Airports. The entity also assures the promotion, encouragement, and development of commerce and industry through air transportation.
The Authority works hand-in-hand with business and community leaders along with local, state, and federal government agencies to achieve objectives on behalf of the region it serves. MNAA is governed by a 10-member Board of Commissioners appointed by the mayor of Nashville/Davidson County, and confirmed by the Metropolitan Council.
MNAA’s President and CEO is responsible for day-to-day operations and planning for all MNAA facilities. The President reports directly to the board and heads an extensive team of professionals.
A significant portion of income received is through credit card transactions for airport parking services, making PCI Compliance a key requirement for MNAA.
Having identified gap areas in PCI compliance, MNAA asked CompliancePoint to assist them with remediation of those areas. This engagement involved all areas of Governance, Operations, and Technologies. CompliancePoint deployed a team to work with MNAA on developing and documenting their Policies and Procedures to comply with PCI governance standards. Technology reviews were performed on Network segmentation and Access Controls as well as security solutions currently in use.
The team identified and remediated issues with protecting PCI systems and servers. Some of the major areas addressed included the introduction of SIEM logging, vulnerability management and asset inventory solution, Privileged Account Management solution, as well as updating endpoint protection. Systems were eliminated if they were not useful or utilized in the environment, which resulted in better work efficiency and freed up capital to invest in those areas of need. Network segmentation and access controls for the PCI zones were redefined to isolate those VLANs from other enterprise VLANs. The team also redefined domain admin privileged user (IT staff and Vendors) network accounts to standard user accounts and utilized a PAM tool to elevate their privileges when needed.
“CompliancePoint has been a valuable resource in our security journey. They have provided expert guidance and helped us achieve significant improvements in our overall security posture, adding to our success.”
President and CEO of MNAA
“We couldn’t have asked for a better partner to assist us with PCI Compliance. This achievement was a top priority for us, and the path was finally navigated thanks to CompliancePoint.”
MNAA Assistant VP of Information Technology
Results and Benefits
The remediation project was focused primarily on the PCI environment with an eye on enterprise security as well. After a year of remediation, MNAA was able to attain their PCI Report on Compliance. The remediation project introduced processes and technologies that have significantly increased the security maturity of MNAA IT operations which is benefiting the entire enterprise. MNAA has and continues to make investments in these key security areas as well as in personnel and services.
Our Approach to Solving PCI Challenges
Our Qualified Security Assessors (QSA’s) evaluate your organization and provide you with detailed guidance on any areas requiring remediation before you begin your PCI assessment.
Our experts will work with you to implement the necessary policies, business processes and technology to prepare you for a successful PCI certification.
Attestation and Program Management
We will demonstrate your commitment to cardholder data security by working with you to present a well-documented validated assessment to PCI DSS.
Once PCI Certified, our PCI DSS Management Program ensures you’re prepared to maintain your certification for years to come.
Get our guide to Getting Started with the PCI DSS
Our overview and checklist will simplify your job of demonstrating compliance with the PCI DSS
Let us help you identify any information security risks or compliance gaps that may be threatening your business or its valued data assets. Businesses in every industry face scrutiny for how they handle sensitive data including customer and prospect information.