Case Study: PCI Compliance at the Nashville Airport

About MNAA

The Metropolitan Nashville Airport Authority (MNAA) is responsible for the planning, construction, operation, and management of Nashville International and John C. Tune Airports. The entity also assures the promotion, encouragement, and development of commerce and industry through air transportation.

The Authority works hand-in-hand with business and community leaders along with local, state, and federal government agencies to achieve objectives on behalf of the region it serves. MNAA is governed by a 10-member Board of Commissioners appointed by the mayor of Nashville/Davidson County, and confirmed by the Metropolitan Council.

MNAA’s President and CEO is responsible for day-to-day operations and planning for all MNAA facilities. The President reports directly to the board and heads an extensive team of professionals.

The Challenge

A significant portion of income received is through credit card transactions for airport parking services, making PCI Compliance a key requirement for MNAA.

The Approach

Having identified gap areas in PCI compliance, MNAA asked CompliancePoint to assist them with remediation of those areas. This engagement involved all areas of Governance, Operations, and Technologies. CompliancePoint deployed a team to work with MNAA on developing and documenting their Policies and Procedures to comply with PCI governance standards. Technology reviews were performed on Network segmentation and Access Controls as well as security solutions currently in use.

The team identified and remediated issues with protecting PCI systems and servers. Some of the major areas addressed included the introduction of SIEM logging, vulnerability management and asset inventory solution, Privileged Account Management solution, as well as updating endpoint protection. Systems were eliminated if they were not useful or utilized in the environment, which resulted in better work efficiency and freed up capital to invest in those areas of need. Network segmentation and access controls for the PCI zones were redefined to isolate those VLANs from other enterprise VLANs. The team also redefined domain admin privileged user (IT staff and Vendors) network accounts to standard user accounts and utilized a PAM tool to elevate their privileges when needed.

Results and Benefits

The remediation project was focused primarily on the PCI environment with an eye on enterprise security as well. After a year of remediation, MNAA was able to attain their PCI Report on Compliance. The remediation project introduced processes and technologies that have significantly increased the security maturity of MNAA IT operations which is benefiting the entire enterprise. MNAA has and continues to make investments in these key security areas as well as in personnel and services.