Case Study: Assisting Transport for London (TfL)

08 March 2023

By NCC Group

Situation

NCC Group was appointed by Transport for London (TfL) to ensure that every element of its contactless payment system complied with the Payment Card Industry Data Security Standard (PCI DSS).

PCI DSS provides an actionable framework for building a robust payment card data security process covering prevention, detection, and an appropriate response to security incidents. As an Approved Scanning Vendor (ASV) with a team of Qualified Security Assessors (QSAs), NCC Group has extensive experience in helping organizations achieve PCI compliance. Its "one-stop shop" set of PCI DSS compliance services, including QSA advisory, audit, ASV scanning, and penetration testing, is aimed at helping organizations achieve compliance quickly and, crucially, maintain it.


At a Glance

Organization: Transport for London

Industry: Transportation

Challenge: To provide TfL with the cyber assurance and PCI DSS compliance needed to roll out its contactless payment project across several modes of public transport.

Solution: In the absence of a published point-to-point encryption (P2PE) standard, NCC Group worked with TfL and its supplier to develop a compliance framework that satisfied the card schemes' requirements and gave the project a measurable P2PE standard.

Result: NCC Group's assessments identified potential security vulnerabilities in the solution and gave TfL and its acquirer confidence in the security of the contactless payment project.

Challenge

At the time of the engagement there was no published point-to-point encryption (P2PE) standard, so NCC Group worked with TfL and its supplier to develop a framework that would satisfy the requirements of the card schemes and provide a meaningful standard against which compliance could be measured.

The resulting compliance framework combined three PCI standards, each covering a different part of the solution: PIN Transaction Security (PTS) v3.1 for the payment device itself, Point-to-Point Encryption (P2PE) v1.1 for the transmission of card data from the device to the data center, and PCI DSS v2.0 for the data center. Using this framework, NCC Group carried out a series of gap analysis exercises on the data center, the P2PE solution, and the various environments in which the devices would operate and be stored.

Solution

During the remediation program that followed, NCC Group provided extensive advice and guidance on implementing the various aspects of the solution. After remediation, NCC Group carried out a PCI DSS assessment and a P2PE assessment of the overall solution, together with a penetration test of the device itself. The assessment outcomes were presented to the card schemes, which then gave the project the green light.

Result

TfL initially launched the contactless payment scheme on buses and is in the process of rolling it out to passengers travelling on the Tube, trams, London Overground, the DLR, and most National Rail services in London. The bus launch went live in December 2012, and TfL was commended for its approach to security, with its card acquirer describing it as "exemplary".

Following the initial bus launch, NCC Group is continuing to work on the full implementation across the remaining transport modes.

"NCC Group acted as an independent, trusted advisor and assessed the potential security vulnerabilities of the solution to give us peace of mind that the security was sound."

Phil Jones, Head of Payment Security, Barclaycard
