8. Attachment

PCI QSA Audit Report

INTERNAL AUDIT REPORT 



Information Technology Audit 
Payment Card Industry (PCI) QSA Assessment Results 
Self-Assessment Questionnaire 
Issue Date: March 13, 2024 
Report No. 2024-03 
This report is a matter of public record, and its distribution is not limited. Additionally, in accordance with
the Americans with Disabilities Act, this document is available in alternative formats on our website. 

Executive Summary 
The Payment Card Industry (PCI), through banking and card-brand agreements, requires merchants
like the Port of Seattle (Port) to complete an annual Self-Assessment Questionnaire (SAQ). The SAQ
is in essence an audit performed to verify to the Port’s acquirer (merchant bank) that the Port’s security
controls over credit card data processing meet the PCI requirements. The PCI Standards Council
cybersecurity requirements are reflected in the SAQ. They are periodically updated and are prescriptive
in nature.
The 2023 PCI assessment was completed on December 14, 2023, by Secured Net Solutions Inc., an
external party and a Qualified Security Assessor (QSA). The work was performed to assure the Port’s
compliance with the Payment Card Industry Data Security Standard (PCI DSS) version 3.2.1.
Organizations that store, process, or transmit credit card data must comply with the relevant PCI DSS
requirements, and compliance must be attested on an annual basis. 
The Port accepts credit card payments for taxi driver usage fees, moorage services at its marina
facilities, and parking at the Seattle-Tacoma International Airport. The assessment focused on the Port’s
critical systems, including web and application servers, workstation kiosks, transmission of cardholder
data out to the payment processors, and the Parking Revenue Control System, including Point of Sale 
swipe devices and network devices. 
The Port received an overall COMPLIANT rating, demonstrating full compliance with the PCI DSS. 

The following SAQs and AOCs (Attestations of Compliance) were completed by the Port’s QSA:
• Self-Assessment Questionnaire (SAQ) A – Taxi Management System
• Self-Assessment Questionnaire (SAQ) P2PE (Point to Point Encryption) – PRCS (Parking Revenue Control System)
• Self-Assessment Questionnaire (SAQ) P2PE – MVMS (Marina Vessel Management System)
• Attestation of Compliance (AOC) for Self-Assessment Questionnaire (SAQ) A – Taxi Management System
• Attestation of Compliance (AOC) for Self-Assessment Questionnaire P2PE – PRCS
• Attestation of Compliance (AOC) for Self-Assessment Questionnaire P2PE – MVMS


Glenn Fernandes, CPA 
Director, Internal Audit 

Responsible Management Team 
Dan Thomas, Chief Financial Officer 
Matt Breed, Chief Information Officer 
Ron Jimerson, Chief Information Security Officer 
