11. Payment Card Industry Audit Report

Information Technology Audit 
Payment Card Industry (PCI) QSA Review Results 
Self-Assessment Questionnaire D signed July 30, 2020
Issue Date: August 14, 2020 
Report No. 2020-12 



Executive Summary 
The Payment Card Industry (PCI), through banking and card-brand agreements, requires merchants
like the Port of Seattle to complete an annual Self-Assessment Questionnaire (SAQ) to verify to the
Port's merchant bank (acquirer) that the Port's security controls over credit card data processing meet
the PCI requirements. The PCI Standards Council cybersecurity requirements are periodically updated
and are prescriptive in nature. The PCI Data Security Standard (DSS) Self-Assessment Questionnaire
(SAQ) D, which the Port is required to comply with, contains over 250 specific security questions.
The PCI assessment for the reporting year 2020 was performed by an external party, MegaplanIT,
L.L.C., with the assistance of Information & Communication Technology, Information Security, and
Aviation Maintenance. To complete its assessment, MegaplanIT used the PCI DSS SAQ D
and the Attestation of Compliance for Merchants. This firm has performed the assessment for the last
three years; however, Internal Audit will perform the assessment for the 2021 reporting year.
The 2020 review was completed and signed by Dan Thomas, Chief Financial Officer, on July 30, 2020 
and was noted to be "Compliant: All sections of the PCI DSS SAQ are complete, all questions answered
affirmatively, resulting in an overall COMPLIANT rating; thereby Port of Seattle has demonstrated full
compliance with the PCI DSS." 
The Port has been performing PCI reviews for over 10 years, and this is the first year the Port has
obtained a compliant result. Previous non-compliant years had seen a steady reduction in identified

Glenn Fernandes, CPA 
Director, Internal Audit 

Responsible Management Team 
Dan Thomas, Chief Financial Officer 
Matt Breed, Chief Information Officer 
Ron Jimerson, Director of Information Security 
Stephanie Warren, Manager of Information Security 

