8. Attachment
PCI QSA Audit Report
INTERNAL AUDIT REPORT
Information Technology Audit
Payment Card Industry (PCI) QSA Assessment Results
Self-Assessment Questionnaire
Issue Date: March 13, 2024
Report No. 2024-03

This report is a matter of public record, and its distribution is not limited. Additionally, in accordance with the Americans with Disabilities Act, this document is available in alternative formats on our website.

Executive Summary

The Payment Card Industry (PCI), through banking and card-brand agreements, requires merchants like the Port of Seattle (Port) to complete an annual Self-Assessment Questionnaire (SAQ). The SAQ is in essence an audit performed to verify to the Port's acquirer (merchant bank) that the Port's security controls over credit card data processing meet the PCI requirements. The PCI Standards Council cybersecurity requirements are reflected in the SAQ; they are periodically updated and are prescriptive in nature.

The 2023 PCI assessment was completed on December 14, 2023, by Secured Net Solutions Inc., an external party and a Qualified Security Assessor (QSA). The work was performed to assure the Port's compliance with the Payment Card Industry Data Security Standard (PCI DSS) version 3.2.1. Organizations that store, process, or transmit credit card data must comply with the relevant PCI DSS requirements, and compliance must be attested on an annual basis.

The Port accepts credit card payments for taxi driver usage fees, moorage services at its marina facilities, and parking at the Seattle-Tacoma International Airport. The assessment focused on the Port's critical systems, including web and application servers, workstation kiosks, transmission of cardholder data out to the payment processors, and the Parking Revenue Control System, including Point of Sale swipe devices and network devices.

The Port received an overall COMPLIANT rating, demonstrating full compliance with the PCI DSS.
The following SAQs and AOCs (Attestations of Compliance) were completed by the Port's QSA:

Self-Assessment Questionnaire (SAQ) A – Taxi Management System
Self-Assessment Questionnaire (SAQ) P2PE (Point to Point Encryption) – PRCS (Parking Revenue Control System)
Self-Assessment Questionnaire (SAQ) P2PE – MVMS (Marina Vessel Management System)
Attestation of Compliance (AOC) for Self-Assessment Questionnaire (SAQ) A – Taxi Management System
Attestation of Compliance (AOC) for Self-Assessment Questionnaire P2PE – PRCS
Attestation of Compliance (AOC) for Self-Assessment Questionnaire P2PE – MVMS

Glenn Fernandes, CPA
Director, Internal Audit

Responsible Management Team
Dan Thomas, Chief Financial Officer
Matt Breed, Chief Information Officer
Ron Jimerson, Chief Information Security Officer