Compliance With Payment Card Industry Standards (Follow-Up)

Issued Date
September 27, 2019
Agency/Authority
New York State Thruway Authority

Objective

To determine the extent of implementation of the two recommendations included in our initial audit report, Compliance With Payment Card Industry Standards (Report 2017-S-11).

About the Program

The Thruway Authority (Authority) operates and maintains a toll superhighway (Thruway) throughout New York State. Most of the toll points along the Thruway only accept cash and E-ZPass charges as toll payment. All Thruway E-ZPass customers have prepaid accounts, from which tolls are electronically deducted when the vehicle passes through toll points. Most E-ZPass accounts are automatically replenished with the customer’s credit card on file, and the Authority contracts with a third-party vendor to manage E-ZPass accounts. The Authority directly handles in-person credit card payments for E-ZPass tags at its administrative headquarters in Albany and at an outreach center in Nyack, as well as at special events throughout the State. The Authority also accepts credit card payments over the phone, online, and in person for other costs (e.g., unpaid tolls, accident reports, commercial accounts).

All organizations that accept credit cards as a method of payment must comply with the Data Security Standards (DSS) established by the Payment Card Industry (PCI) Security Standards Council. The PCI DSS is a comprehensive set of technical and operational requirements designed to protect cardholder data.

Our initial audit report, issued on September 19, 2017, examined whether the Authority complied with PCI DSS. The audit covered the period March 1, 2017 through June 5, 2017. We found the Authority did not have a developed information security policy that addressed all the requirements in the PCI DSS, and the Authority could also improve certain other technical safeguards over the cardholder data it processes. As a result of the audit, the Authority took immediate actions to address the security over cardholder data. However, the Authority still needed to take additional steps to improve its overall information security program to ensure it met the PCI DSS. Our initial audit contained two recommendations to the Authority to develop strategies to enhance compliance with PCI DSS and implement recommendations made in a preliminary report and confidential draft report issued to the Authority.

Key Finding

  • Department officials have made significant progress in addressing the issues identified in our initial audit. Of the initial report's two recommendations, one has been implemented and one has been partially implemented.

Brian Reilly

State Government Accountability Contact Information:
Audit Director: Brian Reilly
Phone: (518) 474-3271; Email: [email protected]
Address: Office of the State Comptroller; Division of State Government Accountability; 110 State Street, 11th Floor; Albany, NY 12236