Compliance With Payment Card Industry Standards

Issued Date
September 19, 2017
Agency/Authority
New York State Thruway Authority

Purpose

To determine whether the Thruway Authority (Authority) complies with Payment Card Industry Data Security Standards. Our audit scope covers the period March 1, 2017 through June 5, 2017.

Background

The Authority operates and maintains a toll superhighway (Thruway) throughout New York. Most of the toll points along the Thruway only accept cash and E-ZPass charges as toll payment. All Thruway E-ZPass customers have prepaid accounts, from which tolls are electronically deducted when the vehicle passes through toll points. Most E-ZPass accounts are automatically replenished with the customer’s credit card on file. The Authority also accepts in-person credit card payments for E-ZPass tags at its administrative headquarters in Albany and at its Nyack and Tarrytown offices. In addition, the Authority accepts credit card payments over the phone, online, and in person for other costs (e.g., unpaid tolls, accident reports, oversized truck permits, commercial accounts).

All organizations that accept credit cards as a method of payment must comply with the Data Security Standards (DSS) established by the Payment Card Industry (PCI) Security Standards Council. The PCI DSS is a comprehensive set of technical and operational requirements addressing security management, information security policies and procedures, and other critical protective measures associated with credit card data – intended to help an organization proactively protect customer credit card data that is either stored, processed, or transmitted through its network. The requirements necessitate that all system components included in, or connected to, the Cardholder Data Environment (CDE) – that is, the people, processes, and technologies that store, process, or transmit cardholder data or sensitive authentication data – are accounted for and comply with respective requirements.

From May 1, 2015 through April 30, 2016, Authority reports indicated it directly processed approximately 66,000 credit card transactions totaling more than $1.4 million.

Key Findings

  • Based on our review of select operational and technical security controls over the protection of cardholder data, we identified several matters that management should address to improve the Authority’s information security program for cardholder data and to help ensure it meets PCI requirements.
  • The Authority has not taken fundamental steps to secure its network. For example, it had neither classified its data nor accounted for all of its systems that process or store credit card information. In addition, it had not performed a risk assessment covering its CDE. Unless the Authority performs these key information security program tasks, it will be significantly inhibited in its efforts to meet PCI DSS and State information security standards.
  • The Authority could also improve certain other technical safeguards over the cardholder data it processes.

Key Recommendations

  • Develop strategies to enhance compliance with PCI DSS.
  • Implement the recommendations for strengthening technical controls over cardholder data that were detailed during the audit but, for confidentiality reasons, are not addressed in this report.

Other Related Audits/Reports of Interest

State University of New York: Compliance With Payment Card Industry Standards (2015-S-65)
Central New York Regional Transportation Authority: Compliance With Payment Card Industry Standards (2016-S-31)

Brian Reilly

State Government Accountability Contact Information:
Audit Director: Brian Reilly
Phone: (518) 474-3271; Email: [email protected]
Address: Office of the State Comptroller; Division of State Government Accountability; 110 State Street, 11th Floor; Albany, NY 12236