Local, investigative journalism delivered straight to your inbox.
For years, San Diego public transit riders have been able to use credit and debit cards to purchase daily and monthly passes on their Compass Cards. Yet each transaction, whether at a ticket machine or online, may be putting the passenger’s credit card information at risk of being stolen.
San Diego’s Metropolitan Transit System has admitted its Compass Card fare collection system is not in compliance with the Payment Card Industry Data Security Standards (PCI DSS), a set of rules and best practices developed by credit card companies to prevent fraud.
The standards include encrypting cardholder data, maintaining firewalls and regularly testing security systems. Compliance is supposed to be a minimum requirement of any merchant who wants to offer customers the convenience of paying with a credit or debit card.
The Compass Card is a smart-chip card useable for daily, multi-day or monthly passes, but not for single rides. It was developed by San Diego-based Cubic Corp. in the mid-2000s, and was operated by the San Diego Association of Governments (SANDAG), the county transportation planning agency, until July 2014. That’s when MTS took it over.
MTS spokesman Rob Schupp said the transit agency had an inkling the system needed security upgrades before July 2014, but only later did agency officials become fully aware of the problem.
Schupp said MTS did not deliberately conceal its lack of PCI compliance from the public. Asked whether Compass Card users should be concerned that their personal information could be hacked through MTS, Schupp said, “I believe people should be wary whenever they’re using a credit card, wherever they’re using it.”
Deadlines for compliance
To address its data security issues, MTS turned to AppliedTrust, a data security firm based in Boulder, Colo., that had already been working with MTS under the umbrella of cyber security. A contract addendum, obtained via a Public Records Act request, details the company’s task of identifying data security gaps and making recommendations on how to close them.
MTS would not release the AppliedTrust report describing its security shortcomings, saying the public interest in disclosing the report was outweighed by the risk of exposing the system’s vulnerabilities to potential hackers.
“There’s a lot of work to do,” Schupp said, referring to AppliedTrust’s assessment. “We’re really working hard to minimize all the risks.”
Part of that work has been spending more than $700,000 “to improve and provide redundancy for firewalls, servers and payment gateways as well as to conduct the assessment studies and purchase software,” Schupp said. Those measures, which would be complete in July, would reduce the risk of a breach. However, Schupp said the cost of full PCI compliance was estimated to be at least $7 million and would take “a couple of years.” MTS officials are meeting with Cubic Corp. this week to determine if there is a less costly route to achieving compliance.
MTS could not provide an estimate for how long it would remain out of PCI compliance.
John Kronick, a regional vice president at Coalfire, a firm that helps companies meet the data security standards, said banks and credit card companies have shown little patience for merchants staying out of compliance for more than a year.
“We’ve seen companies put their foot down on executives in the company who are responsible for PCI,” he said. “Where they couldn’t get it done, they say, ‘Well, if you don’t have this compliant by X date, your job is on the line.’ And that has helped to move things along.”
Five major credit card companies — Visa, MasterCard, American Express, Discover and JCB — developed PCI DSS in 2004, unifying their individual security standards into one that applied industry-wide. The standards are not law, and failing to live up to them is not a crime, though non-compliance can open up liabilities.
When credit card information is stolen and the breach results in fraudulent charges, the merchant that was the victim of the hack often has to cover those costs. Target reported last December it had spent $290 million related to its major breach in 2013, including more than $100 million in settlements with banks and customers.
If MTS’s inadequate data security led to a breach, it could be forced to pay similar settlements. If it remains non-compliant for years, MTS also risks fines from the bank that processes its transactions. Since MTS is a public entity, those costs would ultimately be shouldered by taxpayers and fare-paying transit riders.
“There’s no excuse for being PCI non-compliant,” Kronick said. “If you fail to be PCI compliant and you have a breach, it’s clearly negligence on the company’s part.”
Big-box retailers, notably Target and Home Depot, have previously been the victims of cybercriminals because of their high volume of credit card transactions. But as those retailers have improved security in the wake of major breaches, cybercriminals have shifted their focus to smaller merchants, according to Patrick Townsend, CEO of data security firm Townsend Security.
“(Cybercriminals) just want to go where the money is and where it’s easier to break in,” he said. “Mid-sized organizations… are increasingly targeted because they’re not doing security as well. They’re a little bit easier to attack.”
Board members unaware
Schupp said MTS’s lack of PCI compliance had not yet gone before the transit agency’s board of directors, made up of elected officials across San Diego County.
MTS’s board policy states that the CEO can enter into contracts worth up to $100,000 at his own discretion. Agreements in excess of $100,000 require approval from the board’s 15 members.
The original contract with AppliedTrust was valued at $60,000. The July 2014 amendment expanding the firm’s scope of work increased the value to $95,000.
San Diego City Councilmen Todd Gloria and David Alvarez, both of whom are current board members and who sat on the board in 2014, said they were unaware MTS was not compliant with the credit card security standards and could not recall the issue ever being discussed on the board. Alvarez said he would request more information from MTS staff.
Colin Parent, policy counsel at the transit advocacy organization Circulate San Diego, said MTS should not be saying it’s too expensive to protect their customer’s data security.
“MTS has an obligation to protect their customer data to the ordinary level of the industry,” Parent said. “If it requires them to do a more comprehensive upgrade to their payment system, they should do that. And in fact, that is overdue.”