MTS Compass Card Was Insecure From The Beginning
Documents shed light on SANDAG’s early role in lax data security
Wednesday, April 13, 2016
A KPBS investigation into data security shortcomings at the Metropolitan Transit System has put pressure on the organization to fix the problem. But the issue did not start with MTS — it started with SANDAG.
Substandard data security and the outdated payment methods of San Diego’s Compass Card have resulted in scrutiny of the Metropolitan Transit System, the county’s largest public transit operator. But the data security problem dates to the last decade when the Compass Card system was first rolled out by the region’s transportation planning agency, the San Diego Association of Governments.
Public records obtained by KPBS show the Compass Card system was out of compliance with the Payment Card Industry Data Security Standards — called PCI DSS — when the cards entered use in 2009.
Seven years later, the system still fails to comply with the PCI standards, raising the risk that cardholder data from any of the 1.3 million credit and debit card transactions MTS accepts per year could be stolen. Taxpayers could also be liable for the costs of any resulting credit card fraud.
Ray Traynor, SANDAG director of operations, said the regional agency was unaware that the data security standards existed until it was approached by its credit card payment processor in late 2008. The standards were devised by credit card companies in 2004 to combat growing credit card fraud, and include requirements such as maintaining firewalls and encrypting cardholder data.
SANDAG 2010 PCI Gap Analysis
A 2010 report by data security firm Tevora details the security gaps in the Compass Card system.
The payment processor asked SANDAG to determine where the Compass Card system was compliant with the standards. SANDAG then hired the data security firm Tevora to conduct a “gap analysis” to identify the areas in which it was most vulnerable. That analysis, which cost $25,850 and was completed in March 2010, listed eight critical areas in need of attention, including the system’s storage of cardholder data and its inability to detect intrusions.
Traynor said SANDAG then took steps to strengthen defenses in the most vulnerable areas of the Compass Card system. Asked why it took more than a year to hire Tevora, Traynor said SANDAG staffers first had to educate themselves on the data security standards, then go through the many checks and controls on spending taxpayer money before approving a contract. He could not say with certainty whether the Compass Card system had ever been compliant with the data security standards.
What went wrong
There are several explanations for the Compass Card’s enduring lack of PCI compliance, and perhaps the most significant is money. SANDAG appears to have greatly underestimated the full cost of having a functional, user-friendly and secure Compass Card.
MTS and SANDAG said estimates for achieving full compliance are around $7 million, and that expenditure would not provide any new functionality to the Compass Card, such as providing stored value for transit customers. Traynor said that expense gave SANDAG staffers pause, given they had just spent $40 million on the initial Compass Card rollout and public agencies were still suffering under the Great Recession.
“They had just completed this substantial system deployment, and then were confronted with the fact that they would have to spend more taxpayer money to try to remedy a system because of this new standard that had been introduced,” Traynor said.
A second reason is that responsibility for the Compass Card has shifted among three agencies. It was the now-defunct Metropolitan Transit Development Board that initiated the Compass Card program in the early 2000s. Then, in 2003, statewide legislation effectively dissolved that transit board, and the Compass Card program was transferred to SANDAG.
SANDAG began accepting credit cards at ticket machines in 2005, and it issued the first Compass Cards in 2009. In July 2014, the system was transferred to MTS, which commissioned a second report on the system’s data security. It was again found to be falling short of the industry’s standards.
That became an issue when MTS sought to change the bank it uses to process credit card transactions from Bank of America to JPMorgan Chase. An email sent on Oct. 2, 2014, from Brittany Petersen, then the MTS fare systems consultant, asked a SANDAG employee about the past steps taken to strengthen data security.
MTS intended to prove to JPMorgan Chase that the transit system was making progress toward PCI compliance. The new banking relationship never materialized.
Raising the bar
A third reason for the Compass Card’s persistent data security problems is that the industry standards are updated every two years, and compliance is constantly becoming more costly and burdensome.
It is not uncommon for merchants to fall out of compliance as those updates occur. But Patrick Townsend of Townsend Security said it would be surprising if a system were out of compliance for seven years — the length of time Compass Cards have been in circulation.
“Anyone who takes credit cards from that period of time onward should have been dealing with compliant systems. There’s no question about that,” said Townsend, an expert in data security based in Olympia, Wash.
Traynor said at no time during SANDAG’s stewardship of the Compass Card did any data breaches occur that resulted in cardholder data being stolen. But he acknowledged that in 2010 the system lacked “intrusion detection” software that would have made SANDAG aware of any breaches. Indeed, even merchants who are PCI compliant are often unaware their systems have already been infected with malware.
“I don’t know that anybody could sit and look you straight in the eye and say with 100 percent certainty that every system is 100 percent protected,” Traynor said. “But from all the information and the evidence that we have, there’s never been an exposure — not during SANDAG’s stewardship of the program.”
Compliance on the horizon?
MTS said it has spent about $700,000 assessing and mitigating the risks of a data breach, but that the Compass Card system is still not compliant with the PCI data security standards. MTS does not have an immediate plan to become compliant.
Rather, MTS is focusing on planning for its “next generation” of fare collection, which it says will be much more user friendly, convenient and compliant with the data security standards. It has not given itself a deadline for starting the new system, but its placement on MTS’s annual list of capital improvement projects suggests it could be complete in about three years.
The list of capital improvement projects was approved by the MTS board at its meeting last month. It budgets $20 million for upgrading the fare collection system, to be spent between July 2017 and June 2019. MTS hopes to get half the funding from a state grant program designed to modernize California’s rail transit systems and reduce greenhouse gases.
In the interim, MTS is planning to hire Portland-based GlobeSherpa to develop a new mobile phone ticketing app. Approval for the contract, worth about $842,000, will go before the MTS board on Thursday, when staffers will also give a presentation on the Compass Card’s lack of stored value — something that was promised when the card was introduced but is still not offered to transit customers.