MTS Compass Card Was Insecure From The Beginning

Documents shed light on SANDAG’s early role in lax data security

Photo by Katie Schoolov

The Compass Card, a smart card used by San Diego's Metropolitan Transit System.

A KPBS investigation into data security shortcomings at the Metropolitan Transit System has put pressure on the organization to fix the problem. But the issue did not start with MTS — it started with SANDAG.

Substandard data security and the outdated payment methods of San Diego’s Compass Card have resulted in scrutiny of the Metropolitan Transit System, the county’s largest public transit operator. But the data security problem dates to the last decade when the Compass Card system was first rolled out by the region’s transportation planning agency, the San Diego Association of Governments.

Public records obtained by KPBS show the Compass Card system was out of compliance with the Payment Card Industry Data Security Standard, known as PCI DSS, when the cards entered service in 2009.

Seven years later, the system still fails to comply with the PCI standards, creating a greater risk that any of the 1.3 million credit and debit card transactions MTS accepts per year could result in transit riders’ information being stolen. Taxpayers could also be liable to pay the costs of any resulting credit card fraud.

Ray Traynor, SANDAG director of operations, said the regional agency was unaware of the existence of the data security standards until it was approached by its credit card payment processor in late 2008. The standards were devised by credit card companies in 2004 to combat growing credit card fraud, and include things like maintaining firewalls and encrypting cardholder data.

Document: SANDAG 2010 PCI Gap Analysis

A 2010 report by data security firm Tevora details the security gaps in the Compass Card system.

The payment processor asked SANDAG to determine where the Compass Card system was compliant with the standards. SANDAG then hired the data security firm Tevora to conduct a “gap analysis” to identify the areas in which it was most vulnerable. That analysis, which cost $25,850 and was completed in March 2010, listed eight critical areas in need of attention, including the system’s storage of cardholder data and its inability to detect intrusions.

Traynor said SANDAG then took steps to strengthen defenses in the most vulnerable areas of the Compass Card system. Asked why it took more than a year to hire Tevora, Traynor said SANDAG staffers first had to educate themselves on the data security standards, then go through the many checks and controls on spending taxpayer money before approving a contract. He could not say with certainty whether the Compass Card system had ever been compliant with the data security standards.

What went wrong

There are several explanations for the Compass Card’s enduring lack of PCI compliance, and perhaps the most significant is money. SANDAG appears to have greatly underestimated the full cost of having a functional, user-friendly and secure Compass Card.

MTS and SANDAG said estimates for achieving full compliance are around $7 million, and that expenditure would not provide any new functionality to the Compass Card, such as providing stored value for transit customers. Traynor said that expense gave SANDAG staffers pause, given they had just spent $40 million on the initial Compass Card rollout and public agencies were still suffering under the Great Recession.

“They had just completed this substantial system deployment, and then were confronted with the fact that they would have to spend more taxpayer money to try to remedy a system because of this new standard that had been introduced,” Traynor said.

A second reason is that responsibility for the Compass Card has shifted among three agencies. It was the now-defunct Metropolitan Transit Development Board that initiated the Compass Card program in the early 2000s. Then, in 2003, statewide legislation effectively dissolved that transit board, and the Compass Card program was transferred to SANDAG.

SANDAG began accepting credit cards at ticket machines in 2005, and it issued the first Compass Cards in 2009. In July 2014, the system was transferred to MTS, which commissioned a second report on the system’s data security. It was again found to be falling short of the industry’s standards.

That became an issue when MTS sought to change the bank it uses to process credit card transactions from Bank of America to JPMorgan Chase. An email sent on Oct. 2, 2014, from Brittany Petersen, then the MTS fare systems consultant, asked a SANDAG employee about the past steps taken to strengthen data security.

MTS intended to prove to JPMorgan Chase that the transit system was making progress toward PCI compliance. The new banking relationship never materialized.

Photo credit: Michael Schuerman

A San Diego trolley pulls out of the downtown stop at 12th Street and Imperial Avenue, June 1, 2014.

Raising the bar

A third reason for the Compass Card’s persistent data security problems is that the industry standards are updated every two years, and compliance is constantly becoming more costly and burdensome.

It is not uncommon for merchants to fall out of compliance as those updates occur. But Patrick Townsend of Townsend Security said it would be surprising if a system were out of compliance for seven years — the length of time Compass Cards have been in circulation.

“Anyone who takes credit cards from that period of time onward should have been dealing with compliant systems. There’s no question about that,” said Townsend, an expert in data security based in Olympia, Wash.

Traynor said at no time during SANDAG’s stewardship of the Compass Card did any data breaches occur that resulted in cardholder data being stolen. But he acknowledged that in 2010 the system lacked “intrusion detection” software that would have made SANDAG aware of any breaches. Indeed, even merchants who are PCI compliant are often unaware their systems have already been infected with malware.

Photo by Kris Arciaga

SANDAG Director of Operations Ray Traynor speaks in an interview on March 25, 2016.

“I don’t know that anybody could sit and look you straight in the eye and say with 100 percent certainty that every system is 100 percent protected,” Traynor said. “But from all the information and the evidence that we have, there’s never been an exposure — not during SANDAG’s stewardship of the program.”

Compliance on the horizon?

MTS said it has spent about $700,000 assessing and mitigating the risks of a data breach, but that the Compass Card system is still not compliant with international data security standards. MTS does not have an immediate plan to become compliant.

Rather, MTS is focusing on planning for its “next generation” of fare collection, which it says will be much more user friendly, convenient and compliant with the data security standards. It has not given itself a deadline for starting the new system, but its placement on MTS’s annual list of capital improvement projects suggests it could be complete in about three years.

The list of capital improvement projects was approved by the MTS board at its meeting last month. It budgets $20 million for upgrading the fare collection system, to be spent between July 2017 and June 2019. MTS hopes to get half the funding from a state grant program designed to modernize California’s rail transit systems and reduce greenhouse gases.

In the interim, MTS is planning to hire Portland-based GlobeSherpa to develop a new mobile phone ticketing app. Approval for the contract worth about $842,000 will go before the MTS board on Thursday, when staffers will also give a presentation on the Compass Card’s lack of stored value — something promised when the card was introduced but is still not offered to transit customers.
