Purpose

To determine the extent of implementation of the two recommendations included in our initial audit report, Compliance With Payment Card Industry Standards (2016-S-31).

Background

Our initial audit report, which was issued on February 6, 2017, determined whether the Central New York Regional Transportation Authority (Authority) complied with payment card industry security standards.  The audit covered the period January 1, 2015 through June 24, 2016. We found the Authority did not have a developed information security policy that addressed all of the requirements in the PCI DSS, and the Authority could also improve certain other technical safeguards over the cardholder data it processes.  As a result of the audit, the Authority took immediate actions to address the security over cardholder data. However, the Authority still needed to take additional steps to improve its overall information security program to ensure it met the PCI DSS. Our initial audit contained two recommendations to the Authority to develop strategies to enhance compliance with PCI DSS and implement recommendations made in a preliminary report and confidential draft report issued to the Authority.

Key Finding

Authority officials have made significant progress in correcting the problems we identified in the initial report.  However, improvements are still needed.  Of the two prior audit recommendations, one has been implemented and one has been partially implemented.

Key Recommendation

Officials are given 30 days after the issuance of the follow-up review to provide information on any actions that are planned to address the unresolved issues discussed in this review.

Other Related Audit/Report of Interest

Central New York Regional Transportation Authority: Compliance With Payment Card Industry Standards (2016-S-31)