
Payment Card Industry (PCI) QSA Review Results
Executive Summary
The Payment Card Industry (PCI), through banking and card-brand agreements, requires merchants
like the Port of Seattle to complete an annual Self-Assessment Questionnaire (SAQ) to verify to the
Port’s merchant bank (acquirer) that the Port’s security controls over credit card data processing meet
the PCI requirements. The PCI Standards Council cybersecurity requirements are periodically updated
and are prescriptive in nature. The PCI Data Security Standard (DSS) Self-Assessment Questionnaire
(SAQ) D, which the Port is required to comply with, contains over 250 specific security questions.
The PCI assessment was performed for the reporting year 2020 by an external party, MegaplanIT,
L.L.C., with the assistance of Information & Communication Technology, Information Security, and
Aviation Maintenance. In order to complete their assessment, MegaplanIT used the PCI DSS SAQ D
and the Attestation of Compliance for Merchants. This firm has performed the assessment for the last
three years; however, Internal Audit will perform the assessment for the 2021 reporting year.
The 2020 review was completed and signed by Dan Thomas, Chief Financial Officer, on July 30, 2020,
and was noted to be “Compliant: All sections of the PCI DSS SAQ are complete, all questions answered
affirmatively, resulting in an overall COMPLIANT rating; thereby Port of Seattle has demonstrated full
compliance with the PCI DSS.”
The Port has been performing PCI reviews for over 10 years, and this is the first year the Port has
obtained a compliant result. Previous non-compliant years had seen a steady reduction in identified
issues.
Glenn Fernandes, CPA
Director, Internal Audit
Responsible Management Team
Dan Thomas, Chief Financial Officer
Matt Breed, Chief Information Officer
Ron Jimerson, Director of Information Security
Stephanie Warren, Manager of Information Security