
Payment Card Industry (PCI) QSA Assessment Results
Executive Summary
The Payment Card Industry (PCI), through banking and card-brand agreements, requires merchants
like the Port of Seattle (Port) to complete an annual Self-Assessment Questionnaire (SAQ). The SAQ
is in essence an audit performed to verify to the Port’s acquirer (merchant bank) that the Port’s security
controls over credit card data processing meet the PCI requirements. The PCI Standards Council
cybersecurity requirements are reflected in the SAQ. They are periodically updated and are prescriptive
in nature.
The 2023 PCI assessment was completed on December 14, 2023, by Secured Net Solutions Inc., an
external party and Qualified Security Assessor (QSA). The work was performed to assure the Port’s
compliance with the Payment Card Industry Data Security Standard (PCI DSS) version 3.2.1.
Organizations that store, process, or transmit credit card data must comply with the relevant PCI DSS
requirements, and compliance must be attested on an annual basis.
The Port accepts credit card payments for taxi driver usage fees, moorage services at its marina
facilities, and parking at the Seattle-Tacoma International Airport. The assessment focused on the Port’s
critical systems, including web and application servers, workstation kiosks, transmission of cardholder
data out to the payment processors, and the Parking Revenue Control System, including Point of Sale
swipe devices and network devices.
The Port received an overall COMPLIANT rating, demonstrating full compliance with the PCI DSS.
The following SAQs and AOCs (Attestations of Compliance) were completed by the Port’s QSA:
Self-Assessment Questionnaire (SAQ) A – Taxi Management System
Self-Assessment Questionnaire (SAQ) P2PE (Point to Point Encryption) – PRCS (Parking Revenue Control System)
Self-Assessment Questionnaire (SAQ) P2PE – MVMS (Marina Vessel Management System)
Attestation of Compliance (AOC) for Self-Assessment Questionnaire (SAQ) A – Taxi Management System
Attestation of Compliance (AOC) for Self-Assessment Questionnaire P2PE – PRCS
Attestation of Compliance (AOC) for Self-Assessment Questionnaire P2PE – MVMS
Glenn Fernandes, CPA
Director, Internal Audit
Responsible Management Team
Dan Thomas, Chief Financial Officer
Matt Breed, Chief Information Officer
Ron Jimerson, Chief Information Security Officer