PCI DSS Case Study
Assist a major online e-commerce business (client) with becoming – and maintaining – PCI DSS compliance for their five websites that sell approximately $7.5 million in health and wellness products to the pet industry.
Challenges & Needs
Even though PCI DSS compliance has been a strict requirement for e-commerce businesses for years, the client had never been asked by its payment processors and gateways to become compliant. However, changes in the cybersecurity landscape are now placing large compliance burdens on e-commerce businesses, especially with PCI. Additional challenges included the following:
- No PCI Experience and No Culture of Compliance: Having never been exposed to PCI DSS compliance – or any type of regulatory compliance requirement – the client was unprepared, overwhelmed, and understaffed. They were drowning in compliance and hadn’t even begun!
- Completely Missing Information Security Documentation: With no compliance requirements ever enforced upon our client in prior years, they saw no reason to develop any meaningful InfoSec documents. What documentation they had in place was old, poorly written, inaccurate, and could not be mapped to the current PCI DSS standards.
- Extremely Weak Security Controls: With no compliance requirements placed on them, and hardly any InfoSec documentation, it came as no surprise that their internal processes and procedures were incredibly weak. Many functions were performed informally, with no oversight of, or accountability for, individual actions, especially those of system administrators and other privileged users.
- Missing Security & Compliance Tools: Compliance with the Payment Card Industry Data Security Standard (PCI DSS) requires a heavy application of security tools. Two-factor authentication, File Integrity Monitoring, vulnerability scanning, and more are all necessary for PCI compliance. The client had virtually no tools in place and was unsure of where to begin in terms of procuring them.
- Unclear as to Next Steps: With no history of compliance, and not knowing where to begin, the client had little understanding of the costs and complexities of becoming – and staying – compliant! Questions they asked: (1) Who would find and implement all the solutions? (2) Who was going to help them maintain PCI compliance each year? (3) What were the costs and security concerns to be aware of?
FLANK assembled a team of PCI DSS security and compliance experts with two important action items: (1) obtain initial PCI DSS compliance status; (2) put in place a realistic, cost-effective PCI DSS continuous compliance monitoring program. Within 3 months, our client was successfully compliant, and within six months, we had a comprehensive monitoring program in place. We did it by undertaking the following initiatives:
- Successfully defined PCI DSS project scope, including roles and responsibilities for all internal personnel at the client.
- Identified gaps and deficiencies within the client’s control environment in accordance with the PCI DSS framework, offering expert recommendations on remediation and next-steps.
- Initiated contact with five major software vendors, allowing our client to choose the best products for their operations.
- Provided a PCI-specific policy toolkit to help jumpstart an all-new set of information security policies and procedures.
- Conducted comprehensive security awareness & training seminars.
- Acquired numerous security tools to help achieve full compliance.
- Implemented a true compliance framework in accordance with the current PCI DSS standards.
- Achieved compliance quickly and cost-effectively, successfully avoiding many of the PCI challenges common with so many other companies.
- Brought to the attention of management the need for continuous compliance initiatives.
- Adoption of a corporate culture that now understands the real value of regulatory compliance.
- Implementation of an ongoing continuous compliance framework that allows our client to be efficient and cost-effective in terms of annual compliance workload and costs.
- Massive savings in both time and money for annual compliance costs moving forward!