PCI proves large ROI on security investment
CASE STUDY
Payment Card Industry Data Security Standard (PCI DSS) compliance proves a challenge for many organizations. The PCI DSS defines requirements that must be met by any organization that stores, processes or transmits credit card data. Because of the complexity and constantly changing requirements, many organizations find themselves falling far behind the standard or, worse yet, simply ignoring it. Though these organizations may avoid penalties in the short run, the consequences of noncompliance will eventually catch up with them.
Such was the case with a hospitality organization that found itself on the wrong side of compliance. Two years ago, this organization received a letter from its bank requiring it to prove PCI compliance by a certain date or else accept hefty penalties and fines. Since this organization had yet to integrate any part of the PCI DSS into its security program, it knew it had substantial work to do. The organization was facing enormous risks from noncompliance, including fines of $50,000 per month of noncompliance, the potential inability to accept credit cards and the reputational damage it would suffer should a breach occur. Unable to handle this situation internally, the organization contacted RSM for assistance in building a PCI program and meeting its bank’s requirements.
RSM worked with the organization to chart a road map to PCI compliance and to act as a liaison between the bank and the organization. Because we are a PCI Approved Scanning Vendor (ASV) and a Qualified Security Assessor (QSA), we were able to provide the support and extensive knowledge necessary to outline the most efficient and effective plan toward compliance. RSM developed a two-year phased approach that involved milestones, a prioritized approach to reducing risk, scope reduction to lower management overhead and costs, and the building of a compliance program.
One of RSM’s primary roles during this engagement was to act as a liaison and spokesperson on behalf of the client. We contacted the bank to negotiate penalties and were able to defer the client’s fines for two years, with the assurance that the client was working toward PCI compliance. Additionally, we conveyed the gravity of the situation to the client’s board of directors. This galvanized support for the compliance program from all levels within the organization, which is essential when undertaking a project of this magnitude.
RSM also performed security assessments designed to identify gaps between current controls and the PCI DSS and to improve security and regulatory standing. A PCI gap assessment showed that the organization was only around 20 percent compliant with the required PCI standards. Vulnerability and penetration assessments identified major technical exposures. Firewalls and network devices were assessed to determine whether they were configured to PCI standards. The network architecture was reviewed to identify potential areas for scope reduction and segmentation. This review led to a networkwide upgrade of switches and point-of-sale devices to incorporate point-to-point encryption of cardholder data. RSM also reviewed policies and procedures to assist the client in formalizing them and conforming to the PCI requirements.
Throughout the process, RSM provided tactical and strategic recommendations to assist in remediation and long-term planning. At times, business processes needed to be completely overhauled to meet overall goals. We provided guidance from both a project owner and QSA perspective. Project owners helped ensure business processes adhered to organizational goals, while the QSA confirmed process updates adhered to the PCI standards. As each milestone approached, we met with executives and technical staff to address any questions and confirm that remediation plans were on track.
After two years of security assessments, program building, policy revisions, technical remediation and communicating progress to the bank, the organization was able to complete its required PCI Self-Assessment Questionnaire. The organization moved from around 20 percent compliance to 100 percent compliance. Though this initiative required investment in new technology and other resources, the organization saw a major return on that investment. Over the course of two years, the organization would have had to pay at least $1.2 million in penalties to its bank for noncompliance. Instead, the organization avoided those penalties while investing less than $550,000 in building a PCI compliance program with RSM’s guidance. Moreover, now that the organization has built a repeatable, consistent process for managing compliance, its future compliance work will be much more manageable and affordable.
For organizations that are shaping or rethinking their security programs, it is important to account for relevant regulations early on. It is much easier to meet compliance requirements if they have already been built into the culture of the organization. The negative consequences of PCI noncompliance can be avoided by integrating compliance and security into business process change cycles, and by continually updating them to comply with the newest PCI requirements.
For organizations that lack an established culture of security and compliance, this case demonstrates that it is indeed possible to avoid the dire consequences of noncompliance. It may require overhauling certain procedures, retraining individuals and upgrading technology, but it is a worthwhile endeavor if it saves the business from significant penalties or from losing the ability to accept credit cards. For example, this organization had been storing credit card numbers in plastic food containers (which is definitely not compliant). Still, the client was able to completely revise this process and move toward a compliant solution.