“How I rebuilt organisational security strategy and BAU thanks to Comsec Group and PCI DSS”
Client story.
The client: “Fundgate” (pseudonym; the firm chose to remain anonymous), an online financial services provider.
Fundgate is a global financial and payment service provider, operating in more than 200 countries and serving millions of users around the world. It is considered a global leader in the field of online payments and money transfer, and a well-known and respected player in the online financial services industry.
As the business evolved and developed, security threats and risks also evolved and became part of the business landscape. At the same time, the company developed a strong awareness and knowledge of information security, and of the risks and threats to its business from a security perspective.
Fundgate is no stranger to security compliance, and to PCI DSS compliance in particular. Operating across the globe and working closely with the card schemes, the company was quick to address and adopt PCI DSS soon after it was published in 2006. The company achieved PCI DSS compliance and has maintained it ever since.
One of the company’s core principles has always been that each function of the organisation should support the business and create value for it. This includes IT, risk, HR, compliance, third parties and suppliers.
Fundgate runs a large IT infrastructure to support the business and the product environment. It consists of multiple product teams delivering applications in a fast-paced DevOps model, organised in product silos that are as business-focused as they are product-oriented.
Fundgate performed a market search and, as a result of re-evaluating its PCI DSS compliance framework, decided to meet with Comsec, a well-known and experienced QSA company.
The re-evaluation was prompted by concerns that PCI DSS compliance was becoming less effective and, in some cases, even conflicting with the company’s IT and security framework. Through an internal assessment and market analysis, Fundgate found that the large amount of resources, time, energy and money spent on PCI DSS-related solutions and activities had little justification or value, and should be utilised more effectively.
After several discussions, Fundgate hired Comsec to take over its PCI DSS compliance programme and to “optimise” the programme and the effort behind it.
Phase 1: Initial Assessment
After a short period of working together, Comsec’s QSAs concluded that the company was indeed on “auto-pilot” with regard to PCI DSS compliance, and that a broad change was needed: not only to truly maintain PCI DSS compliance at all times, but, more importantly, to address and protect against the security threats the company was facing. Fundgate had to rethink information security, governance and PCI DSS compliance.
Amongst the issues that Comsec’s QSA team identified:
- Senior management was not adequately involved with the PCI DSS compliance programme.
- PCI DSS compliance was treated as an annual “snap-shot” project, not as a continuous process and effort.
- Culturally, PCI DSS was considered an unwanted practice, one that damages and slows down the business.
- Over the years, knowledge of the PCI regulation had declined in the IT and security teams, contributing to the “auto-pilot” state and the lack of senior management involvement.
- Changes were not addressed: services involving card data were not assessed properly, resulting in an incorrect PCI DSS scope (in-scope/out-of-scope issues).
- The client’s PCI personnel were in many cases not in sync with the security and IT teams.
- PCI DSS controls and processes were in many cases disconnected and separated from the organisational information security controls and processes, rather than being integrated into the organisational security framework.
- Operationally, many of the PCI DSS controls and processes were disrupting and slowing down other business processes such as development, product release cycles and IT operations, as a result of improper management of environments and processes.
- The effectiveness of security controls was limited: they were implemented and used only in the PCI DSS environment (scope).
Phase 2: Implementation
After understanding the difficulties and issues surrounding PCI at Fundgate, Comsec’s QSA team proceeded to the next phase: implementing PCI DSS compliance and controls in the correct way, using the three core values and principles that guide Comsec’s PCI QSA practice throughout its work.
Three areas of value to the organisation:
1. Information Security Focus
  - Implementing and maintaining PCI DSS compliance not by addressing generic requirements and “filling in the PCI checklist”, but by understanding the business context, threats and risks, and then designing and implementing the security controls, solutions and products that fit the environment and also satisfy the PCI DSS requirements.
  - “The big picture”: a holistic approach. Understanding that information security comes first and that any compliance framework has to be aligned with the organisational IS strategy. Controls and processes are integrated and coherent with the overall security and compliance framework of the entity by:
    - Multi-standard environment: addressing the other relevant security standards, regulations and frameworks the company adheres to, and aligning the PCI DSS framework accordingly.
    - PCI-related BAU activities (security testing, change management, IT security and others) are aligned, applicable and cover the wider information security context. For example, penetration testing is not limited to the PCI DSS environment and requirements, but extends to other environments and standards as well, thus increasing the value of the single activity to the organisation.
2. Cost-effectiveness
  - “Back to basics”: put the emphasis on the intent of the PCI requirements and security controls, and design suitable processes, rather than on products and tools. In many cases security controls can be implemented using simple practices. In many other cases a manual approach to a security control or process can be faster, more effective and more cost-effective than its automated tool equivalent.
  - Solutions/products: remove unnecessary tools and products used as part of the PCI DSS controls/requirements. These can be expensive, and the same outcome can often be achieved using manual or open-source tools.
  - Scope reduction: through expert consulting, Comsec’s experienced QSA team was able to reduce the scope of the PCI DSS environment and requirements, offering greater flexibility in addressing requirements and suggesting compensating controls where possible, to help reduce costs and unnecessary work.
3. Business Focus
  - PCI DSS compliance is part of organisational information security, which is part of the organisation’s business.
  - Security controls fit into the business and product environment.
  - Implementing information security business-as-usual practices that support the business and operations.
  - Financial services expertise and experience: Comsec has worked with all the leading financial and payment entities, including Visa and Mastercard, on their card data security programmes since before the establishment of the PCI Security Standards Council, and in the early stages of formulating the guidelines later known as PCI DSS. This gives it unmatched experience and know-how in the financial services sector.
Phase 3: Results and Client Testimonials (anonymised)
“Comsec has been a true partner both for PCI DSS compliance and for Information Security”
- Enabled my company not just to tick the box of the standard’s controls, but to design the right PCI DSS compliance framework for my organisation.
- Reduced the costs of compliance and at the same time improved efficiency and effectiveness.
- PCI is no longer a burden on the company’s resources, but is seen as an important tool to confront our risk and security threat environment.
- Security makes sense now more than ever: security controls, solutions, products and processes work in harmony and are relevant to the requirements and the security threats.
- Employees are involved in information security more than ever and actually understand the PCI DSS requirements.
• Demonstrable best-in-class abilities in the business area under review
Throughout the project, Comsec demonstrated what is expected from a cutting-edge, leading consultancy: total partnership with and commitment to the client’s objectives, whether business, professional or operational. Comsec performed a PCI DSS scoping that took in the organisation’s business environment, internal processes and philosophy, to create a tailored PCI DSS compliance framework that fits with the organisation’s principles and operations.
• Clear project management and process re-engineering expertise
Comsec dedicated a senior, experienced project manager (director level) with vast experience across hundreds of PCI-related projects and specific industry experience in the financial and online sectors. This reflects Comsec’s approach that PCI DSS processes and controls are not stand-alone, do not operate in a vacuum, and must consider the business, operational and even cultural aspects of an organisation. It is only with great experience and professional knowledge that the two can be combined successfully.
• Mastery of the latest technological solutions
Comsec’s QSA team for the project included a top-level technical consultant with the most up-to-date knowledge of current security solutions and products.
• Understanding of the very latest regulatory requirements
Additionally, Comsec’s lead QSA is an experienced consultant and auditor for many security standards and best practices, including PA-DSS, PCI P2PE, ISO 27001, COBIT 5 and data privacy, giving a broad view of the regulatory environment.
• The successful delivery of a core strategic initiative / set of client objectives
Through expert consulting, Comsec’s experienced QSA team worked together with the client to achieve the project targets while optimising the PCI DSS compliance process, including reducing the scope of the PCI DSS environment and requirements, providing greater flexibility in addressing the requirements, and suggesting compensating controls where possible, to help reduce costs and unnecessary work.
• On budget, on time
Comsec reduced the organisation’s annual budget associated with PCI DSS by removing irrelevant products and practices from the framework and optimising the overall process and the effectiveness of the security controls.
• Successful integration with existing client infrastructure
Working together with Fundgate, Comsec successfully integrated PCI DSS compliance maintenance with the client’s existing IT and security operations governance framework. This was a complete re-engineering of the previous PCI DSS compliance framework, which had not fitted seamlessly into the organisational framework.
• Access to the right technology partners for the job
Comsec helped the company compare and choose the right suppliers and products for the business.