“How I rebuilt organisational security strategy and BAU thanks to Comsec Group and PCI DSS”
The client: “Fundgate” (pseudonym – the firm chose to be anonymous) - An online financial services provider.
Fundgate is a global financial and payment service provider, operating in more than 200 countries and serving millions of users around the world. It is considered a global leader in the field of online payments and money transfer, and a well-known and respected player in the online financial services industry.
As the business evolved and developed, security threats and risks also evolved and became part of the business landscape. At the same time, the company developed a strong awareness and knowledge of information security and of the risks and threats to its business from the security perspective.
Fundgate is no stranger to security compliance, and PCI DSS compliance in particular. Operating across the globe and working closely with the card schemes, the company was very quick to address and adopt PCI DSS soon after it was published in 2006. The company achieved PCI DSS compliance and has maintained it ever since.
One of the company’s core principles has always been to support the business and create value for the business with each function of the organisation. This includes IT, risk, HR, compliance, third parties and suppliers. Each of those functions should support and create value for the business.
Fundgate runs a large IT infrastructure to support the business and the product environment. The infrastructure consists of multiple product teams with fast-paced DevOps application delivery, organised in product silos that are as product-orientated as they are business-focused.
As a result of re-evaluating its PCI DSS compliance framework, Fundgate performed a market search and decided to meet with Comsec, a well-known and experienced QSA company.
This re-evaluation came as a result of concerns that PCI DSS compliance was becoming less effective and in some cases even conflicting with the company’s IT and security framework. Through an internal assessment and market analysis, Fundgate discovered that the great amount of resources, time, energy and money spent on PCI DSS related solutions and activities had little justification and value and should be utilised more effectively.
After several discussions, Fundgate hired Comsec to take over its PCI DSS compliance programme and to “optimise” the compliance programme and efforts.
Phase 1: Initial Assessment
After a short period of working together, Comsec’s QSAs concluded that the company was indeed on “auto-pilot” with regard to PCI DSS compliance. A broad change was needed, both to truly maintain PCI DSS compliance at all times and, more importantly, to address and protect against the security threats that the company was facing. Fundgate had to rethink information security, governance and PCI DSS compliance.
Amongst the issues that Comsec’s QSA team identified:
- Senior Management was not adequately involved with the PCI DSS compliance programme.
- PCI DSS compliance was treated as an annual project, a “snap-shot”, and not as a continuous process and effort.
- Culturally, PCI DSS was considered an unwanted practice, one that damaged and slowed down the business.
- Over the years, knowledge of the PCI regulation in the IT and security teams decreased, and the “auto-pilot” state formed alongside a lack of involvement of senior management.
- Changes were not addressed: services involving card data were not assessed properly, resulting in incorrect PCI DSS scope (in-scope/out-of-scope issues).
- The client’s PCI personnel were in many cases not in sync with the security and IT teams.
- PCI DSS controls and processes were in many cases disconnected and separated from organisational information security controls and processes, rather than being integrated in the organisational security framework.
- Operationally, many of the PCI DSS controls and processes were disrupting and slowing down other business processes such as development, product release cycles and IT operations, as a result of improper environment and process management.
- Security controls effectiveness was limited – they were only implemented and used in the PCI DSS environment (scope).
Phase 2: Implementation
After understanding the difficulties and issues surrounding PCI in Fundgate, Comsec’s QSA team proceeded to the next phase: implementing PCI DSS compliance and controls in the correct way, using the three core values and principles that guide Comsec’s PCI QSA practice throughout its work.
Three areas of value to the organisation:
1. Information Security Focus
  - Implementing and maintaining PCI DSS compliance not by addressing generic requirements and “filling in the PCI checklist”, but by understanding the business context, threats and risks and then designing and implementing the security controls, solutions and products that fit the environment and that also fit the PCI DSS requirements.
  - “The big picture”: a holistic approach. Understanding that information security comes first and that any compliance framework has to be aligned with the organisational IS strategy. Controls and processes are integrated and coherent with the overall security and compliance framework of the entity by:
    - Multi-standard environment: addressing other relevant security standards, regulations and frameworks the company is adhering to and aligning the PCI DSS framework accordingly.
    - PCI related BAU activities (security testing, change management, IT security and others) are aligned, applicable and cover the wider information security context. For example, penetration testing is not limited to the PCI DSS environment and requirements, but also extends to other environments and standards, thus increasing the value of the single activity to the organisation.
  - “Back to basics”: put an emphasis on the intent of the PCI requirements and security controls, and design suitable processes, rather than focusing on products and tools. In many cases security controls can be implemented by using simple practices. In many other cases a manual approach to a security control or process can be faster, more effective and more cost effective than its automatic tool equivalent.
  - Solutions/products: remove unnecessary tools and products utilised as part of the PCI DSS controls/requirements. Those can be costly, and the same controls can be easily achieved using manual or open-source tools.
  - Scope reduction: through expert consulting, Comsec’s experienced QSA team was able to reduce the scope of the PCI DSS environment and requirements, offering greater flexibility in addressing requirements and suggesting compensating controls where possible, to assist with reducing costs and unnecessary work.
3. Business Focus
  - PCI DSS compliance is part of organisational Information Security, which is part of the organisation’s business.
  - Security controls fit into the business and product environment.
  - Implementing information security business-as-usual practices that support the business and operations.
  - Financial services expertise and experience: Comsec has been working with all the leading financial and payment entities, including Visa and Mastercard, on their card data security programmes prior to the establishment of the PCI Security Standards Council, and in the early stages of formulating the guidelines later known as PCI DSS. This leads to unmatched experience and know-how in the financial services sector.
Phase 3: Results and Client testimonials (anonymized)
“Comsec has been a true partner both for PCI DSS compliance and for Information Security”
- Enabled my company not just to tick the box of the standard’s controls, but to design the right PCI DSS compliance framework for my organisation
- Reduced costs of compliance and at the same time improved efficiency and effectiveness
- PCI is no longer a burden on the company resources, but seen as an important tool to confront our risk and security threat environment.
- Security makes sense now more than ever - security controls, solutions, products and processes work in harmony and are relevant to the requirements and the security threats.
- Employees are involved in information security more than ever and actually understand the PCI DSS requirements.
• Demonstrable best-in-class abilities in the business area under review
Throughout the project, Comsec demonstrated what is expected from a cutting-edge, leading consultancy.
• Total partnership and commitment to the client objective – business, professional and operational
Comsec performed a PCI DSS scoping that includes the organisation’s business environment, internal processes and philosophy, to create a tailored PCI DSS compliance framework that fits the organisation’s principles and operations.
• Clear project management and process reengineering expertise
Comsec dedicated a senior, experienced project manager (director level), with vast experience across hundreds of PCI related projects and specific industry experience in the financial and online sectors. This comes from Comsec’s approach that PCI DSS processes and controls are not stand-alone, do not operate in a vacuum, and must consider the business, operational and even cultural aspects of an organisation. It is only through great experience and professional knowledge that the two can be combined successfully.
• Mastery of the latest technological solutions
Comsec’s QSA team for the project consisted of a top-level technical consultant, with the most up-to-date knowledge of current security solutions and products.
• Understanding of the very latest regulatory requirements
Additionally, Comsec’s lead QSA is an experienced consultant and auditor for many security standards and best practices: PA-DSS, PCI P2PE, ISO27001, COBIT 5, Data Privacy and more. This creates a broad vision of the regulatory environment.
• The successful delivery of a core strategic initiative / set of client objectives
Through expert consulting, Comsec’s experienced QSA team worked together with the client to achieve project targets while optimising the PCI DSS compliance process, including PCI DSS environment and requirements scope reduction, greater flexibility in addressing the requirements and suggesting compensating controls where possible, to assist with reducing costs and unnecessary work.
• On budget, on time
Comsec managed to reduce the annual budget associated with PCI DSS in the organisation by removing irrelevant products and practices from the framework and optimising the overall process and security controls effectiveness.
• Successful integration with existing client infrastructure
Working together with Fundgate, Comsec successfully integrated PCI DSS compliance maintenance with the client’s existing IT & security operations governance framework. This was a complete re-engineering of the previous PCI DSS compliance framework, which did not fit seamlessly into the organisational framework.
• Access to the right technology partners for the job
Comsec helped the company compare and choose the right suppliers and products for the business.