Case Studies: Small/Mid-Sized Businesses

COULD THIS SCENARIO HAPPEN TO YOU?

Client: A Regional Mid-Sized Gas Station Chain

Solution Type: Compliance (PCI Self-Assessment)



Situation

Our client, a mid-sized chain of 36 gas stations in the midwestern U.S., recently conducted their self-assessment for PCI compliance as a Level 2 business and found some shortcomings in their compliance posture. Specifically, they had concerns about compliance with Requirement 7.1: they could not answer a confident "yes" to the question "Is access to system components and cardholder data limited to only those individuals whose job requires such access?" This client had robust security in place at the perimeter of their critical IT infrastructure and had no history of unauthorized access. However, they had just added a new "pay-at-the-pump" module to their existing POS system, which was now being maintained remotely by their POS vendor's tech support team. They had serious reservations about granting these very tech-savvy users access to their critical infrastructure, particularly in light of recent news stories about the nightmares faced by some major U.S. retailers who had experienced theft of confidential cardholder data by similar high-risk users.

The vendor's tech support team had continual access inside the critical IT infrastructure, and our client had no measures in place specifically designed to prevent these users from accessing systems, devices and data that they were not authorized to see. Any potential breach of these confidential systems and data would put the company at substantial risk:

  • A breach of cardholder security in a high-profile retail business such as theirs could undermine consumer confidence and damage their brand for years to come;

  • If independent investigation uncovered systematic, unauthorized access to cardholder and transaction data by outside vendors, the client firm would be subjected to fines as large as $500,000 per incident, by Visa alone;

  • This serious breach of payment card security could result in re-classification of the business so it was no longer eligible for PCI self-assessment, and instead require the vastly increased time and expense of external PCI compliance audits for years to come.

Challenge

Any solution needed to be cost-effective, as margins in this business were generally among the smallest in retail. The client made it very clear that the key to managing a mid-sized business with a high volume of transactions and low margins is to keep expenses low. Our client also wanted to avoid at all costs the possibility of required annual PCI audits by proving that their firm is capable of the continuous, automated reporting and strict proof of control required to achieve and maintain compliance beyond the self-assessment date. The client also needed to maintain the high service level and nearly 100% uptime that results from remote management and maintenance of its mission-critical POS system by certified vendor experts, so eliminating vendor access to the critical IT infrastructure was not an option.

PCI compliance is highly dependent on the ability to maintain a compliant operating environment over a full 12-month cycle, not just on a particular day. So our final challenge was to help instill a mindset of continuous PCI compliance within the organization.

The Xceedium Solution

Xceedium explained to the client that it could not complete the self-assessment questionnaire, or rely upon its results, until it closed the potential security gap raised by Requirement 7.1 and established a technology infrastructure that enables it to continuously address the real intent of the PCI requirements: doing what is right to protect the company, its assets, and its customers. The core of this infrastructure would be the cost-effective GateKeeper 620 – a hardened appliance that comprises a complete solution for PCI self-assessment via the Xceedium Entitlement Management model, which includes access control, enforcement, monitoring, recording and reporting. Specifically, the client benefited from the unique and patent-pending features of the GateKeeper 620, including Leapfrog Prevention™, which keeps high-risk users like their POS vendor support team contained in authorized areas only, and bi-directional session recording for all CLI-based access, which provides a complete audit trail and full accountability for outside vendors and other high-risk users. Automated, centralized reporting capabilities reduce the time and complexity of passing internal audits and delivering proof of compliance. GateKeeper 620 automates the complex security models for high-risk users necessary for meeting compliance regulations, especially the critical Level 2 and Level 3 PCI self-certification requirements.
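The control model described above (deny-by-default entitlements per role, containment of an already-connected vendor so an authorized host cannot be used as a springboard, bidirectional recording, and a report that answers the Requirement 7.1 question) can be sketched in code. The following is an added illustration written for this page; it is not Xceedium's GateKeeper implementation, and every role, host name, policy entry and command in it is constructed for the example.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Set

# Constructed entitlement policy (deny by default): role -> hosts that role may reach.
ENTITLEMENTS: Dict[str, Set[str]] = {
    "pos_vendor_support": {"pos-pump-01", "pos-pump-02"},
    "internal_dba": {"txn-db-01"},
}

# Constructed set of systems that store or process cardholder data.
CARDHOLDER_SYSTEMS: Set[str] = {"pos-pump-01", "pos-pump-02", "txn-db-01"}


@dataclass
class AuditEvent:
    user: str
    role: str
    source: str
    target: str
    detail: str
    allowed: bool


@dataclass
class Session:
    user: str
    role: str
    log: List[AuditEvent] = field(default_factory=list)


def is_entitled(role: str, host: str) -> bool:
    # An unknown role maps to an empty set, so the default answer is "no".
    return host in ENTITLEMENTS.get(role, set())


def connect(session: Session, source: str, target: str) -> bool:
    """Gate a connection attempt and record it whether or not it is allowed."""
    allowed = is_entitled(session.role, target)
    session.log.append(AuditEvent(session.user, session.role, source, target, "connect", allowed))
    return allowed


def hop(session: Session, from_host: str, to_host: str) -> bool:
    """Containment of a connected user: a hop from an authorized host is judged by the
    same entitlement as a fresh login, so an authorized host cannot be used as a
    springboard into systems the role may not see."""
    if not is_entitled(session.role, from_host):
        # The session should never be on from_host at all; deny and record the anomaly.
        session.log.append(AuditEvent(session.user, session.role, from_host, to_host,
                                      "hop from unentitled host", False))
        return False
    return connect(session, from_host, to_host)


def record_command(session: Session, host: str, command: str, output: str) -> None:
    """Bidirectional recording: keep both what the user sent and what the host returned."""
    session.log.append(AuditEvent(session.user, session.role, host, host,
                                  f"cmd={command!r} out={output!r}", True))


def denied_events(session: Session) -> List[AuditEvent]:
    return [e for e in session.log if not e.allowed]


def cardholder_access_report(sessions: List[Session]) -> List[dict]:
    """Evidence for the Requirement 7.1 question: every connection to a cardholder
    system, with whether the role was entitled to it."""
    rows = []
    for s in sessions:
        for e in s.log:
            if e.target in CARDHOLDER_SYSTEMS and e.detail == "connect":
                rows.append({"user": e.user, "role": e.role,
                             "target": e.target, "allowed": e.allowed})
    return rows


def demo() -> Session:
    """Constructed walk-through: a vendor technician reaches an authorized pump controller,
    runs a command, then tries to move onward to the transaction database."""
    s = Session(user="vendor_tech", role="pos_vendor_support")
    connect(s, "jump-host", "pos-pump-01")   # allowed by the role's entitlements
    record_command(s, "pos-pump-01", "show version", "pump-fw 4.2")
    hop(s, "pos-pump-01", "txn-db-01")       # denied: txn-db-01 is not entitled
    hop(s, "txn-db-01", "pos-pump-02")       # denied: the role was never entitled to txn-db-01
    return s


if __name__ == "__main__":
    sess = demo()
    for ev in denied_events(sess):
        print(f"DENIED {ev.user}/{ev.role}: {ev.source} -> {ev.target} ({ev.detail})")
    for row in cardholder_access_report([sess]):
        print(row)
```

The point of `hop` is that the entitlement check is applied to every onward connection, not only to the initial login; the denied events it records are exactly the evidence an assessor would want to see, and the report lists every touch of a cardholder system together with whether the role was entitled to it.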

Benefits

Our client benefits from an Xceedium GateKeeper 620 solution that cost-effectively and easily facilitates self-certification for PCI Level 2 and Level 3 requirements. As a result of Xceedium's GateKeeper 620 solution, this client:

  • Was able to cite the patent-pending Leapfrog Prevention™ technology of Xceedium GateKeeper 620 to answer "yes" to PCI Requirement 7.1, confirming their ability to limit access to cardholder data to authorized individuals only;

  • Was able to provide proof of control to maintain its ability to self-certify for PCI Level 2 requirements, rather than be subjected to annual external PCI audits;

  • Created the infrastructure necessary to achieve continuous risk management, proactively identifying and mitigating unauthorized activities of high-risk users that might jeopardize the integrity and security of sensitive data and the IT infrastructure;

  • Achieved effective separation of duties among high-risk users by compartmentalizing the IT infrastructure to protect critical systems and data from unauthorized access, and containing these users within authorized areas, avoiding the risk of large fines;

  • Implemented a continuous, automated PCI self-certification solution that was cost-effective and easy to install, without any effect on legacy systems, including local POS systems.

Toll Free: 877-636-5803 | info@xceedium.com
© 2009 Xceedium, Inc. Privacy Policy | Terms of Service