SecureState Blog


Engagement Background

Taking a proactive approach, a governing body in the financial industry wanted to know how ready it was for PCI Compliance.  Our Audit & Compliance team determined that a PCI Gap Assessment would be the appropriate service to fulfill the request.  The PCI standard maintains a framework of security controls developed to protect credit card information during and after a transaction.  A PCI Gap Assessment identifies the controls an organization must have in place to comply with the Payment Card Industry's set of standards.  When a PCI Gap Assessment is performed for the first time, 70% of organizations are found not to be compliant with the PCI standard.  As a practical measure, the client was proactively seeking out its organization's readiness for PCI Compliance before any deadline or incident forced the question.

Why it’s Important

Merchants that process fewer than 1,000,000 credit card transactions annually are classified as level 3 or level 4 merchants, depending on their volume of e-commerce transactions.  Such merchants must be PCI Compliant; however, they are not required to present a Report on Compliance (RoC) to their Merchant Bank.  If an organization's network is breached and the organization is found to be non-compliant, it may be fined, and fined repeatedly, until the proper controls are put in place.  Additionally, if a merchant outsources the processing of credit card transactions to a third-party service provider, it cannot outsource the risk as well.  In this particular engagement, SecureState discovered that the client was unknowingly storing credit card information on its servers.  In fact, when a transaction was processed, the credit card data was transmitted by a central fax server that sent the customer's primary account number (PAN) through e-mail, possibly resulting in the storage of this critical data on the fax server and/or the e-mail server.  This issue must be addressed immediately before PCI Compliance can be pursued.


What the Consultants Had to Say

"We had resolve," our consultant declared.  "It's a good thing the client took a proactive approach to PCI Compliance or they would still be unknowingly storing credit card information on their network."  The client had been leaning towards tokenization, knowing that fewer controls would be in scope.  Before the Assessment, the client was not very motivated, since it was under the impression that no credit card information was being stored at the time.  Because we found credit card information, we recommended that the client move forward with tokenization and helped it identify the controls it would have to put in place to reach PCI Compliance.  We stressed the convenience of a tokenization system and of third-party services that can prevent the storage of credit card data on external e-commerce and internal systems.  In some cases, third-party tokenization providers host special sites that redirect the customer away from the merchant's e-commerce site to the third-party site, which eliminates the merchant's transmission and storage of credit card information.  The third-party service provider has its own rules to conform to, and we notified the client that it is still responsible for ensuring, through contracts and proof of compliance, that the third-party service provider is compliant.  A common misconception is that an organization that uses a tokenization solution automatically becomes compliant, or no longer has to become compliant; both are false.  The organization must be aware that it remains responsible for its third-party service providers in order to achieve PCI Compliance.
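The two findings above, unintended PAN storage in a fax-to-e-mail relay and tokenization as the remedy, are easier to reason about with a concrete check. The script below is an added illustration written for this page, not SecureState's assessment tooling or any provider's product: it scans constructed mailbox text for digit runs that pass the Luhn checksum (the discovery step an assessor performs against fax and mail stores), then replaces each confirmed PAN with a token from a minimal in-memory vault so that only the token remains in the message. The sample messages are constructed, the card numbers are the standard industry test numbers (not real accounts), and the vault is a stand-in for the third-party service the text describes; a real provider keeps the token-to-PAN mapping in a separately scoped, hardened system that stays in the provider's PCI scope rather than the merchant's.

```python
"""Find stored PANs in captured fax/e-mail text and replace them with tokens.

Added example for this post, not SecureState's or any vendor's code.  Sample
messages are constructed; the card numbers are industry test numbers.
"""
import re
import secrets
from typing import Dict, List

# 13-19 digits, optionally separated by single spaces or dashes, and not part
# of a longer digit run (so a 20-digit reference number is not a candidate).
PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_valid(digits: str) -> bool:
    """Luhn mod-10 checksum used by payment card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit from the right
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def find_pans(text: str) -> List[str]:
    """Return Luhn-valid PANs in text as digit strings, in order of appearance."""
    found = []
    for m in PAN_CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if luhn_valid(digits):
            found.append(digits)
    return found


class TokenVault:
    """Minimal in-memory token vault (hypothetical stand-in for a provider).

    Only the vault holds the token -> PAN mapping; merchant systems keep tokens.
    """

    def __init__(self) -> None:
        self._by_token: Dict[str, str] = {}
        self._by_pan: Dict[str, str] = {}

    def tokenize(self, pan: str) -> str:
        if pan in self._by_pan:  # the same PAN always maps to the same token
            return self._by_pan[pan]
        # Random token; only the last four digits are kept for customer service.
        token = f"tok_{secrets.token_hex(8)}_{pan[-4:]}"
        self._by_token[token] = pan
        self._by_pan[pan] = token
        return token

    def detokenize(self, token: str) -> str:
        return self._by_token[token]


def redact_message(text: str, vault: TokenVault) -> str:
    """Replace every Luhn-valid PAN in text with its token; leave other digits alone."""
    def repl(m: re.Match) -> str:
        digits = re.sub(r"[ -]", "", m.group(0))
        return vault.tokenize(digits) if luhn_valid(digits) else m.group(0)
    return PAN_CANDIDATE.sub(repl, text)


# Constructed sample of what a fax-to-e-mail relay might leave in a mailbox.
SAMPLE_MESSAGES = [
    "Subject: Fax from 216-555-0100\nOrder 1234567890123\nCard: 4111 1111 1111 1111 exp 12/27\n",
    "Subject: Fax from 216-555-0101\nCard 5555-5555-5555-4444 declined; retry 4111111111111112\n",
]


def scan_mailbox(messages: List[str]) -> Dict[str, int]:
    """Count confirmed PANs per message index: the finding list for the assessment."""
    return {str(i): len(find_pans(msg)) for i, msg in enumerate(messages)}


if __name__ == "__main__":
    vault = TokenVault()
    print("findings:", scan_mailbox(SAMPLE_MESSAGES))
    for msg in SAMPLE_MESSAGES:
        print(redact_message(msg, vault))
```

The Luhn filter is what keeps the scan useful: the 13-digit order number and the phone numbers in the sample are never reported, and a digit run that fails the checksum (the "retry" number) is left untouched rather than tokenized. Running the scan across the fax server's outbound mail and the mail server's message store is the check that would have surfaced this client's issue before the assessment did.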