One of the largest privately held regional retail corporations in the United States, with over 10,000 staff members in more than 500 locations and over one billion dollars in annual sales, engaged Focal Point as its PCI QSA to perform its annual PCI compliance audits. The Retailer sought to ensure that its network architecture, system configuration, security management, policies, procedures, and other critical security measures aligned with PCI DSS requirements.
Focal Point had previously supported the Retailer from a PCI compliance advisory perspective, defining and documenting cardholder data (CHD) assets, assisting with project scoping, and determining proper segmentation. The Retailer had failed its PCI compliance audit the prior year and been fined nearly $100,000. It was seeking additional help to bring its cybersecurity program and IT initiatives in line with this industry standard. After a successful audit, the Retailer selected Focal Point as its primary QSA and security partner. Focal Point has continued to work with this Retailer for the last seven years.
Project Summary
Challenge 1: Lack of Defined Controls
In the months after being fined for non-compliance, the Retailer struggled to find a PCI QSA to work with. Most told the Retailer that it did not have enough of the necessary controls in place to begin a PCI audit. So, the Retailer began to design and implement the controls required by the PCI DSS.
After six months of work, the Retailer reached the point where it needed a PCI expert with a deep understanding of the PCI DSS to act as an advisor and help it strengthen its controls. The Retailer engaged Focal Point in this advisory role.
At the start of the engagement, Focal Point facilitated interviews, performed observations, and reviewed documentation and configurations to gain a better understanding of the cardholder data environment (CDE) across the business. Focal Point's experts also inspected relevant controls to evaluate their effectiveness and toured key data centers and facilities.
Over the course of the project, Focal Point identified significant deficiencies in the Retailer's controls and processes. Rather than being built into a streamlined, cohesive PCI framework, control improvements were being made ad hoc, leading to major gaps in compliance.
Based on the initial results of the gap analysis, the Focal Point team developed a compliance roadmap that ranked the areas of non-compliance by risk level and detailed the steps for remediating those gaps. In addition, the team provided remediation assistance and ongoing support to ensure the policies, procedures, and applications met compliance requirements and were implemented properly.
Challenge 2: High Cost of Compliance
The Retailer paid a high price for PCI compliance. Due to its compliance violation the prior year, the Retailer had been fined a total of eight times, at $10,000 for each violation. In addition, the company had to invest nearly three-quarters of a million dollars into PCI compliance the following year in order to bring its program into alignment. Although extensive work was needed to become compliant, the Focal Point team worked with the Retailer to improve controls and streamline compliance processes. Today, its annual audit costs have been reduced by 80%, and the Retailer has not received any fines since then, leaving it much more budget to allocate to other security initiatives and improvements.
Challenge 3: Excessive Timelines
After receiving the initial penalty for non-compliance, it took the Retailer nearly 18 months before it was ready for its next PCI audit. But after the appropriate controls and processes were implemented during this first assessment, Focal Point reduced the total audit time to under six months the following year.
In addition, the Retailer saw a marked improvement in its Key Risk Indicators (KRIs) around PCI compliance. The average time to review evidence and remediate issues fell to 41 days, and the average number of issues decreased to 31.
Success and Continued Support
Following this audit, the Retailer was able to strengthen its cyber defenses, meet and maintain PCI DSS compliance, and limit the possibility of another fine. Focal Point has continued to be the Retailer's PCI QSA since 2012 and has assisted with a number of other key initiatives. The Focal Point Penetration Testing team has performed biannual segmentation tests over the last seven years and has been instrumental in establishing the Retailer's threat vulnerability management program. In addition, the Retailer has brought the Focal Point team on to consult on key security initiatives, such as security risk and maturity dashboard creation, risk assessments, secure development training, and incident response testing and training.