A PCI Audit for a Major Retailer

One of the largest privately held regional retail corporations in the United States, with over 10,000 staff members in more than 500 locations and over one billion dollars in annual sales, engaged Focal Point as its PCI QSA to perform its annual PCI compliance audits. The Retailer sought to ensure their network architecture, system configuration, security management, policies, procedures, and other critical security measures aligned with PCI DSS requirements.

Focal Point had previously supported the Retailer in a PCI compliance advisory capacity, defining and documenting cardholder data (CHD) assets, assisting with project scoping, and determining proper segmentation. The Retailer had failed its PCI compliance audit the prior year and been fined nearly $100,000. It was seeking additional help to bring its cybersecurity program and IT initiatives in line with this industry standard. After a successful audit, the Retailer selected Focal Point as its primary QSA and security partner. Focal Point has continued to work with this Retailer for the last seven years.

Project Summary

Challenge 1: Lack of Defined Controls

In the months after being fined for non-compliance, the Retailer struggled to find a PCI QSA to work with. Most told the Retailer that it did not yet have enough of the necessary controls in place for a PCI audit to begin. So, the Retailer began designing and implementing the controls required by the PCI DSS.

After six months of work, the Retailer reached the point that it needed a PCI expert with a deep understanding of the PCI DSS to act as an advisor and help them strengthen their controls. The Retailer engaged Focal Point in this advisory role.

At the start of the engagement, Focal Point facilitated interviews, performed observations, and reviewed documentation and configurations to gain a better understanding of the cardholder data environment (CDE) across the business. Focal Point’s experts inspected relevant controls to evaluate their effectiveness and toured key data centers and facilities, as well.

Over the course of the project, Focal Point identified significant deficiencies in the Retailer's controls and processes. Rather than building a streamlined, cohesive PCI framework, the Retailer had been making control improvements ad hoc, leading to major gaps in compliance.

Based on the initial results of the gap analysis, the Focal Point team developed a compliance roadmap that ranked the areas of non-compliance by risk level and detailed the steps for remediating those gaps. In addition, the team provided remediation assistance and ongoing support to ensure the policies, procedures, and applications met compliance requirements and were implemented properly.

Challenge 2: High Cost of Compliance

The Retailer paid a high price for PCI non-compliance. Due to its compliance violation the prior year, the Retailer had been fined a total of eight times at $10,000 for each violation. In addition, the company had to invest nearly three-quarters of a million dollars into PCI compliance the following year in order to bring its program into alignment. Although an extensive amount of work was needed to become compliant, the Focal Point team worked with the Retailer to improve controls and streamline compliance processes. Today, its annual audit costs have been reduced by 80%, and the Retailer has not received any fines since then, leaving much more budget to allocate to other security initiatives and improvements.

Challenge 3: Excessive Timelines

After receiving the initial penalty for non-compliance, it took the Retailer nearly 18 months to become ready for its next PCI audit. After the appropriate controls and processes were implemented during this first assessment, Focal Point reduced the total time of the audit to under six months the following year.

In addition, the Retailer saw a marked improvement in its Key Risk Indicators (KRIs) around PCI compliance. The average time to review evidence and remediate issues was reduced to 41 days, and the average number of issues decreased to 31.

Success and Continued Support

Following this audit, the Retailer was able to strengthen its cyber defenses, meet and maintain PCI DSS compliance, and limit the possibility of another fine. Focal Point has continued to be the Retailer's PCI QSA since 2012 and has assisted with a number of other key initiatives. The Focal Point Penetration Testing team has performed biannual segmentation tests over the last seven years and has been instrumental in establishing the Retailer's threat and vulnerability management program. In addition, the Retailer has brought the Focal Point team on to consult on key security initiatives, such as security risk and maturity dashboard creation, risk assessments, secure development training, and incident response testing and training.

Featured Service

PCI Compliance

Focal Point has been a PCI QSA and ASV for more than 14 years and has helped some of the biggest retailers in the world align their policies, procedures, and technologies with the PCI Data Security Standard (DSS). From gap analyses to compliance roadmaps to remediation assistance, we can help you build a best-in-class security program.
