PCI-DSS: “SHOULD WE SHUT DOWN OUR OPERATIONS?”
Issue: Our client, an e-commerce retailer and logistics solution provider to top brands in the apparel industry, was having major difficulties with the security vendor that handled its cardholder data. Our client manages returns, credits, and CRM for its customers and is required to retain cardholder data. The client wanted to “tokenize” all cardholder data and needed to bring its Payment Card Industry Data Security Standard (PCI-DSS) compliance in-house. The client has a savvy IT department, but only one new hire on staff with any prior PCI compliance experience.
Challenge: Advise and consult with the client about how to make their complete infrastructure and operations PCI-DSS compliant within a 3-4 month time-frame. The client processes more than 750,000 “card not present” transactions per year and growing. The client also has a customer service call center that processes phone orders for catalogues.
Approach: Discovery: a determination needed to be made as to any areas of noncompliance and possible solutions. Analysis: the possible solutions were analyzed to determine what was technically possible, the technical resources that would be required for implementation, the policy and operational needs to be addressed, and the most efficient manner to achieve roll-out within the short time frame. Production: our CIPP prepared a detailed workflow and implementation plan detailing all necessary deliverables, timelines and resources required.
Implementation and Result: Our CIPP assembled the forces, including all upper-level IT engineers, the COO, CFO, and Directors of Operations. Working closely with the client’s IT department, we assessed the proposed network design, provided oversight of all aspects of the anticipated approach, offered suggestions about how to proceed, and exercised decision-making authority to assist the client in achieving the correct result. We drafted a comprehensive 40-plus page information security policy manual for the client, establishing all written policies necessary to effectuate full in-house PCI compliance. The client used that policy as a guide for constructing its internal operations. We constructed the client’s information security team and drafted minutes, SOPs, and change control compliance documents for ongoing PCI compliance activities. Finally, we educated the IT and operational teams to enable them to understand the processes required to achieve compliance, assisted in resolving internal conflicts amongst the teams, and delivered a solution that balanced technical, legal and operational constraints.