Case Studies

PCI-DSS

Introduction:

A large bank approached Cybernetic GI for PCI-DSS certification. The bank faced a major challenge in achieving PCI-DSS certification because of the complexity of its infrastructure and its use of legacy applications. It had engaged a cyber security firm for PCI-DSS implementation support, but that firm was not a PCI-DSS QSA firm, so the bank wasted both time and money trying to attain PCI-DSS compliance.

Not being PCI-DSS certified, the bank received warnings from the regulators that its banking license would be suspended. The bank faced significant financial risk in terms of fines and penalties.

Challenge:
  • The cyber security firm previously appointed by the bank had not determined the PCI-DSS scope.
  • That firm had sold the bank various solutions, claiming they were required to achieve PCI-DSS compliance.
  • The bank had a vast network of branches and integrations with various financial institutions and payment gateways.
  • The client provided ATM switching to other member banks.
  • The client was violating PCI-DSS principles on the storage, processing, and transmission of cardholder data.
  • The client processed huge volumes of transactions, which made the protection of cardholder data paramount.

Solution:

  • Initial consultation: Cybernetic GI's cyber experts held a kick-off meeting with all the stakeholders from the bank. During the kick-off meeting, our team gained a brief understanding of the various banking processes carried out from the bank's main office and its other branches.
  • Requested prerequisites: During the kick-off meeting, we also advised on and requested all the prerequisites required before commencing the audit.
  • Gap assessment (first round): After reviewing the prerequisite documentation, our team started the onsite gap assessment. During this process, our team interviewed the bank's various departments and developed a detailed understanding of their processes and IT infrastructure.
  • Scope reduction: Based on the gap assessment, we prepared a plan to reduce the PCI-DSS scope. We recommended changes to various processes, to the handling of cardholder data, and to LAN segmentation.
  • Presented scope reduction plan: We discussed the scope reduction plan with all stakeholders and explained its benefits to them. Some departments had concerns about the suggested recommendations; we discussed these and provided alternative recommendations. All stakeholders signed off on the scope reduction plan and provided a tentative implementation date.
  • Documentation: Meanwhile, our team started working on the mandatory documentation required for PCI-DSS compliance.
  • Gap assessment (second round): After receiving confirmation from our client that they had implemented all the recommendations in the scope reduction report, we performed the second round of gap assessment.
  • Gap assessment report: We submitted a gap assessment report on the non-compliant requirements, along with recommendations.
  • Remote assessment: After finalizing the scope, our assessment experts performed an internal VAPT, an external VA, an ASV scan, a web application PT, etc. After the testing, they submitted detailed reports along with recommendations.
  • Retesting round: We had to perform 3 rounds of retesting to ensure all vulnerabilities had been closed.
  • Final PCI-DSS QSA audit: Our experts walked our client through the audit process and asked them to have all evidence and access ready at the time of the audit. Our team scheduled the PCI-DSS QSA audit after discussing it with the client. The PCI-DSS QSA came onsite and completed the audit.
  • RoC and AoC preparation: After the audit, the PCI-DSS QSA started writing the Report on Compliance (RoC) and the Attestation of Compliance (AoC). After a QA round, Cybernetic GI released the RoC and AoC. Our client had successfully achieved PCI-DSS certification. The client also learnt that for PCI DSS compliance audits you need to engage companies that are approved as PCI DSS QSAs by the PCI Council.