Author: Steve Foret
The complexity of achieving and remaining compliant against a highly detailed security framework is what makes PCI so daunting. Mention PCI to those who have been through the wringer, and you can see the chill shoot through their spine. Because of this complexity, organizations struggle to determine the ideal strategy to attain and maintain compliance.
Often, the primary strategic goal for organizations is to simplify the business processing environment to reduce the PCI scope. Unless an organization is a bank or a processor, there really is no compelling reason to store credit cards. While exceptions exist, the basic steps detailed below, with simplicity in mind, have been leveraged in dozens of environments over the years.
The Steps
Step 1: Map Flows and Identify Payment Use Cases
In a complex environment there may be several disparate business teams, payment channels, or models that take payments for goods, services, or donations. Each payment channel will accept some form of credit card. These use cases and payment channels can be indexed in a basic payment channel table. Map those teams to applications (for collecting, processing, or forwarding), technical system locations, and any locations where the data is expected to exist. The technology owner and security owner are then identified and associated with each environment, with responsibility for its data, technology, and security controls.
Step 2: Consolidating Credit Card Processing Intakes
Assess the credit card processing landscape at a high level to identify the various intake points and enabling technology, providing a targeted way to consolidate transactions into a few easy-to-use processing systems. This consolidation supports streamlined business operations, reduces the complexity of data management, and lays the foundation for robust security measures.
Step 3: Outsourcing Credit Card Processing
The next step reduces the credit card footprint by partnering with PCI compliant third-party provider(s) that enable outsourcing of end-to-end transactions directly to the organization’s bank. They also provide a tokenization capability for credit card numbers to further simplify PCI. These payment gateways, PTS devices, etc. were all approved by PCI as self-isolating and further reduce PCI scope. This strategic move pushed payment transaction handling to an approved provider with proven security protocols, allowing our customer to focus on their core business of developing cost-efficient, innovative healthcare services.
Step 4: Truncating Full PAN
To minimize the remaining risk associated with storing full Primary Account Numbers (PANs), SEVN-X worked with our customer to review the internal data stored and created procedures to truncate the PAN, retaining only the last four digits. The last four digits are not considered a credit card number and are no longer in scope for PCI. This was the last step for this organization in fully migrating its business processes away from directly storing and handling credit card numbers.
Step 5: Masking Remaining Data
We dove into one last scoping topic: removing any remaining data exposure points where end users may see credit cards while using the outsourced payment gateways, by employing data masking techniques. By replacing clear visibility of sensitive data with masked characters, unauthorized access would yield meaningless information. This added an important last layer of protection to safeguard patient data.
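As an added illustration of Steps 4 and 5 (not code from the original article or from SEVN-X), the following Python shows the two data operations the steps describe, truncation to the last four digits and display masking, plus a residual-PAN check a reviewer can run over stored records to confirm that no full PANs survived the migration. The sample records and the hypothetical field names are constructed; the card numbers are well-known test numbers.

```python
import re

# Candidate PAN: 13 to 19 digits, optionally separated by single spaces or dashes.
PAN_PATTERN = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")

# Constructed sample records, as a stored-data review might find them.
SAMPLE_RECORDS = [
    "patient=1001 card=4111111111111111 amount=120.00",
    "patient=1002 card=5555 5555 5555 4444 amount=45.50",
    "patient=1003 card=1111 amount=60.00",              # already truncated
    "patient=1004 order=4111111111111112 amount=9.99",  # fails Luhn: an order id, not a PAN
]

def luhn_valid(digits: str) -> bool:
    """Luhn check: filters out digit runs that merely look like card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        n = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            n = n * 2
            if n > 9:
                n -= 9
        total += n
    return total % 10 == 0

def find_pans(text: str) -> list:
    """Return the full PANs (digits only) present in one stored record."""
    found = []
    for m in PAN_PATTERN.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if luhn_valid(digits):
            found.append(digits)
    return found

def truncate_pan(pan: str) -> str:
    """Step 4: keep only the last four digits; the rest is discarded, not stored."""
    return re.sub(r"[ -]", "", pan)[-4:]

def mask_pan(pan: str) -> str:
    """Step 5: display form, every digit except the last four replaced by '*'."""
    digits = re.sub(r"[ -]", "", pan)
    return "*" * (len(digits) - 4) + digits[-4:]

def scrub_record(text: str) -> str:
    """Replace every full PAN in a record with its masked form (non-PAN digits untouched)."""
    def repl(m):
        digits = re.sub(r"[ -]", "", m.group(0))
        return mask_pan(digits) if luhn_valid(digits) else m.group(0)
    return PAN_PATTERN.sub(repl, text)

def scan_records(records) -> list:
    """Residual-PAN check after truncation: indexes of records still holding a full PAN."""
    return [i for i, r in enumerate(records) if find_pans(r)]
```

A non-empty result from scan_records means the truncation procedure has not yet reached every data store and that record set remains in PCI scope.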
Step 6: Deploying Controls on the Remaining Scope
With the PCI environment simplified and streamlined, SEVN-X helped in deploying policy, procedures, and technical security controls. This included conducting regular security assessments, vulnerability scans, and penetration testing to identify and address potential weaknesses. We also implemented strict access controls limiting access to authorized personnel only.
Step 7: Segment, Segment, Isolate
With a clear set of relevant technologies remaining, which happened to be a small population of end user workstations, the final technical task is to isolate (or self-isolate) those systems from everything else. Isolating PCI systems enhances security and simplifies PCI compliance through a smaller audit scope. Segmentation will require network isolation, strict access control, and encryption to protect these systems. The remaining work is to govern the scope, which includes vendor device tracking, vendor contracting, regular monitoring, testing, and confirmed secure protocols to further strengthen the isolated PCI environment.
A Case Study: A Secure and Trustworthy Payment System in Healthcare
Healthcare organizations face significant data security and compliance challenges when it comes to securing patient payment card information. While SEVN-X has spent years simplifying scoping for PCI, it is not easy.
Through the approach listed above, SEVN-X helped their healthcare customer successfully achieve PCI compliance in a very short, accelerated window. Their commitment to consolidating credit card processing intakes, outsourcing to experts, truncating PANs, masking data, and deploying stringent controls resulted in a PCI-compliant environment that met the highest standards of data security.
Key Accomplishments
During our post-mortem review of the engagement, and from follow-up conversations with the key stakeholders at the healthcare organization, the following positive outcomes were noted:
- Compliance was accelerated to a 12-month window; however, compliance was only part of the story. The organization’s operational risk also decreased by eliminating payment card information that was being unnecessarily stored.
- In eight (8) months, years of tech debt were simplified by consolidating to a PCI compliant payment architecture.
- In twelve (12) months, knowledge, awareness, and guardrails (key program objectives) were established for operations and management to track and maintain compliance.
- Over the longer term, beyond 12 months, sustainability became part of the management of the organization through various teams and the collaboration of initiatives related to credit card activities, technology enhancements, and M&A activities.
Lessons Learned:
- Centralization is Key: Consolidating credit card processing intakes into a single system simplifies data management and strengthens security measures.
- Leverage Expertise: Outsourcing credit card processing to PCI-compliant providers ensures that transactions are handled by specialists with proven security protocols.
- Minimize Sensitive Data: Truncating and masking PANs significantly reduce the risk associated with storing full credit card numbers, complying with PCI DSS requirements.
- Comprehensive Controls: Regular security assessments, vulnerability scans, and access controls are essential to maintaining a secure environment.
- Continuous Improvement: Achieving PCI compliance is an ongoing process that requires constant vigilance and adaptation to emerging threats.
- Leverage PCI compliant vendors, devices, and e-commerce by default: By using compliant parties that you’ve verified meet PCI requirements, you have moved one more step toward simplifying your environment.
By leveraging specialized expertise and implementing best practices, the healthcare organization not only met regulatory requirements but also ensured the protection of their customers' sensitive information.