CASE STUDY

Online Services Website Chooses Accuvant to Provide PCI Gap Analysis and Remediation Recommendations

CLIENT’S CHALLENGE

The company needed a thorough review of its overall security environment to help ensure that it was compliant with PCI standards in preparation for future audits. It was seeking a trusted, strategic partner that could review its current environment, help identify gaps and deficiencies and provide recommendations for remediation.

An online service’s website processes hundreds of credit card transactions each day in many countries. Like most companies, the organization prides itself on creating the best user experience across all platforms, including online and mobile. Part and parcel of that experience is the peace of mind in knowing that customers’ sensitive credit card information is protected.

ACCUVANT’S SOLUTION

The online services company chose Accuvant to perform a PCI Gap Analysis, an intense process that looks into the environment’s current state and identifies security gaps. Accuvant’s risk and compliance experts recognized that this company’s environment was unique and required very specific and detailed recommendations based on the organization’s needs and goals.

Accuvant’s first step in analyzing this environment was to understand how the client was processing secure information. The baseline analysis also included interviews with security staff directly responsible for information security to help make sure that processes were consistently understood across the team. Accuvant consultants performed physical site walkthroughs, a data center review and an overall systems review to gain a holistic view of the organization.

Accuvant started the PCI Gap Analysis by gathering information about the company’s cardholder environments, including current policies, procedures and network diagrams. Accuvant then used the PCI Data Security Standards (PCI DSS) to establish a baseline for the analysis, including control objectives such as how the company:

• Builds and maintains a secure network
• Protects cardholder data
• Maintains a vulnerability management program
• Implements strong access control measures
• Regularly monitors and tests networks
• Maintains an Information Security Policy

After these standards and expectations were set, the Accuvant team identified gaps in technologies, policies, standards and practices against the PCI DSS. In response to these findings, Accuvant provided the company’s security team with very specific remediation steps and a PCI Compliance Roadmap to secure the environment in preparation for upcoming audits. The roadmap was also intended to help the company eliminate gaps in its overall security program, thereby reducing the risk of a data breach.

[Figure: Security Success Matrix] Accuvant has developed a Security Success Matrix to help organizations create a holistic approach to address their problems as part of an overall information security program.

BUSINESS IMPACT

PCI compliance is central to an organization’s credibility and to maintaining a high level of security for its customers. It is important to work with a strategic security partner that recognizes that while PCI is vital to running a secure business, it is not the only piece of the security puzzle. Because PCI standards only address specific elements of data security standards, they don’t address a company’s entire security program. Accuvant understands the importance of a holistic approach, and provides recommendations for this approach to its clients whenever possible.

By providing expert documentation based on Accuvant’s evaluation of the environment and its current security posture, the client received a roadmap to PCI compliance and determined what it needed to do to remain compliant. Accuvant’s team made sure that its recommended changes minimized, whenever possible, the impact of the requirements on the processes or technology currently in place. The team also tailored their recommendations to be impactful yet cost-effective.

SOLUTION OVERVIEW

Organization Size: Over two million users
Organization Industry: Retail/Online Services
Organization Profile: Online services website
Challenge: To create a snapshot of the current cardholder environment, identify and then remediate PCI gaps in preparation for future audits.

Accuvant Services Provided
• Environment Baseline Assessment
• PCI Gap Analysis
• Remediation Recommendations

Results
• Obtained a Holistic View into Current Security Environment from PCI Compliance Standpoint
• Identified Areas for Improvement to Remain PCI Compliant
• Enhanced Current Processes and Technology Through Accuvant Evaluation

Accuvant, a Blackstone (NYSE: BX) portfolio company, is the leading provider of information security services and solutions serving enterprise-class organizations across North America. The company offers a full suite of service capabilities to help businesses, governments and educational institutions define their security strategies, identify and remediate threats and risks, select and deploy the right technology, and achieve operational readiness to protect their organizations from malicious attack. Founded in 2002, Accuvant has been named to the Inc. 500|5000 list of fastest growing companies for the last eight consecutive years. The company is headquartered in Denver, Colo., with offices across the United States and Canada. Further information is available at www.accuvant.com.

© 2014 Accuvant, Inc. All Rights Reserved. “Accuvant” is a registered trademark of Accuvant, Inc.
1125 17th Street Suite 1700 | Denver, CO 80202 | 800.574.0896 | www.accuvant.com