PCI Certification For A Global Hospitality Chain

PCI Certification and its worth

While most organizations and governments try to recede costs, electronic payments have been an economical solution. It can save transaction time, be less error-prone and flexible to usage. But the query still stays in the pocket – who is responsible for the security and privacy of these transactions? That is where Payment Card Industry (PCI) fosters its control.
Any agency that stores, processes, or transmits cardholder will require complying with Payment Card Industry Data Security Standard (PCI DSS). It consists of 12 major requirements and 200-line subset requirements.

Being PCI DSS compliant benefits enterprises in the following ways: –

Secures resident card data and limits the risk of getting breachedHelps entities to achieve a better security postureOffers a globally recognizable standard to adhere in line with business goalsImprove operational efficiency and customer confidenceReduces data breach costs and hikes organizational fameClient probing for PCI DSS Compliance

The client is a well-known and leading global developer and operator of destination resorts, ultra-luxury hotels and premier residences. Their hospitality chain extends to almost every corner of the world with immense prestige, trust, and fresh perspectives. While traversing boundaries beyond expectations, securing monetary movements to the peak is an utmost requirement.

Requirements of the engagement

With a far-flung hospitality chain and operation exposure in vivid regions, the client requisites for engagement hung to: –

– PCI DSS Compliance Audit/Advisory Support
– Remediation Advisory Support

Challenges

With an extensive scope connected to the engagement process, numerous challenges stood to the forefront: –

Organization approaching for PCI DSS Compliance for the first time.Restrictions to have onsite visit due to COVID-19.Multiple third-party service provider from different time zone was part of the audit scope.A broader scope, extending to numerous cloud platforms managed by diverse teams.Undefined cardholder network scope.Business process enhancements had to made by the organization to handle sensitive authentication data and historic data.Historic data not purged in line with a retention period.Strategy

– The engagement process involved a 3-member team for PCI DSS Audit and remediation support.

A Qualified Security Assessor (QSA) Auditor and Quality Assurance (QA) from the audit service lineA Payment Security Consultant from the consulting service line

– Next, a two-phase audit got performed on the client environment

Phase 1: Initial Audit to reediness check and identification of GapsPhase 2: Final Audit was a complete audit along with validation of gap closures

– Agreed upon audit dates with all stakeholders rounding a detailed plan of audit activities
– Remote assessments over MS teams with screen share
– Created action plans with remediation advice and target dates
– Our consultants kept regular communication with the customer to keep track of gap remediation status with timely advisory support
– Consultant liaising with technical team for control implementation advisory and support from QSA (if required)
– Readiness check before commencing the final audit
– Evidence collection right from Phase 1 to avoid delays during the final audit and ROC preparations

Deliverables

– Delated Initial Assessment report with recommendations
– Report of Compliance (ROC)
– Attestation of Compliance (AOC)

Outcomes

– Close to 30 audit findings got reported from Applications, Database, Network, Cloud Platforms, Servers, Security Operations and Log Management, AV, HR & IT Operations
– The client was able to achieve successful certification in three and half months

How PCI Certification benefited the client

Our healthy PCI compliance services (PCI DSS Audit and Remediation) gleamed benefits for the client in several ways. Due to the service association, the client could redefine their IT policies, strategies, and processes to better peaks. Also, it helped them improve the security posture connected to each system in scope. Moreover, the service engagement resulted in increased customer trust and confidence, which is the most priceless thing for a company, especially in th