Security by Design — Meeting PCI Compliance for an Online Retailer

Online Retail Sale

Online Retailer


The Problem

BlueAlly’s client, an online retailer, had failed both an internal and an external PCI DSS audit and was paying fines. One more external audit failure would have cost them the ability to accept credit cards through their highly profitable eCommerce portal. Because of that risk, the project had the attention of the CIO and other members of the C-suite.

The BlueAlly Solution

It was our belief that no single IT group could solve the issues on its own. The solution was to engage all of the teams in a coordinated, all-out effort to meet the deadlines. This meant having the systems team accelerate the VMware conversion while bringing the network and security operations teams up to speed on the technology. In addition, BlueAlly worked with the compliance and applications teams on the importance of clearly identifying which systems were in PCI scope.

The Results

The customer passed their PCI audit and put in place the systems, procedures and processes needed to stay compliant.

Network Overlay Strategy

The implemented automation reduced elapsed time from 14 weeks to 4 weeks and reduced overall costs by 75%.

Significant Rule Reduction

The immediate output of this process has been faster turnaround of connectivity requests: each request now receives a standardized, checklist-style document with patching instructions.

Simplified Attestation and Audit

The network has been documented incrementally as the patching work progressed: the device type, the rack and patch panel, and the location have all been entered into each port’s configuration.

Micro Segmentation Bonus

Troubleshooting end-host connectivity is easier for the network administrator, who now works from a fully documented patch plan for the network.

See the specifics in our PCI Technical Case Study