Loss Of PCI Accreditation


THE SITUATION

As a payment transaction company processing millions of commercial transactions each day, maintaining the appropriate accreditation is a fundamental business requirement. Losing the regulatory ability to store and process customer credit card details would be disastrous.

As part of the PCI accreditation process, the company is required to regularly penetration test its systems and remediate any significant findings in a timely manner. This payment processor discovered approximately 100 critical issues across its large suite of applications, requiring a large development remediation project. However, the applications were large, complex and rigid. Changing frameworks and components to fix security flaws resulted in large portions of the functional code being adversely affected.

Nonetheless, the project proceeded, and the 90-day PCI tests and retests revealed little to no progress. After 12 months of remediation and millions of dollars invested, the number of critical issues had increased by 20%. With time and money running out, the company had 6 months to resolve all issues before losing PCI accreditation. The company engaged a large systems integrator, their existing WAF vendor and RedShield.


OUR SOLUTION

After reviewing all providers, the systems integrator and the existing WAF vendor were selected to help resolve the issues. However, 4 months later RedShield received a call stating that no progress had been made.

RedShield then proposed a shielding trial on the application with the most issues. The company supplied the relevant pen test report and gave RedShield 3 days to address the findings. On the third day, RedShield demonstrated that the shields received passes for 20 of the 22 pen test findings.

We thought we had chosen the safe option with big vendors with lots of capability and specialists. In the end it turns out that, due to RedShield’s singular focus on our sort of problem, they actually have more experience and capability than the big guys. Thanks RedShield, you got us out of a really difficult situation.

THE RESULT

RedShield addressed issues in more than a dozen applications over the next 3 weeks, and all outstanding items were resolved. In total, RedShield addressed over 100 items that teams of software developers, systems integrator engineers and WAF professional services had been unable to resolve. The company passed its PCI audit. Additional issues continue to be discovered, and RedShield continues to respond to them.

February 24, 2020