Case Study 3 - TSC Restarts PCI DSS Audit

Making sense of security standards and accountability in a managed services environment

E-business Coach, Inc., a provider of hosted e-commerce software products and software-as-a-service to a growing body of retail / e-commerce merchant clients, had a good understanding of PCI compliance. It had also hired an outside PCI auditor to advise it through the compliance process. But when it came to questions about a prospective hosting provider's encryption and access control compliance, Patrick Pitman, CEO of E-business Coach, couldn't get a straight answer.

"We got stuck on a couple of hard-to-solve issues where access controls span more than one company, an issue endemic to the managed hosting infrastructure and business model on which we're operating," Pitman says. "We were getting the run-around from our managed hosting company and our independent third-party PCI auditor. We turned to TSC (The Security Consortium) for help on the really hard-to-solve stuff."

With pre-assembled data in its database, along with outside research on the hosting provider's business practices, customer interviews and interviews with the hosting provider's IT team, TSC researchers traced the problems through the service provider's security hierarchy.

"We had questions regarding their security administration process, such as firewalls and IDS, and how they managed log analysis and auditing," says The Security Consortium's CEO, Mark Kadrich. "That led us to ask what kind of encryption, VPN, and authentication methods they were using."

The Security Consortium identified two major discrepancies in the way the MSP handled administrative user log-in, both in violation of PCI Requirement 8: Assign a unique ID to each person with computer access.

"Each of the service provider's administrators had the same username and password for common systems they administered, claiming it was for faster password reset and easier access and administration," Kadrich says. "This is in direct violation of the standard."

Second, TSC determined that the administrative access system could not support two-factor authentication, which PCI DSS requires for remote administrative access.

"Right now if you have an incident of any size, the PCI board can demand that you become two-factor compliant, and from then on it will scrutinize that compliancy," Kadrich says. "But when we interviewed the IT security staff at the service provider, they said they didn't even know how to become two-factor compliant. To us, that's a major violation of the standard that can't be resolved soon."

Ultimately, TSC brought clarity to the situation by identifying viable options for E-business Coach, including the implications of each option for compliance and the timing of the audit.

Through the process, vendors serving E-business Coach came to understand that their proposals would be scrutinized by TSC, whose no-nonsense style will expose any hand-waving.

With a new understanding of the audit's real obstacles, E-business Coach was able to reach consensus among its internal stakeholders and with its vendors on a path to complete a successful PCI audit.

"For E-business Coach and its vendors, TSC's input meant that practical compromises in business processes and technologies could be made with an understanding of the consequences," Pitman adds. "TSC's ongoing assistance will ensure that nothing derails that process as it makes its way through final details."