Case Study PCI Compliance Validation and Penetration Testing

July 05, 2018

Case Study PCI Compliance Validation and Penetration Testing

Synopsis
4 Minute Read

The landscape for Canadian businesses is evolving rapidly, driven in large part by technological advances and consumers' growing demands for new options.

At the same time, business change is accelerating, creating more options for consumers — and more complexity for financial institutions. Implementing change and embracing innovation is a must for credit unions, but understanding the complexities of finding the right path forward can be a challenge.

CASE STUDY

PCI Compliance Validation and Penetration Testing

HostedPCI

THE PROJECT

As a Level 1 service provider, HostedPCI manages cardholder processing data and tokenization services for card-not-present transactions on behalf of many high-profile, high volume customers – including Major League Baseball, the Toronto Blue Jays, Six Flags resorts, and Cineplex theatres. Based on a seven-year-long relationship, HostedPCI engaged MNP to conduct their 2017 Report on Compliance – an annual requirement for retaining payment card industry data security standard (PCI DSS) compliance. The project included an onsite certification assessment and penetration testing exercise to ensure the integrity of HostedPCI’s three client service solutions:

Checkout Express Edition – Provides e-commerce merchants with full control of their online checkout pages. Payment Vault Tokenization Module – Fully-integrated solutions between HostedPCI and client payment vaults, which allows token exchange between e-commerce, order management, call centres and customer relationship management applications.

Call Centre Edition – Creates a straightforward path to PCI DSS compliance for multi-channel merchants, allowing them to protect their call-centres from credit card theft.

THE CHALLENGE

Reputation Management

Beyond merely meeting industry standard, HostedPCI’s brand and reputation rely on their airtight record of PCI DSS compliance and protecting their clients’ financial data and information. The importance of this project would hinge not only on whether HostedPCI could retain their PCI certification, but also their effectiveness in identifying and omitting vulnerabilities in their environment.

Dynamic Risk Environment

The risks and threats involved in the PCI environment are constantly in flux. Cyber criminals are constantly pursuing new means of attack. The efficacy of this engagement depended on identifying and eliminating all potential gaps through a comprehensive penetration testing exercise.

MNP’S APPROACH

Identify Success Factors

MNP’s first step was to identify the project goals and create a workplan and schedule for achieving them. These included identifying any gaps in HostedPCI’s payment card architecture that could potentially compromise financial or customer data and compiling a comprehensive compliance report that met HostedPCI’s timeline for attestation.

Knowledge Leadership

Contributing to the project’s timely success, MNP leveraged our multidisciplinary expertise – including a dedicated project manager, penetration tester and certified Quality Security Assessor (QSA). The project manager created a comprehensive workplan, communications plan and engagement schedule to meet HostedPCI’s requirements, while the penetration tester and QSA worked collaboratively to identify vulnerabilities and ensure HostedPCI’s framework met or exceeded the requirements for certification.

Maximizing Facetime

MNP facilitated the HostedPCI team within our local office to conduct the required documentation review and staff interviews. Maximizing facetime with the client significantly expedited the process and allowed for a thorough and effective analysis of their PCI posture.

OUTCOME

Penetration Test Report

MNP produced a Penetration Test Report which outlined all potential vulnerabilities identified in HostedPCI’s PCI DSS environment. The report confirmed that no significant vulnerabilities were present, and that the client would be eligible for PCI DSS certification.

Attestation of Compliance

MNP compiled the information within the Penetration Test Report, staff interviews and documentation review into an Attestation of Compliance, which HostedPCI could then use to prove their status as PCI Compliant and retain their PCI Certification through 2017.

This allows them to continue running a successful, secure business for their customers while maintaining their reputation for providing industry-leading transaction security services.

For more information on how MNP can help your organization, contact:

Danny Timmins
National Cyber Security Leader
T: 905.607.9777
E: [email protected]

Eugene Ng
Cyber Security Leader, Eastern Canada
T: 905.607.9777
E: [email protected]

Tom Beaupre
Cyber Security Leader, Quebec
T: 514.228.7844
E: [email protected]

Insights

  • Confidence
    Man and woman laughing

    June 17, 2021

    Three tips to keep your business insurance effective

    What better way to celebrate Insurance Awareness Day on June 28 than to review your insurance policy – and make sure your coverage – and premiums – are appropriate. Find out more.

  • Performance
    Parliament building with flag

    June 23, 2021

    Tax Alert: Bill C-208 approved, comes into immediate effect

    Bill C-208 allows the intergenerational transfer of certain family businesses to receive the same tax treatment as businesses sold to a third party. Find out how it could apply to you and your business.

  • Agility
    Man working on solar panel

    June 23, 2021

    How to Start the Journey to Sustainable Success for your Construction Company

    If your company’s future borrowing may be impacted by lenders establishing sustainability conditions, here are three steps to start your company on a path to sustainable success.