Congratulations to IPAY88 for getting certified under PCI-DSS Level 1!
The PCI journey had been an interesting one. We did the gap assessment back in late 2013 and had to chase the compliance for 2014. The major roadblock was that first time PCI-DSS companies often underestimate the amount of work and type of audit required. A lot of companies make the mistake of treating PCI as how they treat ISO27001 (ISMS). These are vastly different animals.
For ISO27001, in general, a lot of risks can be justified by management. The idea is to sense that there is a ‘management system’ in place. Not so much of a standard. If the management system claims that counting lima beans for customers in their data centre is an acceptable risk, then it is an acceptable risk. Of course, that’s an extreme example – the ISMS auditor still have a say in that obviously.
However, for PCI-DSS, its 300+ controls, in which if you decide that you want to store credit card data, then all of which will apply to you. There is no “Wait, my management accepts the risk of non encryption and storing PAN in a text file.”.
Precisely, the data here is not the company’s. It belongs to the card brands. From PCI perspective, its a standard that benefits only the card brands – VISA, Mastercard, Amex, Discover and JCB. This is the reason why we don’t have Business Continuity in PCI. PCI does not care whether your business can continue or not, it just cares that the credit card data is safe.
To IPAY88’s credit, they adjusted very quickly. They called us in midway into their remediation and we did a sweep of their infrastructure again and started to put their remediation program in place. Policies and procedures is one thing – but you have a whole lot of other things to do as well – penetration test, VA, firewall reviews, training, risk assessments, log reviews, HR review etc. We chased those down within 2 months and managed to hit the onsite audit in October, and successfully navigated the compliance by December.
A special thanks to IPAY88 management and PCI team for such a collaborative and great experience together! For more information of our PCI-DSS program, please email us at firstname.lastname@example.org.