As more and more consumers choose to pay electronically and digitally for goods in store and online, merchants and service providers are subject to the strict Payment Card Industry Data Security Standard (PCI DSS), which exists to protect cardholder data obtained by merchants, financial institutions or other entities. Organisations accepting or processing payment transactions must abide by the operational and technical requirements set by the PCI DSS.
For our client – a large global retailer – an annual Attestation of Compliance (AOC) was mandated by their bank as part of the PCI DSS assessment. Failure to achieve the AOC in previous years had resulted in significant financial penalties and fees, and was putting the organisation at increased cyber risk.
Our client is a successful global retailer operating over 600 retail stores with more than 12,000 team members across Australia, New Zealand and China.
The client had been given a mandate by their bank as part of the PCI DSS to achieve an Attestation of Compliance (AOC) – a form for merchants and service providers to attest to the results of a PCI DSS assessment.
As well as achieving the AOC, the organisation had also identified opportunities to uplift the current cyber security maturity of its people (awareness), policies, data, processes and governance.
Achieving an AOC was essential for the organisation to reduce its risk profile and to avoid the non-compliance financial penalties and fees applied by the card payment brands VISA, MasterCard and American Express. Failure to comply with the PCI DSS requirement meant the company was facing:
• Non-compliance financial penalties and fees of approx. US$10k/month;
• Elevated risk of a cyber breach;
• Additional interest (on top of existing fees) of $500k per year charged to its credit card facility, due to being a non-compliant Level 1 retailer conducting over 6 million credit card transactions per year.
To help the organisation better understand its current and future environment needs and the steps necessary to comply, the organisation engaged ASG, who scoped and structured a program to assess, structure and remediate the governance, process and technology controls required to achieve PCI DSS compliance.
Over a period of 15 months, ASG undertook analysis and scoping of the business in the context of PCI DSS compliance requirements, and developed a business case describing the level of investment required to become compliant, including a schedule, deliverables, required resourcing, and the associated risks, issues and constraints.
The program proposed by ASG was delivered successfully: on time, to plan and 20 percent under budget.
Working with the organisation, ASG implemented and operationalised:
• 20 new policies to address several significant gaps across the business, covering not only PCI DSS-specific requirements but broader cyber and risk gaps.
• 30 cyber security standards, including encryption and password standards, to protect SRG, its staff and its customers.
• An online training campaign for over 12,000 staff to significantly uplift cyber security awareness and reduce the risk profile for staff, the business and customers, by introducing awareness of threats, safe practices, and the processes and policies to follow.
• An outsourced Interactive Voice Response (IVR) technology service, to facilitate PCI-compliant over-the-phone payments by customers, partners, suppliers and other businesses.
• Over 70 process controls across the business in Finance, IT, Retail, Procurement and HR.
• Self-scan capability for credit card data within the ICT environment.
ASG’s work helped the client achieve its AOC and save costs, whilst helping the organisation realise significant operational benefits that are essential as it continues to grow and transact in the digital environment.
The ASG team received recognition and an award from the CEO, CFO and CIO, who acknowledged the significant value the team added in making a major transformational difference to the organisation.