INDUSTRY: Consulting / Services
BUSINESS: The most experienced independent payment cards personalization service provider in Poland. Delivering personalized magnetic stripe, smart, contact, and contactless identity and payment cards.
SCOPE: Warsaw, Poland
SIZE: 35 employees
BUSINESS PROBLEM: Since ELKART provides payment card personalization services, it must remain compliant with the Payment Card Industry Data Security Standard (PCI DSS). The certified Integrated Management System ELKART implemented requires a mature, systematic approach to the risk and vulnerability management of its IT infrastructure.
OPERATIONAL CHALLENGE: With a small IT team, ELKART needed an automated way to maintain compliance and file the reports PCI DSS requires.
- Qualys Cloud Platform
WHY THEY CHOSE QUALYS: Qualys helps create the technical and business reports ELKART needs to reduce risk and to prove its compliance with ISO 27001 and PCI DSS.
Elkart: Cost Efficient, Effective Vulnerability Management and PCI DSS Compliance
When this large and growing firm needed a way to keep its systems secure and compliant with the Payment Card Industry Data Security Standard, it turned to Qualys because of its low cost, high accuracy, and ease of use.
ELKART Systemy Kart Elektronicznych Sp. z o.o. is the most experienced independent payment card personalization service provider in Poland. Delivering personalized magnetic stripe, smart, contact, and contactless identity and payment cards, ELKART is certified by international payment organizations such as Visa International and MasterCard International, and also holds Diners Club authorization. Much of the company’s success is due to the diligence it applies to ensure that all activities involving personalization data processing are of the highest quality. What is more, as part of these efforts, ELKART has recently had the Integrated Management System (IMS) it implemented certified for compliance with ISO 9001 (Quality Management), ISO 27001 (Information Security Management) and BS 25999 (Business Continuity Management).
Since ELKART provides payment card personalization services, the company must run security scans of its network environment in compliance with the requirements of the Payment Card Industry Data Security Standard, commonly known as PCI DSS.
The best way to maintain a high level of IT security, as well as comply with PCI DSS, is to implement an effective vulnerability management program. That entails the ability to discover and catalogue networked assets, prioritize those assets according to business value, assess those systems for vulnerabilities and misconfigurations, act to remedy at-risk systems, and then verify that the proper fixes are in place. For its PCI DSS regulatory obligations, ELKART must keep its systems secure and report its level of compliance every three months.
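The lifecycle described above (discover and catalogue assets, prioritize by business value, assess, remediate, verify) is easy to state and easy to get wrong in practice: findings on hosts nobody inventoried get scored as if they were known, and tickets get closed on a promise rather than on a rescan. The following is an added illustration, not Qualys’ code or ELKART’s process; the asset list, scanner check ids (`QID-*`) and scan results are constructed, and the 4.0 CVSS cut-off for a failing external finding is assumed here as the threshold used by the PCI ASV scan programme.

```python
"""Toy vulnerability-management lifecycle over constructed data: catalogue,
prioritize, verify fixes against a rescan, and summarize the external
(PCI-scope) view. Added example; none of the hosts or findings are real."""
from dataclasses import dataclass

# Assumed threshold: an external finding with CVSS >= 4.0 fails a PCI ASV scan.
PCI_FAIL_CVSS = 4.0


@dataclass(frozen=True)
class Asset:
    host: str
    business_value: int   # 1 (low) .. 5 (critical), set by the asset owner
    external: bool        # Internet-facing, hence in scope for the ASV scan


@dataclass(frozen=True)
class Finding:
    host: str
    qid: str              # scanner check id (constructed placeholder)
    cvss: float


@dataclass
class Ticket:
    host: str
    qid: str
    score: float
    status: str = "open"


def catalogue(assets):
    """Step 1: inventory keyed by host. Anything a scan reports that is not
    in here is an unknown asset, which is itself a finding."""
    return {a.host: a for a in assets}


def prioritize(inventory, findings):
    """Steps 2-3: risk score = business value x CVSS, highest first.
    Returns the ticket queue and the hosts the inventory did not know."""
    tickets, unknown = [], []
    for f in findings:
        asset = inventory.get(f.host)
        if asset is None:
            unknown.append(f.host)        # never silently score an unknown host
            continue
        tickets.append(Ticket(f.host, f.qid, asset.business_value * f.cvss))
    tickets.sort(key=lambda t: t.score, reverse=True)
    return tickets, sorted(set(unknown))


def verify(tickets, rescan_findings):
    """Step 5: a ticket is 'verified' only when the rescan no longer reports
    the same check on the same host; otherwise it stays open."""
    still_present = {(f.host, f.qid) for f in rescan_findings}
    for t in tickets:
        t.status = "open" if (t.host, t.qid) in still_present else "verified"
    return tickets


def pci_scan_status(inventory, findings):
    """Quarterly external view: PASS unless an in-scope (external) host has
    any finding at or above the assumed failing threshold."""
    failing = sorted({
        f.host for f in findings
        if f.host in inventory and inventory[f.host].external
        and f.cvss >= PCI_FAIL_CVSS
    })
    return ("FAIL" if failing else "PASS"), failing


# Constructed sample data: one internal crown jewel, two external hosts,
# and a scan result for a host nobody put in the inventory.
ASSETS = [Asset("perso-db01", 5, False), Asset("www01", 3, True), Asset("vpn01", 4, True)]
FIRST_SCAN = [
    Finding("perso-db01", "QID-A", 7.5),
    Finding("www01", "QID-B", 5.0),
    Finding("vpn01", "QID-C", 3.1),
    Finding("printer07", "QID-D", 9.8),
]
RESCAN = [Finding("vpn01", "QID-C", 3.1)]   # two of three issues were fixed

if __name__ == "__main__":
    inv = catalogue(ASSETS)
    queue, unknown = prioritize(inv, FIRST_SCAN)
    for t in queue:
        print(f"{t.host:12} {t.qid:6} risk={t.score:5.1f}")
    print("unknown hosts:", unknown)
    print("PCI external status before fixes:", pci_scan_status(inv, FIRST_SCAN))
    verify(queue, RESCAN)
    print("after rescan:", [(t.host, t.status) for t in queue])
    print("PCI external status after fixes:", pci_scan_status(inv, RESCAN))
```

Two details carry the security value: the unknown host is reported rather than scored, so inventory gaps surface in the same report as vulnerabilities, and a ticket only changes to "verified" on rescan evidence, which is the fix-verification step the paragraph names.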
“In the first year that we used it, Qualys proved to be very effective in helping us communicate to our auditors that we are PCI DSS compliant.”
Security Manager at ELKART
Vulnerability Management: Outsource or Maintain In-house
To put in place the most effective vulnerability management program possible, and to prove PCI compliance, ELKART considered a number of options, ranging from hiring an outside vulnerability assessment consulting firm to acquiring vulnerability management tools the company could use to conduct the necessary assessments and reporting in-house.
After careful evaluation of its options, ELKART selected Qualys. The implementation, carried out with the help of a local consultancy, IMNS Polska, took only three working days. During that period, ELKART’s IT specialists were trained on how to use Qualys.
Delivered as a Web service, Qualys continuously updates its vulnerability management service and the accuracy of its security checks, without ever requiring software installation or manual updates by its customers. Qualys’ dedication to accuracy and quality means that ELKART does not waste time chasing false positives, an all-too-common problem with software-based vulnerability scanners.
“Since Qualys is automated, and we subscribe based on the size of our network, we can run as many security assessments as we need,” says Hubert Kaczorowski, security manager at ELKART. Qualys is provided as a subscription-based service, so the cost is much lower than hiring outside consultants to conduct scans every three months. Perhaps more importantly, ELKART is now able to maintain a much higher level of security because Qualys enables the company to evaluate its network almost continuously. This is possible because Qualys provides ELKART with an automated way to meet many of its IT security and PCI DSS regulatory demands. Qualys gives ELKART, and thousands of other organizations around the globe, a powerful way to protect networks throughout the entire vulnerability management life cycle, including asset discovery, asset prioritization, vulnerability assessment and analysis, remediation, and fix verification. As a direct result of Qualys PCI’s on-demand architecture, there are no additional operational or administrative burdens for ELKART — once deployed, all system maintenance, vulnerability signature updates, and software enhancements are provided directly from Qualys’ Secure Operations Center.
Fully Automated Vulnerability Management and Compliance
“Qualys helps us to stay secure and compliant while also saving us considerable money,” says Kaczorowski. “When you consider how much we would spend for one vulnerability assessment conducted by an outside consultant, Qualys is extremely cost-effective for us,” Kaczorowski adds.
While ELKART is required under PCI DSS to conduct and report on vulnerability assessments every quarter, such a minimal number of scans did not provide the high level of security the company desired. “We decided four scans a year just wasn’t enough, and Qualys makes it possible for us to scan much more often to maintain a high level of security,” says Kaczorowski. Through Qualys, ELKART performs vulnerability assessments twice a week: two assessments of its internal systems and two of its external, Web-facing systems. “In this way, we keep our systems well configured and up-to-date with the latest patches. We’re also current with all of our remediation reports, and we can keep our business managers informed as to the current security and compliance posture of our network,” he says.
Since Qualys makes it possible to schedule automatic assessments and then share scan results with multiple groups, Kaczorowski can be certain that only the appropriate operations teams may see the reports they need to keep their systems properly secure and compliant. “As the security manager, I need to be able to delegate remediation work to the IT specialists who manage those issues. Qualys gives me the ability to manage and make certain that the work that needs to get done gets done,” he says.
Turnkey PCI Compliance and Reporting
In addition to keeping its network and systems secure, ELKART must validate its security and compliance every quarter. Beyond the network security audits themselves, Qualys PCI streamlines this process through an integrated self-assessment questionnaire and compliance report submission with online certification.
“In the first year that we used it, Qualys proved to be very effective in helping us communicate to our auditors that we are PCI DSS compliant,” Kaczorowski says. In addition, as an approved PCI DSS scanning vendor, Qualys makes certain that the assessments are always current with any changes to the security standard, and that reporting always flows smoothly. “Last year, we had an auditor look at our Qualys PCI results for the first time, and he was very impressed with the results and commented on how effective a system it is,” he says.