Simplified PCI Compliance

As this leading direct response management company's credit card transactions grew, so did its need to understand and automate the many aspects of the Payment Card Industry Data Security Standard.

One thing that certainly doesn't come to the top of mind when thinking about advertising and direct response sales is information security. Yet, because Ignite Media Solutions, a marketing services firm, collects and processes payment information for its clients, it must remain ever compliant to the Payment Card Industry Data Security Standard (PCI DSS).

Essentially, PCI DSS requires covered organizations to secure cardholder data that is stored, processed, or transmitted. The standard strives to achieve this through 12 requirements to maintain a sustainable architecture, network monitoring, and creation of a continuous vulnerability management program. That was the challenge faced by the PCI Compliance Team at Ignite Media, who is charged with making certain that Ignite’s two data centers remain not only PCI compliant but secure. One member of the team, Mike DeMatteo says, "For us, PCI compliance was just the beginning. The ultimate goal was a secure and sustainable system," explains DeMatteo. While Ignite doesn't process the actual credit card payments for its fulfillment services, the company does collect the credit card and payment information and forwards it to its client for processing.

"Qualys just pulls it all together, making it so easy that one doesn't have to be an information security expert to attain PCI compliance. It's easy to use, does network discovery and mapping, and its dashboard provides the information we need."

Mike DeMatteo,
PCI Compliance Administrator,
Ignite Media Solutions

The Road to Automated PCI Compliance

Ignite Media Solutions will move up to a Level 1 merchant from its Level 2 status, with multi millions of transactions annually. As a result, Ignite is rapidly deploying the new processes and technologies it needs to maintain cost-effectively a secure and compliant IT infrastructure. "We are automating what we can and where it makes sense," says DeMatteo.

In order to operationalize its IT security and PCI compliance program, Ignite is deploying the tools it needs, such as network monitoring, log management, and file integrity monitoring software while the central solution to these efforts is managing proactively all of the software vulnerabilities, configurations, and security policies of its IT systems. Flaws and systems that fall out of policy make more than 80% of exploit attacks possible, research shows.

To manage and mitigate those risks, Ignite Media turned to approved PCI scanning vendor Qualys, Inc. Qualys is fully certified to help merchants and service providers assess and achieve continuous compliance with the PCI DSS. Delivered as an on-demand Web application with no hardware or software to be installed and maintained, Qualys PCI is an accurate and easy path to turnkey PCI compliance testing, reporting, and submission. Qualys PCI draws upon the same highly accurate scanning infrastructure and technology as Qualys’ flagship solution Qualys — used by thousands of organizations around the world to protect their networks from security vulnerabilities that make attacks against networks possible. It allows merchants and service providers to complete each and every one of their validation requirements.

"Our main focus in selecting Qualys was to attain PCI compliance. We believe the accuracy, thoroughness of scans, automation, and Qualys being an approved PCI scanning vendor will serve us well in achieving that aim," says DeMatteo. In addition, the quality of Qualys’ PCI DSS certification documentation set it apart from its competition. "The documentation makes applying Qualys to the PCI requirements a no-brainer. The other companies I researched didn’t do this; it was like pulling teeth to just find out what PCI requirements the others actually covered," he adds. "Qualys just pulls it all together, making it so easy that one doesn’t have to be an information security expert to attain PCI compliance. It's easy to use, does network discovery and mapping, and its dashboard provides the information we need," he says.

Using Qualys PCI, Ignite can now more easily complete and submit the PCI self-assessment questionnaire online, and perform pre-defined PCI scans on all external systems to identify and resolve network and system vulnerabilities as required by the standard. Currently, once a network assessment is complete, DeMatteo sends the reports to Ignite's network operations teams for remediation. Qualys then makes it simple to validate that patches have been applied properly and successfully.

While the PCI DSS requires quarterly scans, Ignite determined that because of how often its infrastructure is changed and updated, Ignite required the affordable flexibility to run scans as needed and whenever needed. "We are changing things all the time. We must scan after system changes, after new patches are released, and that means that hiring third-party consultants to conduct scans would be too costly and not flexible enough for us," he says.

"PCI compliance is not a one-time deal, it's ongoing. That's why we didn't want to rely just on third-party consultants to conduct our scans. We wanted something we could run and manage in-house that would help us stay secure and compliant," he says.