Building a Proactive Partnership for Data Security & Compliance

For a cloud-based e-commerce company that prides itself on empowering their retail customers to use their flexible sales solutions, data security is serious business. Especially since one of those solutions includes a seamless credit card payment service that stores and processes confidential payment information. Managing payments across multiple channels means facing the persistent threat of sophisticated attacks.

Successful data breaches pose a unique danger to any business, to their reputation as well as their financial health, as fallout from the breach undermines customer trust. With your company’s reputation—and bottom line—at risk, identifying security weaknesses is a high-stakes game. That’s why taking a reactive approach to data security is not an option.

About 3.5 billion people saw their personal data stolen in the top two of 15 biggest breaches of this century alone.

CSO Online, April 2020

Every business that accepts payment cards must meet Payment Card Industry Data Security Standards (PCI DSS) and must conduct an annual audit to verify their compliance. Introduced by card brands in the early days of e-commerce to combat online fraud and data breaches, the PCI standards help consumers and businesses alike to sleep better at night.

Ensuring that peace of mind is why our clients trust RGP, a Qualified Security Assessor company, to perform their PCI services year after year.

Mitigating Risks Across the Entire Ecosystem

“I call it ‘covering your assessment,’” quips Jacqueline Bertram, Director of RGP’s National PCI Practice. And her fear of jinxing our success rate doesn’t make her next statement any less true: “In the over 10 years that I’ve been working with clients, none have had data breaches.”

Tasked with assessing our client’s cybersecurity to determine their risk profile, Jacqueline and her team were able to safeguard their organization by understanding and mitigating risks across the entire payment ecosystem. And by bundling multiple compliance initiatives into one engagement, we provided additional reassurance while saving our client over $30,000.

In addition to the PCI assessment, our team performed SOC1 and SOC2 examinations. SOC, which stands for systems and organizational controls, confirm that the internal controls affirmed by management are in place and working properly.

“By bundling initiatives and organizing one request list for all audits, we could eliminate duplicated efforts,” says Jacqueline, whose eye for finding efficiencies didn’t stop there. With over a decade of experience performing security assessments, she also recognized the opportunity to streamline siloed processes in the reporting function.

The Report on Compliance (ROC) Template required by the PCI Security Standards Council is, objectively, a behemoth. With more than 300 pages of tables to complete, it takes around 100 hours to fill out and five minutes just to scroll through.

Seeing an opportunity for efficiency, Jacqueline created a compliance management framework that auto-populates the ROC Template, eliminating the practice of making multiple requests for the same information, as well as the need to input that same information into multiple places.

According to Mollie Hatten, Project Manager for the National PCI practice, the tool saves about 60 hours per engagement. Our consultants can instead use that time to play offense, anticipating further client needs and hosting quarterly advisory meetings to answer questions about changing requirements.

“If our client is performing upgrades, we let them know whether any controls need to be put into place or any processes will be implicated,” says Mollie. “In this way, we take what can be an intimidating process and make it a bit less daunting.”

Now in the third year of working with this client, we maintain a relationship that more closely resembles a trusted partnership.

“We’re collaborators. They disclose potential gaps in their systems, and we work together to address those areas,” says Mollie. “Through streamlining processes we not only have the time to ensure our clients’ controls are effective, but also have time to remediate problem areas. Our positive relationship with clients hinges on the fact that we believe our job is to nurture that relationship—not just during the audit, but throughout the entire year.”