In a previous article, we discussed the changing regulations and compliance issues affecting organizations that process or transmit credit card information.
While most every company that process online credit card payments have placed a lot of effort and time into becoming compliant with the Payment Card Industry Data Security Standard (PCI DSS). Many do not put as much effort into the challenges that they must meet on an annual basis which is to remain compliant.
Of the many compliance requirement challenges one of the most laborious and time-consuming tasks is the quarterly PCI compliance scan.
What can go wrong will go wrong
The organization, a large multi-national, was facing similar challenges that many organizations face on a quarterly basis, and that is to ensure that they not only run the quarterly PCI compliance scans on time, but they also need to run the scans error-free.
The PCI compliance scans which took the organization more than 10 hours to complete were usually run on the evening of the second Saturday of the third month. This enabled the IT team to collect the data and do a preliminary analysis for errors when they arrived for work Monday morning. If all went well, they would have ten days to complete the reports.
Problems began to arise after the second month when the person tasked with running the report forgot to schedule it in Outlook and then forgot to run it that Saturday night.
The problems were further compounded when on numerous occasions failure errors were discovered in the initial review, resulting in incomplete scans. The problem was made all the worse by the fact that they would only know of these errors only after the scan was complete, usually only on the Monday morning.
Finally, the IT team objected to having to spend portions of their weekend setting up, starting and monitoring the scan.
The organization worried that if this trend continued that they would be classified as being out of compliance with PCI DSS. They also were concerned that this quarterly scan added unnecessary pressure upon their already overburdened IT department.
Automation and managed services
An analysis of the situation revealed that the organization faced three significant challenges with regards to the quarterly compliance scan:
- Ensuring the scan was performed on time;
- Making sure that the report was run successfully before the IT team arrived on a Monday morning;
- Taking the burden off the internal IT team members.
To address the on-time challenge the team from Stack8 developed a PowerShell script to help automate the quarterly scan. Based on the organization's requirements the scan could be scheduled to run automatically anytime day or night and far in advance.
“As long as the server is running the scans will begin on time.”
To alleviate the second challenge a fail-safe mechanism was added to the script. In the event of an error, the team from Stack8 would be notified automatically by email as to any problems as soon as it occurred. By being informed right away, the team could troubleshoot any issues to ensure that the report was ready on time and error-free when required.
The PowerShell script was also developed to be multi-purpose. As a result by changing specific parameters, the script could be customized to perform an unlimited number of other types of scans.
For the third challenge, the organization decided that the quarterly PCI compliance scan would be better served if outsourced as part of a managed services offering. They were pleased that this helped to unburden their internal IT team and that no matter what, they would receive the report on-time and error-free.
The organization also took advantage of the customizability of the script, deciding to utilize it for several other scans required for their specific regulatory compliance issues, further removing some of the burdens of the internal IT team.