
Project: Secure Bank Solutions - (SBS)

PCI DSS Compliance Audit

Objective: The goal of this project was to conduct a comprehensive PCI DSS compliance audit for SBS - Secure Bank Solutions to ensure the security of their cardholder data and identify areas where the company needed to improve in order to meet PCI DSS standards. The audit focused on evaluating the organization’s adherence to the 12 PCI DSS requirements and offering a roadmap to address compliance gaps.

Download my PCI DSS audit here! 

Step-by-Step Breakdown:

1. Initial Assessment & Planning

  • Objective: The first step was to assess the company’s current compliance with PCI DSS. This involved reviewing the overall IT infrastructure and determining which systems processed, stored, or transmitted cardholder data.
     

  • Tools Used:

    • PCI DSS Self-Assessment Questionnaire (SAQ)

    • Discussions with IT personnel

    • Internal network and system documentation
       

  • Process: We conducted interviews with key stakeholders, including the IT compliance manager and security officer, to gather insight into their existing security measures and processes. We then mapped out all systems interacting with cardholder data.
     

  • Outcome: A clear understanding of SBS - Secure Bank Solutions' current PCI DSS compliance status and an inventory of systems handling sensitive cardholder data were established, setting the stage for a more detailed audit.

2. Review of Existing Security Measures

  • Objective: To review the company’s existing security practices, including firewall configurations, password policies, and data protection mechanisms, to determine if they met the requirements of PCI DSS.
     

  • Tools Used:

    • Firewall Configuration Review

    • Password Policy Review

    • Access Control Documentation
       

  • Process: We reviewed firewall configurations and access control policies to assess whether they restricted unauthorized access to sensitive cardholder data. We also examined password policies to ensure they adhered to the PCI DSS requirement of changing vendor-supplied defaults.
     

  • Outcome: The audit found that the company’s firewall configurations met PCI DSS requirements, but password management practices needed improvement, as default passwords were still in use on some systems.

3. Data Encryption & Tokenization Check

  • Objective: To ensure that sensitive cardholder data was either encrypted or tokenized when stored and during transmission over open and public networks.

  • Tools Used:

    • Encryption Policy Review

    • Data Handling Procedures

  • Process: We reviewed the company’s data encryption policies and confirmed whether encryption was being applied to cardholder data both in storage and in transit.

  • Outcome: We confirmed that the company was encrypting cardholder data during transmission, but no tokenization was applied to stored data. This was identified as a significant compliance gap.
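To illustrate the tokenization control recommended for stored cardholder data, here is an added example written for this page (not SBS's system or the audit deliverable): a minimal vault that replaces a Luhn-validated PAN with a random token and applies the PCI DSS first-six/last-four display masking. The vault, its `tokenize`/`detokenize` methods and the sample PAN are all constructed for the demo.

```python
import secrets
from typing import Dict, Optional

# Constructed example of a tokenization vault: application databases keep
# only the token, so a breach of those stores exposes no PAN. The vault's own
# storage must still be encrypted per PCI DSS Requirement 3; that layer is
# outside this snippet. 4111111111111111 is a standard Luhn-valid test number.

def luhn_valid(pan: str) -> bool:
    """Return True if the PAN is 13-19 digits and passes the Luhn check."""
    if not pan.isdigit() or not 13 <= len(pan) <= 19:
        return False
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def mask_pan(pan: str) -> str:
    """PCI DSS display rule: at most first six and last four digits visible."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]

class TokenVault:
    """In-memory vault mapping random tokens to PANs (demo only)."""

    def __init__(self) -> None:
        self._token_to_pan: Dict[str, str] = {}
        self._pan_to_token: Dict[str, str] = {}

    def tokenize(self, pan: str) -> str:
        if not luhn_valid(pan):
            raise ValueError("PAN failed Luhn validation")
        if pan in self._pan_to_token:       # same PAN -> same token
            return self._pan_to_token[pan]
        while True:
            # Random token; last four digits kept so receipts can show them
            token = f"tok_{secrets.token_hex(8)}_{pan[-4:]}"
            if token not in self._token_to_pan:
                break
        self._token_to_pan[token] = pan
        self._pan_to_token[pan] = token
        return token

    def detokenize(self, token: str) -> Optional[str]:
        """Only the vault (inside the CDE) can resolve a token back to a PAN."""
        return self._token_to_pan.get(token)
```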

4. Vulnerability Management and Patching

  • Objective: To assess the company’s vulnerability management practices, ensuring that systems were regularly patched and protected against malware.

  • Tools Used:

    • Patching Schedules

    • Anti-virus Logs

  • Process: We reviewed the patching schedules and anti-virus software logs to ensure that critical patches were applied promptly and that anti-virus software was deployed on all relevant systems.

  • Outcome: While the company had some patching processes in place, there were delays in applying certain patches. The anti-virus software was outdated, which was flagged as a non-compliant area requiring immediate attention.

5. Access Control and Authentication Review

  • Objective: To verify that access to cardholder data was restricted to authorized personnel only and that multi-factor authentication (MFA) was in use.

  • Tools Used:

    • Access Control Policies

    • Role-Based Access Control (RBAC) Review

  • Process: We reviewed the access control policies to ensure that only authorized personnel could access cardholder data, and we assessed whether multi-factor authentication (MFA) was applied to sensitive systems.

  • Outcome: The audit found that access controls were well implemented with role-based access control (RBAC), but multi-factor authentication was not in use, which was identified as a key improvement area.

6. Physical Security & Data Center Review

  • Objective: To assess the physical security controls in place to prevent unauthorized access to cardholder data, particularly in data centers.

  • Tools Used:

    • Physical Security Documentation

    • Access Control Systems Review

  • Process: We conducted a review of the data center’s physical security procedures, including access control systems and surveillance practices, to ensure compliance with PCI DSS standards for restricting physical access.

  • Outcome: The physical security measures were deemed compliant, with restricted access and 24/7 surveillance in place.

7. Final Report and Recommendations

  • Objective: To compile a comprehensive PCI DSS compliance report that outlined findings, provided recommendations for improvement, and included an action plan for addressing gaps.

  • Tools Used:

    • PCI DSS Audit Checklist

    • Action Plan Templates

  • Process: We finalized the audit findings, detailing areas where SBS - Secure Bank Solutions was compliant, as well as areas that required further remediation. Each recommendation was prioritized based on its urgency.

  • Outcome: A detailed report was delivered, including recommendations for implementing encryption/tokenization, updating anti-virus software, and enabling MFA. A timeline for remediation was included to ensure that all PCI DSS requirements were met in a timely manner.

Skills Learned:

  • In-Depth Understanding of PCI DSS Requirements:
    Gaining a deeper knowledge of the PCI DSS framework, especially the detailed requirements for cardholder data protection, encryption, access controls, and vulnerability management.

  • Vulnerability Management and Risk Assessment:
    Hands-on experience in identifying security gaps, prioritizing vulnerabilities, and suggesting remediation actions. This enhanced my skills in performing risk assessments and mitigating data security risks.

  • Encryption and Data Protection Best Practices:
    Learned how to apply best practices for protecting cardholder data, including encryption strategies and tokenization, ensuring that data is protected both at rest and in transit.

  • Practical Application of Access Control Models:
    Improved my understanding of Role-Based Access Control (RBAC) and its importance in maintaining a secure and compliant environment for sensitive data.

  • Compliance Documentation and Reporting:
    Strengthened my ability to document audit findings, provide clear recommendations, and communicate compliance gaps and action plans to stakeholders in a professional manner.
