Case #4: Global ecommerce company cannot upgrade credit card database
Business Problem: This global ecommerce leader has the most incredible security controls protecting its ecommerce platform, but it cannot upgrade the database that protects credit card data at rest. That database contains security vulnerabilities and does not comply with PCI Section 6.1 for patch management. This highly unusual situation was validated: an upgrade would most likely cause an operational interruption of service, and a prior upgrade attempt had already resulted in an interruption.
Timeframe: Four weeks
Budget: $43,700
Biggest Project Risk: This was a "red-hot" political situation that would have ended some careers if PCI compliance forced a database upgrade to fix a number of vulnerabilities. Forcing the upgrade was not worth the political battle, nor the cost to IT Security's credibility with the enterprise.
Business Solution: The most comprehensive set of controls was designed to function as one large compensating control addressing PCI Section 6.1. This highly classified compensating control involved end-to-end encryption, asymmetric network routing, parameterized database queries, and an application data access layer, to name some of the unique controls.
Business Results: The specially designed compensating control not only met PCI Section 6.1 compliance with the rigor of PCI subject matter experts, but also prevented a potential operational interruption of service that would have cost the company millions of dollars in lost revenue and drawn intense media attention.
2012 ConnectTech, LLC. All rights reserved.