Case #6: 3,000 source code vulnerabilities and PCI compliance in 30 days

Business Problem: A national jewelry company was using a managed data center provider where IT security had not been a priority for any of the applications developed over a period of eight years. No source code scanning had ever been performed, and the PCI in-scope application, which happened to be the primary application, had over 3,000 vulnerabilities. AMEX was demanding that the jewelry company become compliant within 30 days or face potential fines, since the extension granted for self-remediation attempts had already run out.

Timeframe: One Month

Budget: $425,000

Biggest Project Risk: Implementing a new network infrastructure in 30 days with no interruption to the overall business. The client could not fix the numerous vulnerabilities, including source code regression testing, in 30 days. The coding alone would have taken about four full-time developers eight months. Fixing the source code vulnerabilities for PCI Section 6 was therefore not feasible: the client did not have the resources and could not have met the 30-day deadline even with 30 developers on-site.

Business Solution: After extensive discussions and after fixing 75 other PCI findings, the source code issue remained a monumental task, to the point that the client felt they might as well stop accepting credit cards. The client asked for a compensating control, but no known compensating control existed for so many PCI findings. After careful research and design meetings, a Web Application Firewall (WAF) was introduced to see whether it could resolve a portion of the findings. The first and second WAFs installed caused additional problems and did not resolve many of the issues. A third WAF was then deployed to filter both internal and external network traffic, and it showed promise of resolving many of the PCI issues. Engineers from the WAF vendor were hired to analyze some of the most difficult source code vulnerabilities, and special firewall rules were created to protect against each persistent common vulnerability. External vulnerability tests were performed to validate that the WAF was properly filtering external network traffic. Internal connections to the PCI environment were reconfigured so that system administrators had to go through the WAF and could not bypass it, which confirmed that the compensating control covered both the internal and external network perspectives. About 40 vulnerabilities could not be filtered by the WAF, but those were fixed through code attribute modifications to a single module, a few days ahead of schedule.

Business Results: The project was delivered within 30 days, and the client was not fined by AMEX. The compensating control that was designed, together with the hardware that was used, proved remarkably effective. The client will still need to fix the source code vulnerabilities over the next year, but the compensating control prevented the client from rushing source code fixes that could have impacted the customer buying experience.

2012 ConnectTech, LLC. All rights reserved.