Implementing PCI policies in a public facing organization holding credit card information is always a challenge which requires careful planning, implementation, and monitoring. Organizations continue to struggle with ever-increasing data sources that need to be monitored and scanned for credit card data and/or Personally Identifiable Information (PII). Policies need to be translated into technical rules and data needs to be continually monitored for compliance with industry standards.
One of Richter’s clients that holds credit card information was having a hard time monitoring its ecosystem and being able to identify non-compliance activities against PCI standards in an efficient way. The client had implemented some degree of manual monitoring; however, the monitoring was at a point in time and was insufficient due to the sheer size and volume of the logs within the environment. Being always one step behind the auditors, the client was tired and needed a more proactive, efficient way of monitoring logs and being alerted to PCI non-compliance before the issue was raised by auditors.
A modern approach to this task was required that could help automate the monitoring of logs and alert client stakeholders as well as the compliance team of any PCI infractions. The client required a set of use cases that could be used to monitor PCI compliance across the enterprise.
Richter helped this client implement a solution using log analytics and Splunk. Richter worked with the organization to determine requirements for PCI compliance monitoring. This solution normalized data from the entire data landscape including PCI assets and then monitored them using use cases through an analytic toolset and machine learning to detect and predict any PCI compliance infractions.
The solution had to be established in such a way that it segregated logs containing credit card information from corporate logs, keeping the latter confidential and out of PCI scope. This was done to minimize the PCI scope and to onboard only those PCI log sources that were required to be monitored. Richter leveraged both its team of risk management professionals and its superior Splunk team to map and implement PCI use cases to monitor compliance against the PCI DSS industry standard.
As part of the use cases, the Richter team also implemented a real-time management dashboard to provide quick insight into PCI activities performed, the data sources scanned, and any non-compliance issues detected. Any non-compliance issues noted were then reported via their ticketing tool. In this case, the ServiceNow integration allowed the client to report these issues in a timely fashion to various compliance teams leaving the ‘heavy-lifting’ to Splunk through automation of the ServiceNow tickets. Richter also leveraged enrichment sources within the organization to make the Splunk reporting more consumable. For example, the Richter team integrated other sources of data such as HR data to enrich the Splunk actionable output so that it could be consumed by the required stakeholders and action could be taken on the results.
The organization can now quickly identify a non-compliance issue and assign it to the appropriate team in the organization for investigation and timely resolution. Efficient execution by the team meant the solution did not impact the execution environment and used existing resources for implementation, while leaving enough room for future growth in log data volume. With millions of log events scanned and monitored, no earlier solution would have matched these insight capabilities. Richter also leveraged historical logs from various devices in the organization to build machine learning models to gain further insight into the posture of the compliance environment. These insights proved invaluable because they gave the organization visibility into all of its logs, which it did not have previously, and that visibility is now delivered through a single-pane-of-glass view. Richter’s Splunk team continued to work with the audit and compliance teams to establish additional recommendations to enhance both the compliance and security posture of the organization using Splunk. With a clear and objective plan and implementation details, the client was able to establish confidence in the solution and a path for future progression.
Richter’s Splunk technical excellence provided the optimal solution and calmed the client’s compliance anxiety regarding monitoring PCI compliance to the required industry standards. By leveraging log analytics and Splunk, management was more confident than ever in its PCI compliance posture. By combining Richter’s risk management professionals with Richter’s Splunk subject matter experts, the bank was able to focus its time and effort on prioritizing the onboarding of the right data sources based on the use cases, addressing the highest PCI risks first, and monitoring them through Splunk. This helped keep overall onboarding costs low for the organization and mitigate future PCI risks.