Company Overview:
Condueit: Weak and Leak (CW&L) started its operations in 2003 as an online marketplace for electronic products. By 2010, CW&L expanded its product offerings, catering to customers worldwide, with a primary focus on North America, Europe, and Asia.
Over the years, CW&L grew in size, reputation, and transaction volume. In 2016, CW&L reached an impressive milestone, surpassing 10 million transactions per year. With this rapid growth and increased customer base, CW&L recognized the growing importance of data security.
However, they had never been through a formal PCI DSS assessment and therefore did not know how far they were from PCI DSS compliance. In 2018, a major incident occurred that became a turning point for the company. CW&L fell victim to a data breach, resulting in a considerable leak of customer payment card data, a devastating blow to their reputation.
Non-compliance Phase:
Post-breach investigations revealed several weaknesses in CW&L’s security infrastructure. It became apparent that the company did not comply with several critical requirements of PCI DSS v3.2.1. Their payment card data was stored without proper encryption, they lacked proper firewall configurations, their vulnerability management program was not robust enough, and employees had not received the necessary security awareness training.
Following this incident, CW&L lost a significant customer base and faced heavy penalties from regulatory bodies, damaging their financial standing.
Transition to Compliance:
The data breach acted as a wake-up call for CW&L. They decided to revamp their security infrastructure and started their journey towards PCI DSS compliance. The company brought on board a new Chief Information Security Officer (CISO) in 2019, who was entrusted with the task of ensuring compliance with PCI DSS v4.0.
Under the new CISO’s guidance, CW&L started implementing significant changes. They established a secure network by installing and maintaining a firewall configuration, and they ensured that cardholder data was transmitted securely across open, public networks. They built and maintained secure systems, including protecting stored cardholder data, and developed a robust vulnerability management program.
The company also established strong access control measures, including assigning a unique ID to each person with computer access and restricting physical access to cardholder data. They developed and maintained an Information Security Policy that was communicated across the company, and implemented a strong information security awareness program for their employees.
Compliance Phase:
By the end of 2021, CW&L had addressed all their security flaws and successfully implemented the necessary controls as per PCI DSS v4.0. An independent Qualified Security Assessor (QSA) was hired to conduct an official assessment. After rigorous testing and evaluation, CW&L achieved full compliance with the PCI DSS v4.0 in early 2022.
Post-compliance, the company noticed a significant improvement in their security posture, including a decrease in the number of security incidents and improved customer confidence. The journey was a long one, filled with lessons and significant improvements, and it changed the way CW&L perceived and handled payment card data security.
This is the story of CW&L’s journey from non-compliance to compliance. The details of each phase and the strategies used to overcome the challenges will be further discussed in the subsequent white papers and use cases.
The CW&L story is a testament to how data security should not be an afterthought but a fundamental part of an organization’s strategy and operations, especially when handling sensitive customer data.