PCI Compliance Validation and Penetration Testing

Level 1 service provider

HostedPCI case study

HostedPCI is a solutions provider that aims to give eCommerce companies ownership and control over their data. In order to build trust with their clients, and show how reliable their own privacy-focused offering is, they needed to ensure they continuously stayed PCI DSS Level 1 compliant as an organization.

Services provided

  • Compliance Validation
  • Penetration Testing

As a Level 1 service provider, HostedPCI manages cardholder processing data and tokenization services for card-not-present transactions on behalf of many high-profile, high-volume customers — including Major League Baseball, the Toronto Blue Jays, Six Flags resorts, and Cineplex theatres. HostedPCI engaged MNP to conduct their Report on Compliance — an annual requirement for retaining payment card industry data security standard (PCI DSS) compliance.

The project included an onsite certification assessment and penetration testing exercise to ensure the integrity of HostedPCI’s three client service solutions:

Checkout Express Edition – Provides e-commerce merchants with full control of their online checkout pages.

Payment Vault Tokenization Module – Fully-integrated solutions that allow token exchange between e-commerce, order management, call centres, and customer relationship management applications.

Call Centre Edition – Creates a straightforward path to PCI DSS compliance for multi-channel merchants, allowing them to protect their call centres from credit card theft.

The challenge

Reputation management
Beyond merely meeting the industry standard, HostedPCI’s brand and reputation rely on their airtight record of PCI DSS compliance and on protecting their clients’ financial data and information. The success of this project would hinge on whether HostedPCI could retain their PCI certification and effectively identify and eliminate vulnerabilities in their environment.

Dynamic risk environment
The risks and threats involved in the PCI environment are always in flux. Cyber criminals are constantly pursuing new means of attack. The efficacy of this engagement depended on identifying and eliminating all potential gaps through a comprehensive penetration testing exercise.

The approach

Identify success factors
MNP’s first step was to identify the project goals and create a workplan and schedule for achieving them. These included identifying any gaps in HostedPCI’s payment card architecture that could potentially compromise financial or customer data and compiling a comprehensive compliance report that met HostedPCI’s timeline for attestation.

Knowledge leadership
Contributing to the project’s timely success, MNP leveraged our multidisciplinary expertise, including a dedicated project manager, penetration tester, and certified Qualified Security Assessor (QSA). The project manager created a comprehensive workplan, communications plan, and engagement schedule to meet HostedPCI’s requirements. The penetration tester and QSA collaborated to identify vulnerabilities and ensure HostedPCI’s framework met or exceeded the requirements for certification.

Maximizing facetime
MNP invited the HostedPCI team to our local office to conduct the required documentation review and staff interviews. Maximizing facetime with the client significantly expedited the process and allowed for a thorough and effective analysis of their PCI posture.

The result

Penetration test report
MNP produced a Penetration Test Report that outlined all potential vulnerabilities identified in HostedPCI’s PCI DSS environment. The report confirmed that no significant vulnerabilities were present, and that the client would be eligible for PCI DSS certification.

Attestation of compliance
MNP compiled the information within the penetration test report, staff interviews, and documentation review into an attestation of compliance that HostedPCI could then use to prove their status as PCI compliant and retain their PCI certification. This allows them to continue running a successful, secure business for their customers while maintaining their reputation for providing industry-leading transaction security services.
