For any Merchant, the impact of not complying with the Payment Card Industry Data Security Standard (PCI DSS) is very costly. Fines can reach upwards of $500,000 per data security incident and $100,000 per month for non-compliance. Additionally, Merchants suffer a loss of brand value through tarnished reputations when losses or breaches occur. The need for companies to remain in compliance is therefore high value, both financially and reputationally. But managing compliance in Level 1 Merchants (those with greater than 6 million transactions annually) has become a serious challenge. Not only is non-compliance very expensive; the cost for a company to become compliant and sustain compliance has become excessive. Specifically, getting ready for an audit, and ensuring that you have either collected everything the auditors will require access to or know exactly where to get the information or evidence they require at the time of the audit, is arduous and time-consuming. Most organizations manage this data in spreadsheets or in different tools scattered across the organization. This manual approach cannot scale to keep up with the needs of sustained compliance.
Iceberg PCI Program Manager (IPM) for ServiceNow GRC is an out-of-the-box configured PCI management solution targeted directly at PCI Level 1 Merchant organizations. It allows organizations to rapidly organize, manage and store the annual PCI assessments performed by a Qualified Security Assessor (QSA). It provides continuous management and PCI compliance reporting, with actionable remediation alerts routed to the Internal Security Assessor (ISA) and their team. By readily providing complete visibility into the compliance status of the corporate PCI program, the organization can deliver accurate and detailed communication to all stakeholders.
Iceberg PCI Program Manager addresses the following challenges faced by larger Merchants:
- Proper scoping of the Cardholder Data Environment (CDE), and subsequent validation that the scope has been correctly defined and documented (this accounts for at least 50% of the effort on an annual assessment by the QSA)
- Organized collection and storage of evidence, including version control, used to support control assessments (this is the second largest consumer of time)
- Continuous management of control assessments during the year and leading up to the annual assessment
- Managing the remediation activities to address any gaps, as well as the re-test of the associated controls when they are found not to be in compliance
- Connecting the Approved Scanning Vendor (ASV) scan details with the internal Vulnerability Management Program, while keeping traceable evidence that specific failed scan results are linked to Vulnerability Response activities and re-scan confirmations
- Accurately completing the annual assessment by/for the QSA, with specific detail captured on how each control was verified
- Program reporting using centrally available, current information