Brabeion Solutions

The IT Governance, Risk and Compliance Challenge for Retail

Credit cards have increasingly become the payment method of choice, which has opened new opportunities for credit card fraud and identity theft. The fragmentation of the payment process across multiple steps and multiple entities (the merchant, the service provider, the credit processing entity, etc.) creates multiple entry points for thieves to access and misuse customer information. The Payment Card Industry (PCI) program has placed significant pressure on retailers to establish solid enterprise-level security programs.

The PCI DSS program creates a unified set of security requirements and standards for all credit card types, as defined by Visa and MasterCard and endorsed by the other major credit card brands. This program provides a clear set of security standards to follow in order to reduce the risk of credit card fraud and identity theft. Failure to comply may result in prohibition from participation in credit card processing programs, which could greatly impact a retailer's ability to conduct business.

Costs associated with demonstrating compliance with these requirements can be substantial, and those companies that can reduce these costs and transition the compliance effort into an operational facet of their business will be much more successful. Regulations are centered on the identification and definition of controls and the establishment of a solid security process within the organization. The challenge lies in meeting these requirements in the context of the business and clearly articulating the control infrastructure. An extensible framework that manages both control definitions and regulatory requirements, together with compliance measurement and reporting, is necessary for retailers to ensure compliance efficiently and effectively.

Brabeion for PCI
Brabeion for PCI provides out-of-the-box policies, procedures, standards and controls along with assessment surveys, allowing customers to streamline the compliance process, automate assessments and lower test costs by up to 50%.

Brabeion for PCI allows customers to jump-start PCI compliance programs by conducting continuous, automated assessments internally or with 3rd parties, and by providing the insight and information required to manage and mitigate risk. Organizations complying with multiple regulations may easily build on their PCI compliance program by later adding content from over 30 regulations, including SOX, GLBA and HIPAA, as their IT GRC programs mature.

  • Decrease time to conduct self-assessments from weeks to days
  • Streamline, automate and lower test costs, analysis and remediation by up to 50%
  • Decrease costs of onsite audits by at least 50% with an automated self-assessment questionnaire (SAQ)
  • Increase efficiency and accuracy through automated assessments for people/roles, processes and technologies
  • Distribute surveys to employees and 3rd parties via web or MS Excel
  • Measure compliance with comprehensive PCI dashboards and reports

Brabeion Knowledgebase
The Brabeion Knowledgebase consists of industry-leading, robust content, including PCI-specific best-practice content for people, processes and technology configuration. Key components include:

  • PCI DSS v1.1 policies based on PricewaterhouseCoopers standards covering the major PCI requirements
  • PCI Standards Council v1.1 automated Self-Assessment Questionnaire (SAQ)
  • Role Assessment “checklist” for PCI audit prep with 130 questions in 8 key roles
  • Process Assessments covering 182 questions in 12 key processes, based on PCI Security Audit procedures
  • Technology Assessments covering a library of over 6000 controls-based questions


Brabeion On Demand: The Choice is Yours
Brabeion for PCI is also offered as software-as-a-service.

Brabeion Solutions:

Brabeion Software solutions eliminate the exposure of information security programs to repeat audit findings, regulatory violations and fines, protecting brand, customer and commercial relationships. Our solutions ensure that audit-proven IT security controls, maintained by experts including PwC, are mapped to regulations, customized for business requirements and communicated to employees, partners, auditors and regulators. Online dashboards measure and manage business risk, compliance and security program metrics, and audit readiness down to the asset level. Our solution reduces the complexity of compliance and the cost of audits across global and heterogeneous environments.
