Beware the breach.
Over seven hundred million data records were lost or stolen in 2015—1,346 every minute and 22 every second. Data breaches are becoming more common, with companies such as Sony, JP Morgan Chase, Target, and Home Depot among the list of well-known corporate victims. Data breaches are a serious threat companies can’t afford to take lightly. They can cost organizations in lawsuits, insurance claims, cancelled accounts, payment card issuer fines, government fines and more, with the average corporate data breach reaching $3.79 million. A breach may even shut down a business entirely—60 percent of small businesses close within six months of experiencing a data breach.
Stay secure with PCI DSS
In order to protect consumer credit and debit card information, credit card companies adopted a set of standards that apply to any business dealing with cardholder data. Meeting the Payment Card Industry Data Security Standard (PCI DSS) requirements qualifies a business to accept those credit cards online.
According to Rodolphe Simonetti of Verizon Enterprise Solutions, “Compliance needs to be actively maintained. It’s a year-round activity. It should be embedded in the normal business process.” However, Verizon’s 2015 PCI Compliance Report found that 80 percent of businesses fail their interim PCI compliance assessment, meaning they are left vulnerable to cyberattacks. The same report revealed that of all the companies investigated following a breach over the last ten years, not a single one was found to be fully PCI compliant.
Why everyone hates PCI compliance
Clearly PCI compliance needs to be part of an organization’s overall security. So why is there such a disconnect in so many companies?
PCI compliance can be a complicated process that also runs the risk of quickly becoming outdated, especially for small to medium-size businesses that have just crossed the threshold requiring them to meet PCI compliance. One of the time-consuming compliance requirements involves diagramming all the infrastructure that takes payments. Creating a network diagram that makes sense of all those different nodes and connections can be daunting, and it also needs to be continually updated.
The Lucidchart engineering team was all too familiar with how time-consuming PCI compliance can be. The task used to require two days of devoted attention every year to produce a diagram that becomes out of date almost immediately. One member of the team spent hours digging through Amazon Web Services (AWS) trying to pick out components within the scope of PCI, manually copying data about the systems and determining how they all connect in order to piece together a diagram from scratch. Doing so required finding the information and security rules for each machine, identifying every other machine with which it interacted and then finding that same information for those machines. The alternative to the AWS mining ordeal was to work by memory, but doing so risked serious human error.
How we make PCI compliance easier
Meanwhile, our product development team set out to create an AWS import tool for Lucidchart. The goal: simplify, simplify, simplify. As part of the process, the product and engineering teams outlined how they would like to use such an integration for mapping out PCI compliance.
The result is the Lucidchart AWS import feature—a powerful tool allowing anyone to create a network diagram within minutes, even if they know absolutely nothing about the environment. The engineering team’s two-day PCI nightmare suddenly became a simple task involving only a few minutes and far less manual effort. Instead of wasting precious time going back and forth between AWS and their own diagram, the engineering team now imports their AWS architecture directly into Lucidchart. A shape library populates, and they can drag and drop any piece from the imported list. Each piece dropped onto the Lucidchart canvas includes its name and its relationship to other components. By simply clicking a node, the team can view all of its connections. The tool even pulls in metadata, providing valuable information in areas beyond PCI, such as IP address, port information, instance ID, availability zone and launch time. The simplicity of the process reduces the likelihood of human error.
The rules of PCI apply to a particular subset of users and machines—only those potentially affecting the security of credit card data. Most companies are unclear on how to define what is part of that subset. With the AWS import tool, the engineering team has a visual representation of all nodes, allowing them to clearly identify what is within the scope of PCI and what is not. Companies save both time and money when they can accurately determine what must be included, because fewer nodes and users are involved in the assessment. What would normally cost a company at Lucid’s compliance level up to $41,000 in assessments and $81,000 for compliance now costs Lucid only $2,000. By using the Lucidchart AWS import feature, our engineering team made small-scale changes that avoided impacting more parts of our infrastructure and systems than absolutely necessary. They didn’t have to focus on many services within Lucid’s environment, reducing the complexity of Lucid’s compliance.
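The manual procedure described earlier (find each machine’s security rules, identify every machine it talks to, then repeat for those machines) and the scoping question above are the same graph problem. The following is an added example, not Lucidchart’s code or the AWS import feature: it assumes a constructed inventory in the shape of EC2 instances and security-group ingress rules, derives the connections between instances from the rules, walks backwards from the cardholder-data machines to find everything that can reach them, and emits a Graphviz DOT diagram with in-scope nodes highlighted.

```python
# Added example (not Lucidchart's or AWS's code). All instance IDs, names, addresses
# and security groups below are constructed sample data, not real infrastructure.
from collections import deque

INSTANCES = {
    "i-0aaa": {"name": "web",          "az": "us-east-1a", "ip": "10.0.1.10", "sgs": ["sg-web"]},
    "i-0bbb": {"name": "payments-api", "az": "us-east-1b", "ip": "10.0.2.20", "sgs": ["sg-pay"]},
    "i-0ccc": {"name": "card-db",      "az": "us-east-1b", "ip": "10.0.3.30", "sgs": ["sg-db"]},
    "i-0ddd": {"name": "analytics",    "az": "us-east-1c", "ip": "10.0.4.40", "sgs": ["sg-analytics"]},
}
# Ingress rules per security group: (port, source). A source that is another security
# group yields instance-to-instance edges; CIDR sources (e.g. the internet) are left
# for manual review because they do not map to a machine in the inventory.
SECURITY_GROUPS = {
    "sg-web":       [(443, "0.0.0.0/0")],
    "sg-pay":       [(8443, "sg-web")],
    "sg-db":        [(5432, "sg-pay")],
    "sg-analytics": [(9000, "sg-web")],
}

def connections():
    """Directed edges (source instance, destination instance, port) implied by the rules."""
    members = {}
    for iid, inst in INSTANCES.items():
        for sg in inst["sgs"]:
            members.setdefault(sg, []).append(iid)
    edges = []
    for dst, inst in INSTANCES.items():
        for sg in inst["sgs"]:
            for port, src_sg in SECURITY_GROUPS.get(sg, []):
                for src in members.get(src_sg, []):
                    edges.append((src, dst, port))
    return edges

def pci_scope(cde_instances):
    """CDE machines plus every machine that can open a connection into them (transitively).
    Assumption: outbound paths from the CDE are reviewed separately."""
    reachers = {}
    for src, dst, _ in connections():
        reachers.setdefault(dst, set()).add(src)
    seen, queue = set(cde_instances), deque(cde_instances)
    while queue:
        for src in reachers.get(queue.popleft(), ()):
            if src not in seen:
                seen.add(src)
                queue.append(src)
    return seen

def to_dot(scope):
    """Graphviz DOT text: in-scope nodes red, out-of-scope gray, edges labelled by port."""
    lines = ["digraph aws {"]
    for iid, inst in INSTANCES.items():
        color = "red" if iid in scope else "gray"
        lines.append(f'  "{iid}" [label="{inst["name"]}\\n{inst["ip"]} {inst["az"]}" color={color}];')
    for src, dst, port in connections():
        lines.append(f'  "{src}" -> "{dst}" [label="tcp/{port}"];')
    lines.append("}")
    return "\n".join(lines)
```

With this data the analytics host stays out of scope because nothing lets it reach the card database, which is exactly the kind of segmentation decision the assessment cost depends on.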
You can’t secure what you don’t understand
Without the right tools, determining what PCI compliance involves can be difficult; however, the AWS import tool helps make sense of all the complicated information. With a visual representation of your PCI environment, you can easily identify weak spots and determine where controls should be put in place to maintain a secure environment. Systematically created, your diagram is more accurate and not prone to human error. When a new employee joins, they can reference an up-to-date diagram. Thanks to the AWS import, our engineering team gained back precious time and saved the company money, all while staying PCI compliant.