Trusted Client, Financial industry


Security Assessment, IT Services


May 30, 2011

Project Budget


Project length

2 months

Project Details


A national financial industry organizaton with a centralized organization operating in 7 countries cross the Nordic and Baltic reigions was subject for annual Payment Card Industry/Data Security Standard (PCI/DSS) assessment.   

The overall organization consist of 10 data centres where payment transactions were card data was transmitted, processed and stored. The work was seperated into 10 sub-projects where each data centre was assessed alone. They all shared main processes and payment gateways but each data centre stored their own data to adhere to each centres local Law. The goal for the project were to prepare the organization for their annual audit and PCI/DSS assessment. 


The organization had several seperate architects and blue print that needed to be consolidated to provide an overview of data transfer that included all network, firewalls, gateways, systems, databases and storage environments. 

In addition the organization needed help to create a plan for IT-environmental progress towards external PCI/DSS compliance covering all locations inside the organizations scope. As of deliverables, a draft Report Of Compliance (ROC) was required to provide a proper understanding of the current posture and maturity. 


In order to ensure a consistent approach, the project was run in all 7 countries simultanesously. 

Each country was assessed as for their current network, firewall and gateway usage compared to the PCI/DSS requirements. Where discrepancy existed, the network firewall and gateways used where either replaced, re-configured ot migrated to adhere to existing valid network, firewalls and gateways for secure transmissions. 

  Payment Card Data Security 

  for Bank and Finance Industry

Do you need similar expert help?

Contact Fogel Consulting through the contact form to receive further information and possibility to present your own case and business needs.


The overall set of completed deliverables included a ROC covering PCI/DSS Version 3.1 requirements for: 

  1. Install and maintain a firewall configuration to protect cardholder data
  2. Do not use vendor-supplied defaults for system passwords and other security parameters
  3. Protect stored cardholder data
  4. Encrypt transmission of cardholder data across open, public networks

  5. Protect all systems against malware and regularly update anti-virus software or programs

  6. Develop and maintain secure systems and applications

  7. Restrict access to cardholder data by business need to know

  8. Identify and authenticate access to system components

  9. Restrict physical access to cardholder data

  10. Track and monitor all access to network resources and cardholder data

  11. Regularly test security systems and processes

  12. Maintain a policy that addresses information security for all personnel

The project achieved identifying client specific PCI/DSS  compliance issues, remediation planning and documentation of supporting processes, tools, and evidence for audit purposes in alignment with Global payment industry policy. Activites that were identified in need of re-design, an architectual change or, to be replaced, was summarised into a new post audit project for completion within 90 days of assessment end.