Collectors Alliance Navigates PCI Compliance Standards with Akibia

Collectors Alliance, one of the most trusted names in collecting, is growing quickly. To support that growth it is building out its infrastructure and strengthening its security framework. One important part of this effort is ensuring compliance with industry standards such as the Payment Card Industry Data Security Standard (PCI DSS).

The Challenge

Under the Payment Card Industry guidelines in force at the time, Collectors Alliance is a Level 3 merchant, defined as any merchant processing between 20,000 and 150,000 e-commerce transactions per year. As a Level 3 merchant, Collectors Alliance must validate PCI compliance through an external scan of all Internet-accessible systems, repeated as quarterly network security scans, and by evaluating the organization's security framework against a formal self-assessment questionnaire. Because of Collectors Alliance's commitment to customer satisfaction and data security, the company also wants to understand, and ultimately meet, the more stringent requirements that apply to a Level 2 merchant.

Brian Somach, vice president and CIO of Collectors Alliance, turned to Akibia, a Qualified Data Security Company and a leading IT services provider focused on IT infrastructure consulting, integration and support, to conduct the network scans and review Collectors Alliance's environment against the questionnaire. "On a high level, the PCI requirements are fairly easy to understand, but when you really dig into them it becomes apparent that different aspects of the regulations overlap. You really need an educated and trusted consultant to be able to ensure compliance with the regulations," said Somach. "Akibia certainly proved capable of helping us."

The Solution

Akibia took a three-pronged approach to the PCI assessment: Internet scans and penetration tests, a wireless security review, and a review of the self-assessment questionnaire.

The Internet scans and penetration tests simulated a range of attacks against Collectors Alliance's web server, firewall and VPN, looking for weaknesses through which an attacker could reach customer credit card data and other sensitive customer information.

The wireless security review examined the external and internal wireless access points and how they connect to the internal LAN, which stores, processes and transmits the credit card information. Akibia determined that additional security measures were needed on the access points, such as enabling encryption; Collectors Alliance made these corrections immediately. A second concern was that wireless traffic was not segmented from the rest of the network, which Collectors Alliance is addressing based on Akibia's recommendations. A third finding involved the wireless system that supports the hand-held bar code scanners used for product procurement and delivery: its configuration was not compliant. Akibia recommended configuration changes, and Collectors Alliance's wireless network is now in line with PCI standards.

"Akibia was able to evaluate our network and determine potential vulnerabilities and the few areas in which we were out of compliance with the standard," said Somach. "But the added benefit was that Akibia's team of engineers was able to give suggestions on how to better configure systems to achieve compliance. They had a very sound understanding of our environment as well as the regulations, and helped us to quickly achieve compliance in this area."

Reviewing the self-assessment questionnaire was the third and final step of the PCI assessment. As a Level 3 merchant, Collectors Alliance reviews the questionnaire every quarter, alongside the required network scans, and must show that it is making progress toward compliance in any areas where it falls short.

The Result

Because Collectors Alliance already had a well-configured environment, the company was largely in compliance with the standard, and the assessment served as validation of its existing infrastructure. Areas for improvement were nonetheless identified, including the changes to the wireless network described above and the use of HTTPS for connections to the access points wherever possible.

As Collectors Alliance grows, it will face new and tougher requirements as a Level 2 merchant. Reviewing the self-assessment questionnaire helps Collectors Alliance understand the additional changes it will need to make as the company expands.

"Akibia was a true partner throughout the assessment, and we were grateful to have multiple, qualified engineers working on our project," said Somach. "Because Akibia truly understood our environment and technology processes, they made relevant suggestions to fix our few non-compliance issues."