Compliance processes have a reputation for being expensive, time-consuming, and fraught with difficulties — and sometimes certifications are looked upon with skepticism. However, most of the PCI requirements are common-sense best practices that any organization concerned with security should adopt. At MineralTree, we use Threat Stack to mitigate security threats. Additionally, Threat Stack helps us adhere to PCI requirements and document our compliance.
Let me explain . . .
MineralTree makes the easiest-to-use mobile and online AP automation software for finance professionals at growing organizations. Whether you’re a controller, AP manager, CFO, or other payment approver, MineralTree’s invoice payment processing solution streamlines AP, giving you significant cost savings and unparalleled control in an affordable, integrated platform with guaranteed fraud protection.
Our partner banks and customers expect MineralTree to be PCI compliant to assure that their data is secure. (As you probably know, PCI DSS — the Payment Card Industry Data Security Standard — applies to any organization, regardless of size or number of transactions, that accepts, transmits, or stores any cardholder data.) Despite being a recent entrant into the credit card processing space, MineralTree puts a premium on security and has obtained the most difficult level of PCI Certification, Level 1. A Level 1 certification requires a third-party audit from a certified auditor.
As MineralTree’s Director of Operations, I was challenged with making MineralTree’s processes and procedures comply with PCI standards and pass a PCI audit. To do so, our team set up multiple technologies and services including server configuration management, two-factor authentication to sensitive systems, web application firewalls, NTP for clock synchronization, network and host intrusion detection, log management and archiving, and file integrity monitoring and management. Procedures needed to be implemented to routinely update our risk assessment and vulnerability management. Changes to the application were also required. More stringent processes for managing encryption keys and key rotation needed to be developed and integrated into the MineralTree application.
In the face of all of this work, it was a relief to know how much we didn’t have to do because we were already using Threat Stack’s Cloud Security Platform®.
Here’s why . . .
The Solution: Threat Stack
In order to pass a PCI audit, an organization must demonstrate to the auditor that it has documented controls it can use to handle cardholder data securely. Any systems inside the network that process or otherwise contain cardholder data are considered in PCI scope and require that these controls be applied. It’s standard practice to segregate these systems and networks from everything else as a way to improve security, and it’s also imperative that these in-scope systems have tools to protect the security of the cardholder data.
MineralTree was already using Threat Stack’s Cloud Security Platform because its suite of security features significantly mitigates risk. As it happens, these same features deliver much of what’s required of a PCI audit:
- Real-time system access monitoring and system user activity monitoring via Threat Stack’s Host Intrusion Detection (HIDS) capabilities
- Ongoing vulnerability assessments that allow us to update our systems to the most recent and least vulnerable packages
- File Integrity Monitoring (FIM) that enables us to ensure the safety of sensitive data by alerting whenever sensitive files are accessed
- The recording and archiving of all related events that can be used if a breach occurs and a forensic analysis is required. (This includes the ability to maintain archived records in a manner that they can’t be tampered with.)
The audit itself was a rigorous assessment that required all relevant policies and procedures as well as technical details and evidence to be documented. Additionally, we were required to demonstrate that the Threat Stack agent does not manipulate or collect any sensitive data, and cannot perform any command and control.
We received our PCI certification. Threat Stack enabled us to meet several PCI requirements simultaneously with one solution, greatly simplifying the compliance process.
Final Words . . .
Our story doesn’t end with achieving PCI compliance — as important as that process was. Security is a perpetual work in progress.
Threat Stack has continued to add value through innovations and improvements to their platform. Over time, it has become easier to use because of streamlined workflows, modifications to the user interface, and other improvements. They’ve also added a lot of useful features, including a daily report of installed applications with newly identified security issues that need to be mitigated.
Finally, we are very satisfied with Threat Stack. Since implementing Threat Stack, our security stance has been significantly enhanced. After passing our PCI audit, we are able to provide our partners and customers additional assurance that our offering is valuable and secure. And as we have scaled by adding new customers to our growing fold, Threat Stack has scaled with us, ensuring comprehensive security as well as our ability to maintain PCI compliance.