In this case study, Anedot works with SecurityMetrics to strengthen its security program and to reach PCI DSS v4.0 compliance.
One of the trickiest elements of PCI compliance is that the requirements change over time, so organizations that must comply with PCI DSS often struggle to learn each new set of requirements.
Anedot, a software company whose fundraising tools help customers save time and money, took a proactive approach to adopting PCI DSS v4.0 and becoming compliant.
Director of Engineering Ryan Kuenneke has worked with Anedot for almost four years. During this time, he has served on Anedot’s risk committee and taken on tasks such as data management. In this case study, we examine Ryan’s experience working with SecurityMetrics to adopt the new PCI DSS v4.0 standard.
Three years ago, Anedot began its PCI compliance journey with SecurityMetrics under PCI DSS version 3.2.1. With the introduction of PCI DSS version 4.0, Ryan’s team at Anedot faced a decision: they could either continue with the familiar version 3.2.1 for one more year or proactively take on v4.0.
Anedot decided to take the higher, trickier road to compliance with the new standard. Ryan explains their reasoning as, “We were anxious to ensure we are leading the industry as far as making sure our compliance was in order.” Their commitment to customer data protection helped them become more secure while also giving them extra time to iron out any kinks with the new standard.
When Ryan first heard about PCI version 4.0, his knowledge was limited to the top ten changes. The ambiguity surrounding some of the new controls' requirements posed a challenge for his position at Anedot. However, with SecurityMetrics’ guidance, he navigated these changes effectively, saying, “SecurityMetrics helped me prepare for those changes and answered questions about some of the more specific changes.”
Typically, transitioning to a new compliance standard demands more from compliance and IT teams, increasing their workload and requiring broad company-wide participation. However, Ryan’s team found the compliance process surprisingly manageable. Ryan said he didn’t “think it was much harder, and I have to equate that with SecurityMetrics helping us out with version 4.0.”
SecurityMetrics and Ryan’s team maintained open communication, discussing changes and requirements well before the actual assessment. This proactive approach ensured that Anedot was well-prepared for the new standards.
Preparation for the PCI DSS certification process began months before the assessment. This early start allowed Anedot and SecurityMetrics to set clear expectations of deadlines.
One of the key differences in version 4.0 was the need for targeted risk assessments, which are highly specific to a business’s environment. Ryan found that “there weren’t template documents on which specific requirements had to be assessed because targeted risk assessments are pretty specific to an environment.”
Ryan’s team worked closely with the SecurityMetrics audit team to understand these requirements, ensuring they met all necessary criteria.
SecurityMetrics’ use of Suralink for evidence collection proved invaluable. Ryan’s team at Anedot could review past assessments and track changes in requirements. Being able to look through past audits made it easier for the team to identify new items and to organize the needed evidence efficiently.
As Ryan put it, “Being able to look at the requirements numbered out and seeing what we’d provided previously and what new things we needed to do was helpful.”
Ryan also found that being able to quantify the changes and understand deadlines from a project management perspective made it easy to streamline the entire PCI audit process.
Ryan sees the relationship between Anedot and SecurityMetrics as built on trust and responsiveness. “Everybody at SecurityMetrics responds very quickly when you have a question. There’s always an ongoing dialogue between teams, even in evidence collection, which makes everything easier.”
The ongoing dialogue between teams, even during evidence collection, facilitated a smoother and more efficient assessment process.
In fact, Anedot’s positive experience with SecurityMetrics has led them to recommend the audit team to other companies seeking PCI compliance.
When asked if he’d recommend SecurityMetrics to other companies, Ryan said, “Absolutely, and I already have.”
Ryan emphasizes the quick response times and the continuous support from the SecurityMetrics team as key factors in Anedot’s successful compliance journey.
SecurityMetrics secures peace of mind for organizations that handle sensitive data. They have tested over 1 million systems for data security and compliance. Industry standards don't keep pace with the threat landscape, which is why they hold their tools, training, and support to a higher, more thorough standard of performance and service. Never have a false sense of security.™