Case Study

A Success Story of How We Strengthened the Security of a Leading U.S. Bank with Our PCI DSS Compliance Assessment

Company Overview

We recently completed a comprehensive PCI DSS compliance assessment for one of our clients, a prominent retail bank in the United States known for its extensive range of financial services. With a workforce of over 15,000 employees and a nationwide network of branches and ATMs, this financial institution has been a trusted name in providing personal banking, credit cards, loans, and wealth management solutions to millions of customers. In the last ten years, the bank has experienced rapid growth, driven by digital innovation, and has become a leader in the financial industry. Through the introduction of mobile banking apps, 24/7 customer support, and financial loan processing, the bank has set new standards in innovation, customer service, and operational excellence.  

Challenges

With a large volume of transactions processed daily and sensitive cardholder data at stake, our client needed a thorough assessment of their existing cryptographic infrastructure across multi-cloud and on-premises environments. Therefore, they brought us on board to perform an encryption assessment to ensure compliance with PCI DSS standards.  

Our assessment uncovered several critical gaps that together explained why the bank was struggling to comply. In particular, the institution had not kept pace with PCI DSS 4.0, which tightened authentication requirements (longer passwords, account lockout, and multi-factor authentication for all access into the cardholder data environment) and raised the bar for how stored account data must be protected. They turned to us for an in-depth review of their cryptographic setup, and we delivered both the assessment and a remediation plan to close the gaps.

The bank relied on plain one-way hashing to render stored cardholder data unreadable, covering the primary account number (PAN), cardholder name, expiration date, and service code (of these, PCI DSS only requires the PAN to be rendered unreadable, and the PAN is exactly where the scheme was weakest). A one-way hash cannot be inverted, but that offers little protection when the input space is small: a PAN is at most 19 digits, the first six to eight (the BIN) are public, the last four appear on receipts and statements, and the Luhn check digit fixes one more. An attacker holding the database can simply hash every remaining candidate and compare. The hashes were neither keyed nor salted, and salting alone would not have fixed this, because the salt is stored beside the digest and only defeats precomputed tables, not enumeration.

These unkeyed digests were therefore vulnerable to brute-force and precomputed (rainbow-table) attacks. PCI DSS 4.0 closes this gap explicitly: Requirement 3.5.1.1 requires that hashes used to render the PAN unreadable be keyed cryptographic hashes of the entire PAN, with the key managed under Requirements 3.6 and 3.7. The bank's approach could not meet that requirement and left cardholder data exposed to anyone who obtained a copy of the hashed records.

We also found several systems still negotiating obsolete protocols: SSL (2.0 and 3.0) and early TLS (1.0 and 1.1), all of which are formally deprecated (SSL 3.0 by RFC 7568, TLS 1.0 and 1.1 by RFC 8996). These versions depend on MD5 and SHA-1 in their handshake and record protection, accept cipher suites built on RC4 and 3DES, and have practical attacks against their CBC modes (POODLE against SSL 3.0, BEAST against TLS 1.0). A network attacker in a man-in-the-middle position can force a downgrade to one of these versions wherever they remain enabled and then recover or tamper with session data, so cardholder data in transit was at real risk of exposure.

We also identified that encryption keys were stored in the same environment as the data they protected, for example in the same database or on the same server. Anyone who compromised that environment would obtain both the ciphertext and the key needed to decrypt it, so the encryption added no real barrier. PCI DSS 4.0 Requirement 3.6.1.2 expects the keys that protect stored account data to be held inside a secure cryptographic device (such as an HSM), encrypted under a separately stored key-encrypting key, or split into key components; co-locating keys and data satisfies none of these and left the bank non-compliant with the PCI DSS key management requirements.

We also discovered that some third-party service providers, including payment processors and cloud providers, could not demonstrate PCI DSS compliance for the services they performed on the bank's behalf; in several cases cardholder data passed through or rested with them without adequate encryption or access control, leaving it exposed to theft or misuse. Under PCI DSS Requirement 12.8 the bank remains responsible for this risk: it must keep an inventory of its providers, hold written agreements in which each provider acknowledges its responsibility for the cardholder data it handles, and monitor each provider's compliance status at least annually. Our encryption assessment identified these gaps and the risks they created.

Moreover, their data retention policies were weak. Sensitive Authentication Data (SAD) is the security-related information used to authenticate cardholders and authorize transactions: full track data from the magnetic stripe or chip, the card verification code (CAV2, CVC2, CVV2 or CID), and PINs and PIN blocks. PCI DSS Requirement 3.3.1 forbids retaining SAD after authorization, even in encrypted form. In our client's case, however, SAD was not consistently deleted from databases once the authorization had completed.

With a clear understanding of these challenges, we proposed a remediation plan to address them and bring the bank a step closer to PCI DSS compliance.

Solution

Our goal was clear: to find security pain points in our client’s cryptographic environment and ensure they complied with PCI DSS 4.0. The primary objective of the PCI DSS guidelines is to protect sensitive cardholder data and minimize risks caused by its improper handling. 

We began our assessment by gathering the necessary information to understand their existing cryptographic policies, standards, procedures, and other relevant documents. This helped us to gain a comprehensive view of their applied cryptographic practices and identify areas for improvement. 

We conducted workshops with identified stakeholders to gain an in-depth understanding of their cryptographic environment and the encryption techniques currently used to secure cardholder data. Additionally, we assessed the effectiveness of key management processes, access controls, and other security measures. We then mapped how sensitive data flows from the ingress to the egress point within the organization’s cryptographic infrastructure. This helped us identify key areas in scope and associated potential risks.  

We established specific use cases, including assessing the security of sensitive cardholder data stored in databases and multi-cloud environments, as well as evaluating its protection during transit. We also reviewed the effectiveness of the Key Management System (KMS) in ensuring secure management, storage, and rotation of encryption keys. Then, we focused on establishing strong and compliant cryptographic controls and policies to enhance overall security.  

This was accompanied by a detailed gap analysis that assessed their existing cryptographic controls, policies, standards, and procedures and evaluated all the crucial aspects of security requirements against the PCI DSS 4.0 standards. The results of this analysis were compiled into a detailed report that highlighted the security gaps, areas of non-compliance, and associated risks and recommended a remediation plan to address these issues. 

We recommended updating their password policies to the PCI DSS 4.0 baseline: a minimum length of 12 characters containing both letters and numbers (Requirement 8.3.6), automatic lockout after no more than ten consecutive failed attempts, lasting at least 30 minutes or until an administrator verifies the user's identity (Requirement 8.3.4), and secure identity verification before an account is recovered or a password is reset. We also advised a password history policy that blocks reuse of at least the last four passwords (Requirement 8.3.7), so a user cannot rotate back to a password they have recently used.

We also recommended multi-factor authentication (MFA) for all access into the cardholder data environment (CDE), whether from cloud, on-premises or remote systems, as PCI DSS 4.0 requires: Requirement 8.4.2 covers all non-console access into the CDE and Requirement 8.4.3 covers all remote network access originating from outside the bank's network. In practice this means two MFA checkpoints for a remote user: one to reach the corporate network, and a second when connecting from that network to the CDE entry point, such as the bastion host (a hardened server that acts as the sole entry point to internal systems). Access to cardholder data is therefore gated twice, and a compromised remote session on its own does not reach the CDE.

Additionally, we suggested strengthening existing Role-Based Access Control (RBAC) to ensure users only have access to necessary resources, along with adopting robust key management practices to secure encryption keys and enforce regular key rotation. 

We also suggested adding FIDO-based (Fast Identity Online) authentication for higher-risk access paths, such as remote access to cardholder data or administrative access to critical infrastructure. FIDO replaces passwords with public-key cryptography: the private key never leaves a hardware security key or the device's platform authenticator, it is unlocked locally by a PIN or biometric, and the signed challenge is bound to the site's origin, so a credential captured by a phishing page is useless anywhere else. This gives phishing-resistant authentication that can also satisfy the PCI DSS 4.0 MFA requirements, since it combines possession of the authenticator with a local knowledge or inherence factor.

Then, we advised replacing the unkeyed digests with a keyed cryptographic hash such as HMAC (Hash-based Message Authentication Code). HMAC mixes a secret key into the hash computation, so only a party holding the key can produce or verify a digest; this is what lets it serve as an integrity and authenticity check on messages. For stored PANs the benefit is different and decisive: an attacker who obtains the digests, the salts and the entire database still cannot run the brute-force enumeration described above, because without the key they cannot compute the digest of even a single candidate PAN. This is exactly what PCI DSS 4.0 Requirement 3.5.1.1 asks for (a keyed hash of the entire PAN), and it shifts the security of the scheme onto the key, which must therefore be generated, stored and rotated under the key management controls of Requirements 3.6 and 3.7, ideally inside an HSM. Two caveats apply: the HMAC key must never sit in the same database as the digests, and where a truncated PAN and a hash of the same PAN are both stored, controls are needed so the two cannot be combined to reconstruct the original PAN.
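To make the argument in the two passages above concrete (the brute-force weakness of the bank's unkeyed hashes, and why a keyed hash closes it), here is an added example in Python; it is not part of the original case study and not the client's code. It constructs a syntactically valid sample PAN, stores it both as a salted SHA-256 digest and as an HMAC-SHA256 digest, and then plays the attacker: knowing only the BIN and the last four digits, it enumerates the remaining candidates and recovers the PAN from the salted digest in about a second, while the same enumeration yields nothing against the keyed digest because candidate HMACs cannot be computed without the key. The PAN, salt and key are constructed for the demonstration, and the 16-digit, six-digit-BIN layout is an assumption.

```python
import hashlib
import hmac
import secrets
from typing import Optional

# Added example (not part of the original case study): why an unkeyed hash of
# a PAN is brute-forceable even when salted, and why a keyed hash (HMAC) is not.
# The PAN, salt and key below are constructed for the demonstration only.


def luhn_sum(pan: str) -> int:
    """Luhn checksum of a full PAN: double every second digit from the right."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total


def complete_pan(first15: str) -> str:
    """Append the Luhn check digit to the first 15 digits of a 16-digit PAN."""
    return first15 + str((-luhn_sum(first15 + "0")) % 10)


def unkeyed_hash(pan: str, salt: bytes) -> str:
    """The legacy scheme: SHA-256 over salt || PAN, with the salt stored beside the digest."""
    return hashlib.sha256(salt + pan.encode()).hexdigest()


def keyed_hash(pan: str, key: bytes) -> str:
    """PCI DSS 4.0-style keyed hash: HMAC-SHA256 under a key held outside the database."""
    return hmac.new(key, pan.encode(), hashlib.sha256).hexdigest()


def recover_pan(digest: str, bin6: str, last4: str, salt: bytes) -> Optional[str]:
    """Attacker's view of the unkeyed scheme. Known: the digest, the salt stored
    next to it, the six-digit BIN (public) and the last four digits (printed on
    receipts). Only digits 7-12 are unknown, and Luhn pins one of them, so at
    most 10^5 candidate digests need computing for a 16-digit PAN."""
    for head in range(100_000):
        stem = f"{bin6}{head:05d}"
        # Digit 12 sits at an undoubled Luhn position, so it is whatever brings
        # the checksum of the full number to a multiple of ten.
        missing = (-luhn_sum(stem + "0" + last4)) % 10
        candidate = stem + str(missing) + last4
        if hmac.compare_digest(unkeyed_hash(candidate, salt), digest):
            return candidate
    return None


# Constructed sample: a syntactically valid PAN, not a real account.
SAMPLE_PAN = complete_pan("453201511283036")               # 4532015112830366
SALT = bytes.fromhex("0f1e2d3c4b5a69788796a5b4c3d2e1f0")  # constructed; stored with the digest
HMAC_KEY = secrets.token_bytes(32)                          # in production: generated and kept in an HSM/KMS


def demo() -> tuple[Optional[str], Optional[str]]:
    """Returns (PAN recovered from the salted SHA-256, PAN recovered from the HMAC)."""
    bin6, last4 = SAMPLE_PAN[:6], SAMPLE_PAN[-4:]
    salted = unkeyed_hash(SAMPLE_PAN, SALT)
    keyed = keyed_hash(SAMPLE_PAN, HMAC_KEY)
    # Unkeyed: the salt gives no protection once it is in the attacker's hands.
    from_salted = recover_pan(salted, bin6, last4, SALT)
    # Keyed: without HMAC_KEY the attacker can only test unkeyed guesses
    # against the keyed digest, which never match.
    from_keyed = recover_pan(keyed, bin6, last4, SALT)
    return from_salted, from_keyed


if __name__ == "__main__":
    print(demo())
```

The comparison uses `hmac.compare_digest` so that a lookup service built on the same code does not leak timing information, and the whole point of the keyed variant is that `HMAC_KEY` lives in the HSM or KMS and never in the table that holds the digests; if the key is stored alongside them, the scheme collapses back to the unkeyed case.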

Given the PCI DSS 4.0 requirement for strong cryptography on any transmission of cardholder data over open, public networks (Requirement 4.2.1), we recommended raising the floor to TLS 1.2 and disabling SSL, TLS 1.0 and TLS 1.1 everywhere, with TLS 1.3 preferred wherever both endpoints support it. TLS 1.2 should be configured to offer only forward-secret AEAD cipher suites (ECDHE with AES-GCM or ChaCha20-Poly1305) and no RC4, 3DES or static RSA key exchange, and the change should be verified by scanning every external and internal endpoint rather than by configuration review alone, since legacy listeners often survive on forgotten hosts.

Additionally, to shrink the number of systems that ever handle a real PAN, and taking into account the client's cryptographic environment and specific needs, we recommended vault-based tokenization: replacing the PAN with a unique, randomly generated, non-sensitive token of the same format. A hardened tokenization vault holds the only mapping between tokens and PANs, so an attacker who compromises an application, database or log store downstream finds only tokens, which carry no value and cannot be reversed without the vault. Only explicitly authorized systems, such as the payment processor integration, may call the vault to map a token back to the PAN, and every such call is logged. Tokenization protects the confidentiality of cardholder data and reduces PCI DSS scope for systems that hold only tokens; the vault itself, however, is squarely in scope and must be segmented, monitored and protected as a core part of the CDE.
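The Python class below is an added illustration of the vault design described above; it is not the client's implementation or any vendor's product. It assumes that tokens preserve the PAN's length and last four digits, that tokenizing the same PAN twice must return the same token (so the vault keeps a lookup index, itself a keyed hash rather than a plain digest so that the index cannot be brute-forced the way unkeyed PAN hashes can), and that detokenization is restricted to a short allow-list of caller identities and audited. Caller names, keys and the sample PAN are constructed for the demonstration.

```python
import hashlib
import hmac
import secrets

# Added example (not from the original case study): a minimal vault-based
# tokenization service. Assumptions: tokens keep the PAN's length and last four
# digits, the same PAN always maps to the same token, only an allow-list of
# callers may detokenize, and every vault call is audited. Keys, caller names
# and the PAN below are constructed for the demonstration.


class TokenVault:
    def __init__(self, index_key: bytes, may_detokenize: frozenset[str]):
        self._index_key = index_key            # in production: held in the KMS/HSM, not in the vault DB
        self._may_detokenize = may_detokenize  # e.g. frozenset({"payment-processor"})
        self._pan_by_token: dict[str, str] = {}
        self._token_by_index: dict[str, str] = {}
        self.audit: list[tuple[str, str, str]] = []   # (event, caller, token)

    def _index(self, pan: str) -> str:
        # Lookup index for "have we seen this PAN before?". A keyed hash, not a
        # plain digest: otherwise the index is a brute-forceable copy of every PAN.
        return hmac.new(self._index_key, pan.encode(), hashlib.sha256).hexdigest()

    def _mint_token(self, pan: str) -> str:
        # Format-preserving: random digits for everything but the last four, so the
        # token can flow through systems that display or match on last-four.
        body = "".join(str(secrets.randbelow(10)) for _ in range(len(pan) - 4))
        return body + pan[-4:]

    def tokenize(self, pan: str, caller: str) -> str:
        if not pan.isdigit() or not 13 <= len(pan) <= 19:
            raise ValueError("not a PAN-shaped value")
        idx = self._index(pan)
        token = self._token_by_index.get(idx)
        if token is None:                      # first sighting of this PAN: mint a unique token
            token = self._mint_token(pan)
            while token in self._pan_by_token or token == pan:
                token = self._mint_token(pan)
            self._token_by_index[idx] = token
            self._pan_by_token[token] = pan    # the only place the PAN is kept
        self.audit.append(("tokenize", caller, token))
        return token

    def detokenize(self, token: str, caller: str) -> str:
        if caller not in self._may_detokenize:
            self.audit.append(("detokenize-denied", caller, token))
            raise PermissionError(f"{caller} is not authorized to detokenize")
        pan = self._pan_by_token[token]        # KeyError for a token the vault never issued
        self.audit.append(("detokenize", caller, token))
        return pan


def demo() -> dict:
    """Walks one PAN through two front ends, a denied reader and the authorized processor."""
    vault = TokenVault(index_key=secrets.token_bytes(32),
                       may_detokenize=frozenset({"payment-processor"}))
    pan = "4532015112830366"                   # constructed; syntactically valid, not a real account
    t_web = vault.tokenize(pan, caller="checkout-web")
    t_app = vault.tokenize(pan, caller="mobile-app")
    try:
        vault.detokenize(t_web, caller="reporting-db")
        reporting_denied = False
    except PermissionError:
        reporting_denied = True
    return {
        "same_pan_same_token": t_web == t_app,
        "token_keeps_last4": t_web[-4:] == pan[-4:] and t_web != pan,
        "reporting_denied": reporting_denied,
        "processor_round_trip": vault.detokenize(t_web, caller="payment-processor") == pan,
        "audit_events": len(vault.audit),
    }


if __name__ == "__main__":
    print(demo())
```

Two design points worth carrying into a real deployment: production vaults usually also guarantee that a token fails the Luhn check (or carries a reserved prefix) so it can never be mistaken for a live PAN, and the PAN column behind `_pan_by_token` is itself encrypted under KMS-managed keys, since the vault is the one place where the plaintext PAN must exist.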

We advised adopting a dedicated Key Management System (KMS) so that encryption keys live in an isolated environment, separate from the data they protect, with data-encrypting keys wrapped by key-encrypting keys that never leave the KMS. An attacker who compromises the data store then holds only ciphertext and wrapped keys, and one who compromises the KMS alone holds keys but no data. Additionally, we advised backing the KMS with hardware security modules (HSMs) so that key-encrypting keys are generated, stored and used inside tamper-resistant hardware and are never exposed in plaintext.

We reviewed the security practices of the third-party vendors in our client’s cryptographic environment. Then, we recommended enforcing stronger compliance checks, including regular risk assessments and security audits. Additionally, we advised ensuring adherence to PCI DSS requirements through contractual agreements and continuous monitoring. These measures aim to protect cardholder data and achieve PCI DSS compliance. 

As part of our assessment, we also reviewed their data storage practices and identified areas where Sensitive Authentication Data (SAD) retention policies were not fully enforced. These policies define how long data may be stored, when it must be deleted, and how it is handled to satisfy legal, regulatory and security requirements. To resolve this, we recommended changing the transaction pipeline so that SAD is securely deleted automatically as soon as authorization completes; masking or encrypting it is not an acceptable alternative, since Requirement 3.3.1 prohibits retaining SAD after authorization in any form. We further advised regular automated audits of databases, logs and free-text fields (where track data and verification codes tend to leak) to confirm that nothing is retained by accident.
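As an added example of the post-authorization handling recommended above (not code from the original case study), the Python below shows two pieces a practitioner would wire into the transaction pipeline: a purge step that removes SAD from a record once authorization completes, including track data and verification codes pasted into free-text fields, and an audit function that scans stored records for SAD that slipped through. Field names, regular expressions and sample records are constructed for the demonstration; the track patterns follow the public ISO 7813 layouts but are deliberately broad.

```python
import re
from typing import Iterable

# Added example (not from the original case study): post-authorization SAD handling.
# purge_sad() strips Sensitive Authentication Data from a transaction record once
# authorization is complete; find_retained_sad() audits stored records for SAD that
# slipped through, including track data or verification codes inside free text.
# Field names, patterns and sample records are constructed for the demonstration.

SAD_FIELDS = {"cvv2", "cvc2", "cav2", "cid", "pin", "pin_block", "track1", "track2", "chip_data"}

# Track 2: PAN, "=" separator, YYMM expiry, 3-digit service code, discretionary data.
TRACK2_RE = re.compile(r";?\d{13,19}=\d{4}\d{3}\d*\??")
# Track 1: format code B, PAN, "^" name "^" YYMM expiry, service code, discretionary data.
TRACK1_RE = re.compile(r"%?B\d{13,19}\^[^^]{2,26}\^\d{4}\d{3}[^?]*\??")
# Card verification codes typed into notes or logs ("cvv: 123", "CVC2=4567").
CVV_TEXT_RE = re.compile(r"\b(?:cvv2?|cvc2?|cid|cav2)\b\s*[:=]\s*\d{3,4}", re.IGNORECASE)


def purge_sad(record: dict, authorized: bool) -> dict:
    """Return the record as it may be stored once `authorized` is True.
    SAD is removed, not masked or encrypted: Requirement 3.3.1 forbids retaining it
    after authorization in any form. Before authorization the record is returned
    unchanged, since SAD may be held transiently while the authorization is in flight."""
    if not authorized:
        return dict(record)
    cleaned = {}
    for key, value in record.items():
        if key.lower() in SAD_FIELDS:
            continue                                   # drop the field entirely
        if isinstance(value, str):                     # scrub SAD that leaked into text
            for pattern in (TRACK1_RE, TRACK2_RE, CVV_TEXT_RE):
                value = pattern.sub("[SAD REMOVED]", value)
        cleaned[key] = value
    return cleaned


def find_retained_sad(records: Iterable[dict]) -> list[tuple[str, str, str]]:
    """Audit stored records; returns (record id, field, reason) for every SAD hit."""
    findings = []
    for rec in records:
        rid = str(rec.get("txn_id", "?"))
        for key, value in rec.items():
            if key.lower() in SAD_FIELDS and value not in (None, ""):
                findings.append((rid, key, "SAD field populated"))
            elif isinstance(value, str):
                if TRACK1_RE.search(value) or TRACK2_RE.search(value):
                    findings.append((rid, key, "track data in text"))
                elif CVV_TEXT_RE.search(value):
                    findings.append((rid, key, "card verification code in text"))
    return findings


# Constructed sample data; the PAN is syntactically valid but not a real account.
AUTH_REQUEST = {
    "txn_id": "T1001",
    "pan": "4532015112830366",
    "expiry": "2512",
    "cvv2": "123",
    "track2": ";4532015112830366=25121011234567890?",
    "amount": "42.00",
    # a gateway response echoed into the record, carrying track 1 data in free text
    "gateway_log": "auth ok; raw=%B4532015112830366^DOE/JANE^25121011234?",
}

STORED_RECORDS = [
    purge_sad(AUTH_REQUEST, authorized=True),          # went through the purge step
    {                                                  # written to the database without it
        "txn_id": "T1002", "pan": "4532015112830366", "amount": "9.99",
        "pin_block": "0412AC89BEEF0123",
        "notes": "customer read out cvv: 981 on the phone",
    },
]

if __name__ == "__main__":
    for finding in find_retained_sad(STORED_RECORDS):
        print(finding)
```

Running the audit over `STORED_RECORDS` flags only the second record, once for the populated PIN block and once for the verification code in the notes field; the purged record passes clean, with its PAN intact (the PAN is account data, not SAD, and may be stored once rendered unreadable) and the track data in the gateway log replaced.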

We have provided a detailed roadmap for each use case in scope with a tactical and strategic approach, which will help the client achieve their desired state to be compliant with PCI DSS. 

Impact  

Our detailed findings and recommendations gave our client a clear picture of their security gaps. We also provided a solid remediation plan to address them. As a result, the organization strengthened its overall security posture, better protected sensitive cardholder data, and ultimately achieved PCI DSS 4.0 compliance. 

We identified and helped them fix critical vulnerabilities in their cryptographic environment, such as outdated encryption protocols and insecure data storage practices. With stronger encryption methods like TLS 1.2 or higher, tokenization, and improved hashing techniques, they drastically enhanced the security of sensitive cardholder data, both at rest and in transit. 

Our remediation plan helped them to align their security practices with the latest PCI DSS 4.0 standards and ensured compliance. This alignment also mitigated the risk of penalties and data breaches that could arise from non-compliance. 

As a result of our efforts, the organization adopted more secure data handling methods, such as tokenization and encryption, which reduced the chances of data breaches by 58%. These upgrades also lowered their exposure to common attack vectors like brute-force and man-in-the-middle attacks. 

Evaluating third-party vendor security practices allowed them to manage their relationships with external service providers more effectively. On our advice, they also performed regular risk assessments and security audits and ensured adherence to PCI DSS requirements through contractual agreements and continuous monitoring. This minimized the potential security risks arising from non-compliant vendors, ensuring greater protection for their data and operations. 

With automated processes in place to handle secure data deletion and account lockouts, our client reduced the need for manual intervention, thus improving operational efficiency. Regular security audits and compliance checks created a streamlined process for maintaining compliance over time.  

By ensuring compliance with PCI DSS 4.0 and addressing key security gaps, the bank reinforced its commitment to protecting customer data. This helped them to strengthen trust among customers, which is a key factor for retaining and attracting new clients. 

In the end, our assessment empowered our client to mitigate risks, ensure compliance, and enhance its security framework, ultimately providing a safer environment for both the bank and its customers.

Conclusion 

In an era where trust is the backbone of financial services, our PCI DSS compliance assessment was crucial in strengthening this financial institution’s security framework. By identifying and addressing key vulnerabilities, we provided our client with a practical and actionable remediation plan that helped them to align with the latest PCI DSS 4.0 standards.  

Our comprehensive recommendations, ranging from enhanced password policies to tokenization of sensitive data, have empowered the bank to safeguard cardholder information more effectively. This partnership ensured regulatory compliance and laid the foundation for a secure, future-ready infrastructure. As the bank continues to evolve, it is now better equipped to comply with PCI DSS standard requirements, all while maintaining the trust of its customers.  

At Encryption Consulting, we aim to help organizations boost their security, meet compliance standards, and gain customer trust. Our goal is to assist companies to enhance their defenses and earn the confidence of their customers in this complex world.  


About the Author


Himani Joshi is a cybersecurity intern at Encryption Consulting, where she works with the Encryption Advisory team. She possesses a foundational understanding of Hardware Security Modules (HSMs) and Public Key Infrastructure (PKI) and is actively enhancing her expertise in these critical areas. She is also dedicated to researching and learning about cybersecurity standards, frameworks, and regulations to strengthen her understanding of best encryption and security practices. In addition to her research, she is contributing to the development of both the frontend and backend of the SSH Key Manager, a comprehensive solution that helps manage SSH keys by generating, discovering, rotating, monitoring, and auditing all SSH key-related activities.
