The challenge
There aren’t many jobs where your prospective employer checks you’re not on the FBI’s most wanted list before employing you. Yet this is exactly what Polestar Applied Solutions, the direct and transactional mail division of Polestar UK Print, does for everyone it takes on.
In fact this is just one of the highly stringent measures the company takes to protect its customers’ data. Banks make up a large proportion of the company’s customer-base, and the firm deals with large amounts of customer credit card data.
For this the information security standard ISO 27001 is a must. But the firm decided, four years ago, to go one step further and become Payment Card Industry Data Security Standard (PCI DSS) accredited. This, as compliance manager Vincent Wrenn explains, is no mean feat.
The method
“ISO 27001 is a company-wide, industry-recognised information and security standard. PCI DSS is more specific, and is concerned with the protection of cardholder (payment card) data. Therefore there are specific and stringent requirements of this standard,” he says.
A good example of that is Polestar’s approach to CCTV recording. “Some standards or customers may require you to have CCTV. However, PCI DSS can be more specific, and in this case is, so we are required to have CCTV and keep footage for a minimum of 90 days,” says Wrenn.
Other physical security procedures in place include eight-foot-high perimeter fences, swipe cards, zones where only certain personnel can gain access, and visitors all signing confidentiality agreements.
“Mobile devices are just not allowed in secure areas. No devices that you can copy information onto, like USB hard drives are allowed onsite,” reports Geoff Mordt, managing director at Polestar Applied Solutions. He adds that employee spot checks are carried out to ensure no one flaunts this rule.
“You couldn’t bring a USB stick in and plug it into our system, it would be rejected. If you bring in a non-company phone and plug it into your system you wouldn’t be able to copy information to or from it, even company mobiles can only sync contacts,” adds Rhys Burkitt, the company’s IT systems administrator.
Then of course it’s the arguably even trickier process of ensuring not just physical but logical, or rather electronic, data security.
The most important thing, says Mordt, is that Polestar’s PCI environment isn’t internet facing. “All PCI DSS customer data is over point-to-point connections direct with customers, and the same to our secure remote data centres. One is a live current working data centre and that is connected via a hardline to the production environment. And there’s another data centre, connected in the same manner – used for business continuity and disaster recovery.”
Then it’s a case of ensuring that all software licences are up to date. “All software is in date and fully supported. Software support is essential so you can receive patches, and keep the systems secure from known vulnerabilities,” explains Wrenn.
“We work with the software and hardware vendors to ensure we’re notified as soon as patches become available. Once they are available, we test them immediately and put them in live as soon as possible.”
The company runs regular tests itself to check for vulnerabilities. “We do internal vulnerability scans once a quarter,” reports Wrenn, adding: “Rhys and other people in the department go on regular security-related training. For instance, Rhys has been on an ethical hacking course, in order to better enable him to improve the protection of our own systems.”
Of course not all employees are sent on quite as intensive training, but the recruitment and training process is still extremely rigorous. “There’s a global sanctions test,” reports Wrenn.
Unfortunately this does mean that the business has on occasion had to let people go. “We term it ‘zero tolerance’ to anyone stepping out of line when it comes to security,” says Mordt. “Unfortunately, sometimes only when people see that kind of reaction from managers do they realise how important this is.”
All of these strict adherences have, of course, to be proved come audit time. The company is audited for five days every December by an external auditor with PCI DSS Qualified Security Assessor (QSA) accreditation and there are 12 different sections Polestar needs to score 100% on. “I think there are around 300-400 different things you need to show evidence of for the PCI DSS QSA’s to be able to do the full five-day audit,” says Wrenn. “After the last audit we got a 222-page report explaining all the evidence we’d given and how each of those levels were passed and compliant.”
This of course gives a clear indication of how rigorous a process this audit is. “Take the screening process, for example,” says Wrenn. “So the auditor would ask ‘Do you have a process in place?’, and we say ‘Yes, we have a process in place, here are the details’. I would then show him our employee screening process, which we have written down. He might then ask ‘Have you taken on any new staff this year? Okay, what did you do with your new staff?’ and we’d say ‘x’ and ‘y’.
“All areas require evidence which is either documented, obtained from observation or interview. If something is not in place at this point, you fail the audit.”
Wrenn adds that this process also involves the auditor interviewing employees and testing them on their knowledge of security procedures. And on the cyber-security front, the company must submit to an external quarterly software penetration scan to by an Approved Scanning Vendor (ASV) achieve accreditation.
The result
The result for Polestar Applied Solutions is production and data processing environments that have card data security at their very hearts.
Mordt explains that this isn’t the kind of accreditation you can just prep for furiously directly before the annual audit.
“You need to be able to demonstrate all disciplines are maintained on a daily basis, because you need to provide evidence that the way you run your business over the year between the audit periods, meets the standard required,” says Mordt.
The real challenge, then, is ensuring such a stringent ethos permeates all processes at all times, no matter whether the job being processed is sensitive or not.
“Some of our customers demand this, some don’t, but you cannot run a manufacturing plant with two different business mentalities,” says Mordt. “You can’t say ‘Here comes a regulatory job, let’s apply the revised PCI discipline. Here comes a direct mail job so let’s apply the old procedures’.”
And actually, the fact the division is one of only a few suppliers that are PCI DSS accredited is attractive even to those clients who don’t necessarily need it, making the hundreds of thousands of pounds it cost the company to overhaul its processes four years ago, and the tens of thousands of pounds it costs to maintain and pay for the audit and quarterly penetration tests each year, well worth it.
“Even where we’re doing work for customers where we’re not managing credit card data, the knowledge we are PCI DSS accredited gives clients great peace of mind,” says Mordt, adding that the fact Polestar has the QSA-approved and audited version of the PCI DSS rather than the self-audited version also available, makes the accreditation particularly attractive to customers.
The company is in a good position, then. It has boosted the number of transactional, financial mailing customers on its roster, so that today business is split nicely between this type of client and direct mail customers, with turnover boosted to where it stands, at £20m, now.
But none of this has been without extremely hard work. Mordt says: “If you’re not prepared for a total cultural change within your business and to invest, then it won’t come your way. So it comes with a price tag and it comes with a serious cultural change for your business.”
VITAL STATISTICS: Polestar Applied Solutions
Location Nottingham and Dunstable
Inspection hosts Managing director Geoff Mordt, compliance manager Vincent Wrenn and IT systems administrator Rhys Burkitt
Size Turnover: £20m (Polestar Group turnover: £250m)
Established Polestar Applied Solutions was set up in 2000. Polestar Group also comprises Polestar Bicester, Chantry, Colchester, Petty, Sheffield, Stones and Wheatons, producing a wide range of products, including magazines, brochures, directories, catalogues, posters, calendars, annual reports, invitations and tickets, across the group
Products Transactional mailing including white paper solution mailings, direct mail, transpromo mailing, hybrid mail, e-billing, and other cross-media communications
Kit Canon JetStream 2200, Canon ColorStream, four Canon VarioStream 8650, Canon VarioStream 9000, two Canon VarioPrint 5160s, Xerox iGen 3, Riso ComColor 9510, two Pitney Bowes MPS 26s, two Pitney Bowes MSEs, CMC 9000 Inserter, four CMC 400 inserting lines, four CMC 250 inserting lines, two Buhrs BB300 inserting lines, two Tecnau Dynamic Perforators
Inspection focus Achieving and maintaining the Payment Card Industry Data Security Standard
TOP TIPS
To be successful, the PCI DSS accreditation must permeate all aspects of the business, even when non-sensitive data is being handled. “What it’s done to the business, is that all of the procedures have had to change. That was actually a challenge; it has taken some time to drill all the way down to everyone in the business. You just have to run on one discipline,” says managing director Geoff Mordt.
Be prepared to invest. Polestar estimates it spent hundreds of thousands of pounds in the initial overhaul of its procedures. The audit itself costs £10,000-£15,000 (£20,000 once quarterly software penetration tests are factored in).
Realise that an independently audited PCI DSS is about hitting standards to the letter, every time “There is a requirement that you get 100% pass or nothing – you can’t get 99%,” says IT systems administrator Rhys Burkitt, adding: “We’ve had a penetration tester come in before and he found what’s called a ‘zero-day vulnerability’, meaning it’s brand new, no one knows about it. So this is how good these guys are. They’re not looking off a list and going through pre-defined scans.”
Keep very abreast of new potential cyber threats. “People like Rhys are linked into various forums and information centres that will send him alerts about things happening out there in the cyber world,” reports compliance manager Vincent Wrenn.
Ensure all staff are aware of just how important strict security procedures are through a rigorous recruitment process, regular, thorough training, and letting go anyone who won’t, or can’t, adhere 100%.