How Anedot Found the Guidance They Need for PCI
Anedot’s Director of Engineering, Ryan Kuenneke, shares his experience doing a PCI v4.0 assessment and how it contrasts with doing v3.2.1 in the past.
“Everybody at SecurityMetrics responds very quickly when you have a question. There’s always an ongoing dialogue between teams, even in evidence collection, which makes everything easier.”
Ryan Kuenneke
Director of Engineering, Anedot
“I’ve been with Anedot for 3.5 years and am currently the Director of Engineering. I’ve also worked on the Risk Committee, managed data, and performed many of the duties of a Data Officer.”
“This is our third year. We started on PCI version 3.2.1, and then we moved into version 4.0 over the last two years.”
“When I first heard about version 4.0, I knew very little about it. I researched the top ten changes, and that was about it. When it launched, there was a lot of ambiguity about some of the controls’ requirements. I’d definitely say SecurityMetrics helped me prepare for those changes and answered questions about some of the more specific changes.”
“Our environment was already scoped for working on the payment card side of processing. So it was pretty easy to just keep the 3.2.1 certification. But, we were anxious to ensure we were leading the industry as far as making sure our compliance was in order. So, we went ahead and did a version 4.0 certification instead.”
“I don’t think it was much harder, and I have to equate that with SecurityMetrics helping us out with version 4.0. I believe we were one of the first 4.0 assessments your team did. Our team and your team were on top of communicating things that were changing and how requirements were unfolding. We got instructions on things that had to be approved and what evidence was needed. The PCI DSS certification process starts months before your actual assessment, so we had a good conversation going and we set expectations for audit timing.”
“There were additional things we had to do leading up to it, like targeted risk assessments. There weren’t template documents on which specific requirements had to be assessed because targeted risk assessments are pretty specific to an environment. So, I talked in great detail to your audit team to find out what kind of recommendations they had for us.”
“SecurityMetrics uses Suralink to collect evidence. Due to our history with SecurityMetrics, we could look back at past years’ assessments and different requirements and what had changed. The evidence we supplied dramatically changed year by year. Being able to look at the requirements numbered out and seeing what we’d provided previously and what new things we needed to do was helpful. We identified thirty new line items this year compared to last year that we needed to complete. This made evidence collection easier for me, as I could quantify what changes we needed to adhere to. SecurityMetrics also puts the requirement due date on items, which helped us organize changes from a project management perspective.”
“Absolutely, and I already have. Everybody at SecurityMetrics responds very quickly when you have a question. There’s always an ongoing dialogue between teams, even in evidence collection, which makes everything easier.”