CHALLENGE In 2014, Excentus began working closely with major card brands to integrate card-linked offers into their Fuel Rewards® loyalty program. As a requirement of this initiative, Excentus needed to implement PCI DSS, including controls for storing card data. While Excentus was familiar with PCI DSS requirements, implementing them across the organization in a relatively short timeframe would be a challenge. Knowing that time was of the essence and implementation errors would be costly and timeconsuming, the organization sought an experienced partner for help understanding the rigors of the standard and achieving compliance in a timely manner. “Working with Coalfire allowed us to quickly understand and navigate the complex PCI DSS requirements and implement secure solutions that met our business and compliance objectives,” stated Randy Braatz, director of information security, Excentus. Specifically, securely storing card data locally proved to be more challenging and expensive than anticipated. With Coalfire’s guidance, Excentus decided against local storage in favor of a Tokenization-as-a-Service (TaaS) solution, which significantly reduced scope, risk, and implementation effort. “Our prior experience with Coalfire, combined with their ample experience and large presence in the C-store space, was a significant factor in choosing them to guide us through our organization-wide PCI DSS implementation,” said Braatz. “Coalfire serves as an extension of our audit and compliance team. Anytime we need further clarification of a security control requirement or third-party input on a proposed technology or solution, we know we can reach out to Coalfire and get a timely response” RANDY BRAATZ, DIRECTOR OF INFORMATION SECURITY, EXCENTUS APPROACH Coalfire began by leveraging CoalfireOnesm – a powerful web-based collaboration tool – and deep technical expertise to assist Excentus in gaining a clear understanding of the PCI DSS requirements and path toward compliance. Excentus relied heavily on CoalfireOne and Coalfire’s honed methodology to deliver PCI DSS Reports on Compliance (ROCs) for the last several years. Coalfire assembled a strong technical team of Qualified Security Assessors (QSAs) with broad experience across multiple retail system and transaction-gathering environments, and a Coalfire project manager devised a highly organized approach to maintain a steady, responsive stream of communication over the course of the relationship. With the right team in place, and a solid cadence of communication established between Coalfire and Excentus, a block of advisory hours was used by the organization to lay the groundwork for the PCI engagement. To determine specific needs, Coalfire provided advisory services and performed a design review of the organization’s systems configuration. The Coalfire team worked with Excentus to advise on technical and process changes required to implement PCI compliance across the organization. “With Coalfire’s help, we developed corporate security policies and security awareness training programs, in addition to implementing the technical controls PCI DSS required,” said Braatz. After completing the initial ROC, an open line of communication provided the organization with ongoing technical advice on their changing environment. The proactive approach to monitoring and maintaining PCI compliance during the relationship resulted in a strong partnership that recognizes the need for process changes at the organization and the importance of remaining PCI compliant. RESULTS “As a result of Coalfire’s guidance, Excentus reduced the scope, risk, and expenses related to card data storage and achieved PCI DSS compliance in a timely manner, saving millions of dollars and supporting the launch of the Fuel Rewards program for card-linked offers,” explained Braatz.