Fast-tracking compliance: How CellPoint Digital achieved PCI-DSS compliance and aced certification audit with Sprinto
CellPoint Digital is a payment orchestration platform built to lower costs, boost revenue, and unlock the true potential of payments to drive profitability. CellPoint enables intelligent routing and dynamic reports and analytics to help organizations transform payments. As a leader in this sector, CellPoint treats security compliance as a crucial pillar.
Key requirements
A compliance solution that would not only fast-track PCI-DSS audit readiness but also enhance visibility into infrastructure and compliance processes, automate infosec tasks, and bring structure to the compliance function.
Sprinto solution
- Comprehensive, expert-guided PCI-DSS program implementation supported by automation-led control testing and evidence collection over the Sprinto platform.
- Granular compliance tracking over a centralized dashboard with real-time reporting.
- Common control framework for compliance program mapping and scaling.
Framework: PCI-DSS
Location: Denmark
- 95% improvement in compliance reporting
- 7000+ daily checks running
- >65% improvement in audit processes
The Challenge – Bringing structure, efficiency, and transparency to compliance
After starting on security compliance at CellPoint, it was clear to Thomas Thomsen, the primary security architect, that internal processes needed a revamp.
Thomas observes, “For the past three years we were using an auditor who was helping us with the evidence gathering. But I realized quickly that their methods were not meeting our standards.”
Since CellPoint handles critical payment data, PCI-DSS is a crucial framework for ensuring security and privacy benchmarks as well as demonstrating CellPoint’s security posture to clients.
Among the biggest challenges with PCI is grouping and tracking controls continuously to ensure compliance at all times. Streamlined tracking and evidence collection were a big part of the PCI agenda for CellPoint, leading the organization to consider automation-enabled compliance.
For this, CellPoint moved to a well-known PCI-DSS compliance management partner. Despite deploying the partner's agent to integrate CellPoint's systems and collect evidence, Thomas shouldered the burden of uploading nearly 95% of it himself. “Data collection felt lacking, and the platform was difficult to navigate,” he added.
Inflexible legacy systems and a cumbersome compliance process hindered CellPoint’s ability to streamline compliance, and Thomas and the CellPoint team wanted to change this.
“When you tie into a system, there are some costs and it quickly becomes difficult to change. We started looking at compliance platforms that give you the freedom to go about audits the way you want,” reflects Thomas.
Apart from flexibility, several other criteria guided Thomas’s evaluation of compliance platforms for CellPoint:
- Visibility: Since CellPoint is a large and spread-out organization, near real-time visibility on system configurations, security health, and processes was paramount to ensure compliance guidelines. Being able to track day-to-day compliance was key.
- Automation: For CellPoint, automation was key to streamlining workloads and bringing efficiency to compliance. “I’m always in favor of automating. Taking screenshots of this and that just seems like a waste of time, and once all this is done you have to start all over again for the next audit!” says Thomas.
- Scalability: CellPoint envisioned expanding their compliance coverage to SOC 1 and 2, ISO 27001, and GDPR, after completing PCI-DSS. Their ideal platform needed to support these future needs.
After evaluating Drata and Vanta, cost-effectiveness and platform integrity steered CellPoint towards Sprinto.
“Basically what we’re buying from Sprinto is a guarantee. Sprinto’s been used for so many audits already, so the platform’s knowledge is greater than our team combined. If we get, say, 95% compliant with Sprinto, we have validation that we’re in good shape.”
The Solution – Consolidated controls, accurate tracking, and sweeping compliance
Once CellPoint got Sprinto up and running they could immediately see the gaps in security infrastructure. “We identified weaknesses in device management, identity provisioning, and access controls almost right away,” says Thomas.
Joining forces with Thomas on PCI-DSS audit prep, Frederic Lauret, security architect and decades-long PCI practitioner, was immediately impressed by Sprinto’s impact.
Right off the bat, Frederic could see that Sprinto brought structure to compliance, enabling better visibility and helping ensure alignment with PCI-DSS recommendations. This newfound transparency empowered the team to swiftly address security gaps and configure systems for sweeping PCI-DSS compliance.
“I’ve been doing PCI certification for ten years and this is the first time I have something that groups all the information and also checks what should be done. I appreciate how the platform tells us what to do and where we’re sliding so that the certification process is always on track.”
Sprinto’s pre-built controls library worked in the background to tie systems, procedures, and policies to controls and produce a clear picture of compliance health on the dashboard. This enabled Frederic to bypass manual planning and focus efforts on tackling compliance gaps.
“We have a control summary on the dashboard, and we just have to go through that to fix things a little bit every day.”
With a wealth of experience operationalizing PCI-DSS, Frederic specifically wanted a solution to help maintain a state of compliance beyond audits. “People tend to believe that PCI compliance is just for the time of the certification, but it’s not. It’s ongoing and you need to be compliant throughout the year, not once in the year.”
Sprinto’s continuous compliance monitoring capabilities started running six to seven thousand daily checks on CellPoint’s various compliance controls. This real-time vigilance ensured they never veered from compliance.
“The metrics are reported at all times, and if something is sliding, we can see it. If you don’t have someone on board to do this manually, then this is where the tool can help, because you have a lot of things that you need to do over time: checking that your logs are okay, checking your users, and checking that all the components of your infrastructure are configured according to PCI requirements. All those things are automated on Sprinto,” Frederic explains.
Leveraging automation for precision, efficiency, and integrity
Sprinto’s automation helped CellPoint enforce PCI-DSS controls, consequently strengthening its compliance posture and improving precision.
Frederic elaborates, “Previously, under PCI-DSS, I only reported on 5-10% of the infrastructure. Now with Sprinto, I can report everything, so our level of compliance is much more comprehensive and precise. It’s not just a daily check on a small subset, but everything, every day. It’s so much more satisfying.”
The CellPoint security team noticed two crucial benefits as a result of implementing compliance automation.
- Reduced scope of work: Sprinto minimized infosec housekeeping, freeing the team to pursue larger security goals.
“We have more margin to operate now that everything’s under control. If we notice vulnerabilities in our processes or if we have to validate some crucial evidence, we have the opportunity to actually consider that matter,” says Frederic.
- Increased integrity and trustworthiness: Automation streamlined control testing and evidence collection in particular, improving compliance throughput overall.
Thomas explains, “Of course, you can maybe take a screenshot yourself or do some sampling here and there, but you won’t have that overview, and you might miss things. When you need to count on yourself the amount of effort is much higher, so from my point of view Sprinto is actually much more compliant and much better than you would be able to do yourself.”
Having secured its infrastructure and processes according to PCI-DSS guidelines, and with Sprinto automatically collecting the evidence to demonstrate it, CellPoint felt confident entering its PCI-DSS pre-audit.
“If anybody asks me what I did for the company, I’ll point to the Sprinto dashboard and say, this is it. I can demonstrate that we were at 25% readiness before Sprinto, and now we are looking at upwards of 90%: it’s so much better.”
The Result – Organized, collaborative, and automated compliance
CellPoint Digital is a PCI-DSS Level 1 service provider and undergoes a PCI audit by a QSA (Qualified Security Assessor) once a year.
For its audit with Sprinto, CellPoint utilized Sprinto’s audit dashboard to create an audit instance and share granular, control-linked evidence with their QSA. They could collaborate on-platform, fielding precise evidence requests to systematize the audit process.
Sprinto’s hands-on support both pre and post-audit played a crucial role in helping CellPoint clear their PCI-DSS audit.
Thomas explains, “Sprinto’s guidance was extremely helpful in pushing us to be better during the entire certification process. When you’re strapped for resources, you can’t put a lot of people on a problem, so Sprinto’s support was something we capitalized on. It’s one of the most valuable parts of the tool.”
Large-scale compliance automation at CellPoint has now fostered a cultural shift towards greater ownership and collaboration.
Assigning risk and control owners on Sprinto ensures accountability; Sprinto’s automated notifications keep compliance on track; and Sprinto’s dashboard enhances overall visibility, so everyone involved in compliance can see how well the organization is doing and where to put in additional effort.
“When you have automation, things are easier: it’s easy to delegate and collaborate. In general, I think we’re getting more organized,” remarks Thomas.
The biggest needle-mover for CellPoint, however, was Sprinto’s continuous monitoring.
Thomas elaborates, “Earlier you spent three months taking screenshots of everything. After that, you get your certification, and then everybody goes off to do something else. Now we’re working on it continuously and keeping compliance under control. If we didn’t have Sprinto that would be impossible.”
Empowered by Sprinto’s continuous compliance monitoring, which maintains CellPoint’s controls in the green, the team is confident in taking on SOC 2 and SOC 1 audits next and expediting their next PCI-DSS audit.
“If we had to do these compliances the old-fashioned way, it wouldn’t be possible. I also believe we will be ready for the PCI certification audit in one week compared to several months last year. I believe we can do it!” exclaims Thomas.
CellPoint Digital has successfully brought structure, visibility, and automation to its compliance function, resulting in stronger security guardrails, enhanced collaboration, and significant reductions in effort. However, the team isn’t resting on its laurels, and is looking to keep improving as they take on new challenges and frameworks.
“I would say our organization is much more efficient now when it comes to compliance, even if it’s not perfect. We are getting better in steps, and that’s a win for us.”