Securing business data

Nationwide UK retailer

Building a secure foundation in a practical and pragmatic way. How one of the UK’s biggest retailers achieved PCI compliance and saved £3million with CNS Group.

Small-UK Nationwide Retailer


The finance team at one of the UK’s largest retailers, was tasked with making the company PCI compliant in order to meet requirements set out by the banks. Backed by the board, the retailers instated a PCI Programme Manager-the aim- to achieve the highest standards of security in order to protect the data of their thousands of consumers, making millions of card transactions daily to buy their goods. The business wanted to take a pragmatic approach to the project, making sure it worked across the multiple physical and digital sites they run.

UK Nationwide retailer - building


Client Overview

The large retail plc operates thousands of outlets and has tens of thousands of employees. With its extensive portfolio of products and lines, the company is structured around several divisions with over 20 businesses.

Although there is no distinctive ROI on the instatement of PCI, the most important thing for the retailer when considering compliance, was to ensure they were meeting the highest security standards when dealing with cardholder data across their networks and sites. The company also wanted to negate any risk of fines for non-compliance, as well as avoiding the compromise of client data and ultimately the irreversible reputational damage that results from breaches. 

‘The benefits of PCI compliance are all about de-risking the environment from a potential hack of card holder data.’

PCI DSS Programme Manager 


The Challenge

The UK based retailers needed to obtain PCI compliance across the entire group and its multiple digital assets. Having initially begun this process with another company, things had become very complex and the retailers were not able to see an end in sight to achieving PCI compliance. The project was becoming over bloated and lacked defined boundaries. At this point, the company’s PCI DSS Programme Manager recommended that they engage with CNS Group, having had experience of working with CNS in a previous role. The project lead in conjunction with the board reviewed their existing QSA, weighting them against CNS, and collectively made the decision to continue their journey to PCI Compliance with CNS Group.

‘I find CNS to be pragmatic and accommodating, using history and experience to provide guidance on the best solution, as opposed to being rigid and black & white in their approach’

PCI DSS Programme Manager

There were a number of challenges along the way, however, one of the major ones was around scope. When it came to call recording, and taking calls the retailers needed to understand what was in scope and out of scope. One part of this involved addressing business process regarding call recording. The other challenge was one of technical scope, around monitoring and logging details and where the boundaries lay with this. 

CNS has created a new anti-phishing 24/7 service to respond to Metro Bank’s aim. Rather than putting an automated, but ineffective, process in place, 

The project needed to:

  • Take into consideration the scope of the business
  • Redefine the payment strategy
  • Set boundaries for logging and monitoring of calls and payment pages
  • Meet Payment Card Industry Security Standards Council standard
  • Deliver the highest levels of security for card holders.
UK Nationwide retailer - building2


The Solution

The project was complex in scope as well as delivery. To meet the stringent PCI compliance standards, The CNS Lead QSA conducted an initial gap analysis to fully understand the retailer’s assets and their current security standing. This initial analysis enabled CNS to scope the project effectively, understanding where the boundaries needed to be set in order to get the client to full compliance across their all of their branches and multiple websites & domains. 

‘One of the biggest challenges when it comes to PCI compliance is the vagueness of the standard, so one example would be the piece around monitoring and logging, it’s something that can be open to interpretation. It’s the interpretation of those standards that CNS were able to help us with, in order to deliver the right solution

PCI DSS Programme Manager 

Once this had been defined by CNS, the retailer was able to put together a roadmap and practical plan - overseen by CNS -which could effectively be implemented.

CNS Group's QSA provided guidance on a solution that:

  •  Redefined the payment strategy ensuring the retailer no longer took payments and posted them directly to the bank. This was achieved by using iFrame and or redirects to increase layers of security and meet with outlined standards
  • Maintained the security of systems and applications. This included discovering newly identified security vulnerabilities via alert systems. As well as monitoring and updating systems to accommodate any security vulnerabilities.
  • Introduced policy that addressed information security. Policy included all acceptable uses of technology, reviews and annual processes for risk analysis, operational security procedures, and other general administrative tasks.
  • Outlined how card data being received over the phone should be recorded, this meant introducing measures for suppression as opposed to encryption
  • Changes to business process and technology ensured the retailer’s governance framework mapped to PCI requirements.

This included authoring and re-writing policies and procedures and introducing technologies to ensure the reflection of PCI requirements, such as:

  • Ensuring secure networks including comprehensive firewall configuration to protect cardholder data
  • Negating the use of vendor-supplied defaults for system passwords
  • Ensuring protection of stored cardholder data
  • Ensuring encryption transmission of cardholder data across open, public networks
  • Confirming regular updates anti-virus software or programs were in place
  • Ensuring that maintenance of secure systems and applications was in place
  • Restricting access to cardholder data by business need-to-know
  • Making sure unique IDs were assigned to each person with computer access
  • Restricting physical access to cardholder data
  • Ensuring tracking and monitoring of all access to network resources and cardholder
  • Maintaining a policy that addresses information security for employees and contractors


Key Business Benefits

The retailers were able to meet the requirements of PCI compliance across all of their sites and multiple digital assets with the help of dedicated QSA partners, CNS Group. 

As a result of engaging with CNS Group to implement their PCI Compliance, over the initial company chosen, the retailer saved £3 million.

‘That’s why getting the scope right is key! CNS coming in with their expertise and providing guidance on the scope meant that in the end we paid half of what was initially outlined, cutting the initial project cost buy up to 50%.'

PCI DSS Programme Manager 

The benefit of achieving compliance for the company has also meant de-risking their entire environment from a potential hack of card holder data. The retailer’s environment is now compliant and the risk of breach of card holder data is hugely diminished. 

Achieving PCI Compliance proves that this industry leading retailer has done everything they can to ensure the safety and security of their customers' payment card data, mitigating much of the risk of potential vulnerabilities, reputational damage, brand damage and loss of customer confidence.

PCI DSS compliance also provides an advantage in the maintenance of customer relationships. By complying with the standards of the PCI framework, the retailers have demonstrated the high value they place on security, enabling their customers to entirely trust them with their personal payment card information. This improvement in customer relationships can often translate into a positive impact on profits.

With the support of CNS, one of Britain’s biggest retailers was able to successfully achieve their goal of full PCI compliance on time and under budget. 



Book your free consultation

If you would like to speak to one of experts about PCI or any other cyber security related services, please get in contact by filling out the form or calling us on 020 7592 8800

Please Contact me via

call us

Get in touch

Talk to our experts today +44 (0) 20 7592 8800

Send us a message

We'll get back to you Send us a message

Connect with us

See what we're saying elsewhere