Location: EMEA

Organization Type: Private

Employees: 5,001-10,000

Needs And Requirements:

The client required a comprehensive PCI DSS gap analysis to assess the current state of its payment data security controls against the latest version of the PCI DSS standard. With expanding digital infrastructure and an increasing volume of transactions processed through ticketing systems and third-party service integrations, the organization needed to identify control deficiencies and develop a prioritized roadmap for full compliance. Additionally, there was a broader mandate to enhance governance and risk visibility across IT and operational environments, aligning security efforts with both regulatory obligations and internal risk management frameworks.

Main Challenges:

Legacy Systems and Infrastructure Constraints: Existing OT and IT systems were not originally designed with PCI DSS compliance in mind, creating technical and procedural gaps in network segmentation, access controls, and data retention.

Decentralized Payment Environments: Payment processes were fragmented across multiple business units and third-party vendors, making it difficult to apply consistent PCI DSS controls.

Limited Internal Compliance Expertise: The organization lacked in-house specialists with deep familiarity with interpreting and implementing PCI DSS, leading to uncertainty around scope, applicability, and control maturity.

Solution:

Governance, Risk & Compliance (GRC): To address the client’s compliance and risk visibility needs, Hitachi Cyber conducted a targeted PCI DSS Level 2 merchant assessment and accompanying gap analysis focused on the client’s digital ticketing ecosystem. All assessment activities were performed remotely, including structured interviews with key stakeholders from both the client’s headquarters and external e-commerce and platform development partners.

The assessment concentrated on the client’s eCommerce website and partner API, with a particular focus on the 360 Pass system, developed by a third-party vendor. As part of the solution, Hitachi Cyber conducted an in-depth review of tokenization practices—including token storage, associations, and related workflows—to confirm that no sensitive account data was being stored, processed, or transmitted within the client’s environment. Card-present and MOTO (Mail Order/Telephone Order) channels were confirmed as not applicable to the scope.

In parallel, Hitachi Cyber performed an independent review of the application developed by Global Logic to validate security posture and PCI DSS alignment. A control matrix based on PCI DSS v4.0 was completed to map current controls against standard requirements. This was followed by the creation of a detailed draft Gap Assessment Report, highlighting areas of non-compliance and offering tailored remediation recommendations. The engagement concluded with the delivery and presentation of a final PCI DSS Gap Assessment Report specific to the 360 Pass system, providing the client with a clear and actionable path forward to close any compliance gaps. Production implementation validation was excluded from the scope of this engagement.

Outcomes:

The engagement provided the client with a clear understanding of its PCI DSS compliance posture, particularly in relation to the 360 Pass system and associated eCommerce infrastructure. Through the independent analysis conducted by Hitachi Cyber, the client gained validation that no account data was being stored, processed, or transmitted within its systems—substantially reducing its compliance scope. The detailed Gap Assessment Report delivered actionable remediation guidance, enabling the organization to prioritize security improvements and move confidently toward full PCI DSS compliance. Additionally, the structured approach reinforced internal awareness of regulatory expectations and strengthened collaboration between the client and its third-party development partners.

Next Steps:

The client will initiate remediation planning based on the findings outlined in the final report, addressing any control gaps identified during the assessment. Key areas of focus will include documentation updates, refining API security practices, and enhancing governance around tokenization workflows. A follow-up readiness review will be scheduled to validate closure of critical gaps prior to any formal PCI DSS certification activity. Additionally, the organization plans to integrate periodic compliance monitoring and include PCI DSS controls within its broader GRC and vendor risk management processes to ensure ongoing alignment and accountability.