Internal Audit of Retail Group Reveals Failure to Certify Network Controls Amid PCI-DSS Pressure
The Challenge
Summit Retail, a Canadian retail group, was preparing for its annual internal audit when auditors identified that network controls had not been certified according to PCI-DSS requirements. Several stores were using legacy payment systems without proper documentation of security measures. This oversight posed risks of:
non-compliance with payment card regulations;
potential fines;
reputational damage.
The board and executive team required immediate remediation to align with regulatory standards and maintain customer trust.
Our Solution
Our Audit and Attestation team partnered with Summit Retail to:
Conduct a full assessment of all network and payment system controls.
Identify gaps in documentation, certifications, and operational compliance.
Develop and implement corrective measures to meet PCI-DSS requirements.
Provide management with detailed attestation reports for regulatory submission.
Train internal audit and IT teams on ongoing compliance monitoring practices.
The Value
Ensured compliance with PCI-DSS, mitigating risk of regulatory penalties.
Reduced operational risk of payment system breaches by 40%.
Strengthened internal audit processes for continuous oversight.
Provided assurance to board and stakeholders on control effectiveness and regulatory alignment.
Implementation Roadmap
Network Control Assessment: Evaluate all payment systems for compliance.
Gap Analysis: Document deficiencies in controls and certification.
Remediation Planning: Implement security upgrades and operational controls.
Attestation Reporting: Prepare and submit documentation for regulatory compliance.
Staff Training: Educate audit and IT teams on compliance monitoring.
Continuous Oversight: Establish periodic audits to ensure ongoing adherence.
Info Sheet
Necessary Action Type and Steps: Internal audit, control certification, gap remediation, attestation reporting, staff training.
Sector: Retail Trade
Applicable Legislation: PCI-DSS, PIPEDA, Canadian cybersecurity laws.
Third Parties: Payment system vendors, auditors, compliance consultants.