Case Study: Cashbuild’s Four-year PCI DSS Journey Success Thanks to its Partnership with Galix

The breach or theft of cardholder details can affect an entire payment card ecosystem. Customers suddenly lose trust in merchants or financial institutions, and those merchants and financial institutions in turn face numerous financial liabilities and lost credibility. This makes a solid case for Payment Card Industry Data Security Standard (PCI DSS) compliance, which plays a critical role in the long-term success of all merchants that process card payments.

Cashbuild, a leading retailer of building materials and associated products, partnered with Galix, an IT security standards specialist and PCI DSS Qualified Security Assessor, to assist with its PCI DSS compliance journey. The retailer decided four years ago to partner with Galix to meet its PCI DSS compliance obligations, a challenging process that presented numerous obstacles, but with teamwork and commitment the companies crossed the finish line.

Challenge and reward

Cashbuild employs almost 5 000 people and, as a retailer, sells directly to cash-paying customers through its over 300 (and growing) stores in South Africa and the Southern African Development Community (SADC) region, making it imperative to be PCI DSS compliant.

“We often find that PCI DSS compliance is a grudge purchase; however, this was certainly not the case with Cashbuild; they wanted to do it properly and not just tick boxes. It made sense to them not only from a security and compliance perspective but also differentiated their business,” explains Simeon Tassev, MD of Galix.

Says David Johnstone, senior manager, financial services at Cashbuild: “As a listed company, we had to get our PCI DSS journey underway as a matter of urgency. Our corporate bankers were also putting pressure on us to become compliant.

With over 300 stores in South Africa and the SADC region and 4500 staff members to train, we knew it would be a long and intensive process. Furthermore, we also had physical security gaps which were expensive to resolve, such as implementing cameras that met requirements in all our stores.”

“However, Tassev and his team worked tirelessly throughout the project and were extremely patient and supportive. They remained committed to us over the past four years and helped us overcome all the difficulties presented along the way,” he adds.

Hard work pays

Cashbuild, like many of its peers, had to deal with a number of legacy issues. Some of its stores featured dated technology infrastructure, which meant it had to be upgraded to include strong security measures such as end-to-end encryption.

Today, however, Cashbuild has sophisticated security in place in all its stores, safeguarding its customers’ valuable data throughout the entire payment lifecycle.

“As we continue to expand, we have ensured that our payment system remains compliant, and the requisite policies and controls are in place. This in turn guarantees that Cashbuild upholds a high standard of compliance and a truly professional service to our customers,” adds Johnstone.

Galix and Cashbuild now have a month-to-month agreement in place to ensure the retailer stays one step ahead of its compliance obligations. “Our monthly agreement ensures that when Cashbuild now goes through its yearly audit it readily meets the necessary requirements. PCI DSS has become part of its daily routine,” explains Tassev.

“Tassev and his team are the specialists. Without them holding our hands and continuing to support us, it would have been a fiasco. At Cashbuild, PCI DSS is implemented at the highest level, as our financial director is responsible for its compliance and ensures that we continuously maintain the standard’s requirements. It’s an ongoing process which we believe strengthens our business operations and our service to valuable customers throughout South Africa and the SADC region,” concludes Johnstone.