How does ServiceNow support PCI DSS compliance for financial institutions?

bigfissy
Kilo Sage

With banks required to meet PCI DSS compliance requirements and keep card transaction details in a local location, how is ServiceNow able to support this? BMC Discovery supports both local database storage of specific information and cloud, but SN mostly uses cloud.

With the new CSDM framework, does anyone know how ServiceNow supports financial institutions as regards "PCI DSS compliance requirements" if required to store card details in a local database or data center?

3 REPLIES

James Chun
Kilo Patron

Hi @bigfissy,

I don't have the answers to your questions but it seems like they should be directed to ServiceNow.

If you haven't already, I would recommend raising a Support case or getting in touch with your ServiceNow account executive.

There is a portal called ServiceNow CORE where you can find documents relating to regulations - https://noderegister.service-now.com/kb?id=kb_article_view&sysparm_article=KB0564067

Might be worth a visit as well.

Cheers

Geoff Lamb
Tera Contributor

Are you asking how you track PCI across business applications in the CSDM, or in SN itself?

The 'proper' place in the CSDM is in the Information Object aligned to the Business Application. But that does not quite work for us. We need to know at the Application Service instance - as that is where we track 'in country compliance' and also for non-prods that might have a short term risk exemption to hold PCI for testing. We then have a couple of custom fields at the Business Application level that auto populate based on App Services. 

dick linschoten
Giga Guru

Interesting to know if there is somewhere in the ServiceNow jungle a standard way to address and track this.
What we have done in the past in our previous CMDB, and copied into the ServiceNow CMDB, is add a list field on the CI table to address all compliance domains that can be valid for a Configuration Item, like pci_cat1, isae3201, etc.
It doesn't suffice to show how compliant you are against the regulation, but just identifies what items are in scope and should be tracked.
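The two patterns described in the replies above (a PCI flag tracked per Application Service instance that rolls up to the Business Application, with short-term risk exemptions for non-production, and a list field of compliance domains on the CI to mark what is in scope) can be modelled in plain JavaScript. The block below is an added example, not ServiceNow's own code nor anything posted in this thread; inside an instance the same logic would sit in a business rule or scheduled script over the Application Service and Business Application tables, and the field names u_compliance_domains, u_pci_exemption_until and u_pci_in_scope are hypothetical custom fields.

```javascript
// Added example (not ServiceNow code): models the CMDB patterns from the
// replies above so the roll-up logic can be run offline. Field names
// u_compliance_domains, u_pci_exemption_until and u_pci_in_scope are
// hypothetical custom fields; the records below are constructed sample data.
const appServices = [
  { name: 'cards-api-prod', businessApp: 'Cards Platform', environment: 'production',
    u_compliance_domains: 'pci_cat1,isae3201', u_pci_exemption_until: null },
  { name: 'cards-api-test', businessApp: 'Cards Platform', environment: 'test',
    u_compliance_domains: 'pci_cat1', u_pci_exemption_until: '2024-12-31' },
  { name: 'hr-portal-prod', businessApp: 'HR Portal', environment: 'production',
    u_compliance_domains: 'isae3201', u_pci_exemption_until: null },
  { name: 'hr-portal-dev', businessApp: 'HR Portal', environment: 'development',
    u_compliance_domains: '', u_pci_exemption_until: null },
];

// A list field is stored as a comma-separated string; normalise it into a Set
// of tags so lookups do not depend on ordering or stray whitespace.
function parseDomains(listField) {
  return new Set(String(listField || '').split(',').map(s => s.trim()).filter(Boolean));
}

// Scope query from the last reply: every service carrying a tag with the given
// prefix, e.g. 'pci_' matches pci_cat1, pci_cat2, ...
function inScopeFor(services, domainPrefix) {
  return services
    .filter(s => [...parseDomains(s.u_compliance_domains)].some(d => d.startsWith(domainPrefix)))
    .map(s => s.name);
}

// PCI status of one Application Service instance on a given ISO date:
//   'out_of_scope'    - no pci_* tag on the instance
//   'in_scope'        - production instance holding card data
//   'exempt'          - non-production instance covered by a risk exemption
//   'needs_exemption' - non-production instance holding card data with no
//                       exemption, or one that has expired; this is what to review
function pciStatus(service, today) {
  const holdsPci = [...parseDomains(service.u_compliance_domains)].some(d => d.startsWith('pci_'));
  if (!holdsPci) return 'out_of_scope';
  if (service.environment === 'production') return 'in_scope';
  const until = service.u_pci_exemption_until;           // 'YYYY-MM-DD' compares lexically
  return until && until >= today ? 'exempt' : 'needs_exemption';
}

// Roll-up from the second reply: the Business Application's u_pci_in_scope is
// true if any of its service instances holds card data, and needsExemption
// lists the non-production instances whose exemption is missing or expired.
function rollUpToBusinessApps(services, today) {
  const apps = {};
  for (const s of services) {
    const app = apps[s.businessApp] || (apps[s.businessApp] = { u_pci_in_scope: false, needsExemption: [] });
    const status = pciStatus(s, today);
    if (status !== 'out_of_scope') app.u_pci_in_scope = true;
    if (status === 'needs_exemption') app.needsExemption.push(s.name);
  }
  return apps;
}

// Stand-alone run with a constructed "today" on which the test exemption has lapsed.
console.log(inScopeFor(appServices, 'pci_'));
console.log(rollUpToBusinessApps(appServices, '2025-01-15'));
```

The roll-up deliberately keeps an expired exemption in scope rather than silently dropping it: a test instance that was allowed to hold card data for a fixed window is exactly the record an assessor will ask about once that window has closed, so it stays flagged until the exemption is renewed or the data is removed.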