PCI Security and Compliance

kathymorris
Tera Contributor

Hi all,

As a government agency, by law, we have a requirement to ensure that our data is secure for PCI Compliance.

PCI refers to the Payment Card Industry security standards and compliance framework to protect cardholder data and reduce fraud.

If we do not design the system properly, we can get audited and face serious penalties.
Other use case examples: network ID creation and domain access authentication using Active Directory, which are meant to ensure:

  • Restrict access to data by business need to know.
  • Identify and authenticate access to system components.

Today, we are using the Service Catalog to request Domain and Network IDs. The current build is not secure. I checked, and there are multiple areas of security leaks when a user makes a request via the Service Catalog.
This is one of the issues with ACLs. If our team misses certain entry points, then unauthorized users get access to confidential info through a backdoor.


What are some best methods to secure our PCI credit card info in ServiceNow? How are other people enforcing security? Are you using Service Catalog with ACLs?

We know about scoped applications, and this is currently being explored. Our organization is not at a point to purchase GRC or SecOps to secure vulnerabilities and security incident records (for VR/SIR).

Kindly advise,

Kathy
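The "missed entry point" concern above is the classic ACL gap: a record-level rule is written, but a field, an operation or a list view is left uncovered and defaults to allow. The following is an added example, not code from Kathy's post or from ServiceNow itself. It models the ServiceNow ACL naming pattern (`table.operation` and `table.field.operation`) as plain JavaScript so it runs offline: the `makeSession` stand-in for the server-side `gs` object, the table name `x_pci_request`, its fields, the role names and the sample record are all assumptions. Real ACLs live in `sys_security_acl` and fall back from a missing field rule to the `table.*` rule; this model deliberately denies instead, and adds a coverage check that lists every entry point with no explicit rule.

```javascript
// Added example (not from the thread or from ServiceNow): a deny-by-default
// access evaluator shaped like ServiceNow ACL condition scripts, plus a
// coverage check for uncovered (table, field, operation) entry points.
// Table name, field names, role names and the `gs` stand-in are assumptions.

const PCI_ROLE = 'x_pci.cardholder_data'; // hypothetical role
const APPROVER_ROLE = 'x_pci.approver';   // hypothetical role

// Constructed stand-in for the server-side `gs` session object.
function makeSession(userId, roles) {
  return {
    getUserID: () => userId,
    hasRole: (role) => roles.includes(role),
  };
}

// Rule bodies keyed the way ServiceNow names ACLs: table.op and table.field.op.
// Each must return true to allow; anything without a matching rule is denied.
const acl = {
  'x_pci_request.read': (gs, rec) =>
    rec.requested_for === gs.getUserID() || gs.hasRole(APPROVER_ROLE) || gs.hasRole(PCI_ROLE),
  'x_pci_request.write': (gs, rec) =>
    rec.state === 'draft' && rec.requested_for === gs.getUserID(),
  'x_pci_request.delete': (gs) => gs.hasRole(PCI_ROLE),
  // The PAN-bearing field needs the PCI role even for the record's own requester.
  'x_pci_request.card_number.read': (gs) => gs.hasRole(PCI_ROLE),
  // Never writable through the UI; assumed to be set only by a tokenization integration.
  'x_pci_request.card_number.write': () => false,
};

// Evaluate one access attempt. A missing table rule, or a missing field rule on
// this table, is a denial: on cardholder data, "no rule" must not mean "allow".
function evaluate(gs, rec, table, op, field) {
  const tableRule = acl[`${table}.${op}`];
  if (!tableRule || !tableRule(gs, rec)) return false;
  if (field === undefined) return true;
  const fieldRule = acl[`${table}.${field}.${op}`];
  return Boolean(fieldRule && fieldRule(gs, rec));
}

// List every table-level and field-level (op) combination with no explicit rule,
// so a missed entry point surfaces in review rather than in an audit finding.
function uncovered(table, fields, ops) {
  const missing = [];
  for (const op of ops) {
    if (!acl[`${table}.${op}`]) missing.push(`${table}.${op}`);
    for (const field of fields) {
      if (!acl[`${table}.${field}.${op}`]) missing.push(`${table}.${field}.${op}`);
    }
  }
  return missing;
}

// Constructed sample data.
const record = { sys_id: '1', requested_for: 'u_kathy', state: 'draft', card_number: '****' };
const requester = makeSession('u_kathy', []);
const pciAdmin = makeSession('u_admin', [PCI_ROLE]);

function demo() {
  return {
    requesterReadsOwnRecord: evaluate(requester, record, 'x_pci_request', 'read'),
    requesterReadsPan: evaluate(requester, record, 'x_pci_request', 'read', 'card_number'),
    adminReadsPan: evaluate(pciAdmin, record, 'x_pci_request', 'read', 'card_number'),
    gaps: uncovered('x_pci_request', ['card_number', 'requested_for', 'justification'], ['read', 'write']),
  };
}
```

Running `demo()` shows the requester can read their own record but not the card number field, the PCI role can read it, and the coverage check reports four uncovered field-level entry points on `requested_for` and `justification`. In a real instance the equivalent check is a query of `sys_security_acl` per table, field and operation before the catalog item goes live, which is the review step that stops an uncovered field from being exposed through a list, report or API call.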
2 REPLIES

Bert_c1
Kilo Patron

You need to contact your ServiceNow Account Manager to address your security concerns. You make some seemingly wild claims about "security leaks" and "backdoor". Have those reviewed by ServiceNow; they support various industry certification requirements.

Some useful links if you Google "servicenow pci compliance".

kathymorris
Tera Contributor

Bert, CLUE ------> Anyone in touch with reality knows the Catalog is not designed as a cybersecurity solution, which is why ServiceNow built the SecOps scoped app. The only wild claim is your response. Anyway, this post was not made without first holding multiple meetings and speaking at length with ServiceNow and their technical SMEs. ServiceNow has provided us with more than enough documentation to advise us of the pros/cons of the Service Catalog for securing data. CLUE #2: our Account Manager has been at our meetings on this same topic, echoing ServiceNow's intent for the Service Catalog vs. scoped applications.