A Retail Chain Achieves PCI DSS 4.0 Compliance Across 340 Locations
Retail • Cybersecurity
Client: Retail Provider
Year: 2025
INDUSTRY & CONTEXT
A European retail chain with 340 store locations, processing payment card transactions at approximately 2,800 POS terminals and employing a central IT team of 12 people for the entire estate.
PCI DSS 4.0 became mandatory in March 2024; the organisation's QSA had identified Requirement 6.3 (patch management) and Requirement 11.3 (penetration testing evidence) as the two highest-risk non-compliance areas.
The problem
Four issues put the PCI DSS 4.0 assessment at risk:
• Patch documentation gap: the IT team could not produce OS-specific patch rate evidence for the POS terminal estate. Requirement 6.3 demands documented patch management with timelines, exception records, and remediation evidence. With 2,800 terminals across 340 locations, manual evidence compilation was not feasible.
• Patch success rate: 74% across the POS estate. The 26% gap represented 728 terminals with outstanding critical patches, some over 6 months old.
• Seasonal freeze complexity: the organisation had a 12-week trading peak during which no system changes were permitted. This created patch accumulation that then needed to be cleared in a compressed post-peak window without an IT headcount increase.
• Remote location management: 340 locations with no on-site IT presence. Any endpoint incident required either remote resolution or expensive on-site dispatch.
The solution
NOHDE deployed Tanium AEM for POS endpoint management, with compliance evidence capabilities:
Full estate deployment across all 340 locations. Every POS terminal enrolled in Tanium management within 3 weeks using automated zero-touch deployment.
Patch backlog cleared: 728 outstanding critical patches deployed in a controlled rollout over 6 weeks, prioritised by CVSS score, with automatic rollback for any terminal experiencing post-patch instability.
Seasonal freeze management: Tanium tracked vulnerability accumulation during the 12-week peak trading period, continuously risk-scoring outstanding patches. When the post-peak window opened, a prioritised deployment schedule was automatically generated and executed with controlled rollout over 10 days.
PCI DSS evidence automation: Requirement 6.3 evidence (patch rate by OS type, outstanding CVEs with risk scores, remediation timelines, exception records) generated on demand for QSA presentation.
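The evidence items listed above (patch rate by OS type, outstanding patches ranked by risk score, exception records, and a freeze-aware deployment order) reduce to a few queries over a patch inventory. The following is an added example, not NOHDE's or Tanium's code: it runs those queries over a small constructed inventory with hypothetical terminal and patch identifiers. The record layout, the 30-day window applied to high/critical patches, and the freeze dates are assumptions made for the example.

```python
"""PCI DSS Requirement 6.3 evidence metrics over a constructed patch inventory.

Added example; not NOHDE's or Tanium's code. The record layout, the 30-day
window for high/critical patches and the sample rows are assumptions.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import date, timedelta


@dataclass(frozen=True)
class PatchRecord:
    terminal: str
    os: str
    patch_id: str
    cvss: float
    released: date
    installed: bool
    exception: str = ""  # documented exception reason; empty means none


# Constructed sample data (hypothetical terminal and patch identifiers).
INVENTORY = [
    PatchRecord("POS-0001", "Windows 10 IoT", "KB-A", 9.8, date(2024, 12, 1), True),
    PatchRecord("POS-0001", "Windows 10 IoT", "KB-B", 7.5, date(2025, 2, 20), False),
    PatchRecord("POS-0002", "Windows 10 IoT", "KB-A", 9.8, date(2024, 12, 1), False),
    PatchRecord("POS-0002", "Windows 10 IoT", "KB-B", 7.5, date(2025, 2, 20), True),
    PatchRecord("POS-0003", "Linux POS", "PKG-X", 8.1, date(2025, 1, 10), True),
    PatchRecord("POS-0004", "Linux POS", "PKG-X", 8.1, date(2025, 1, 10), False,
                exception="vendor app incompatible; ticket <PLACEHOLDER>"),
    PatchRecord("POS-0005", "Linux POS", "PKG-Y", 5.3, date(2024, 11, 15), False),
    PatchRecord("POS-0005", "Linux POS", "PKG-X", 8.1, date(2025, 1, 10), True),
]

AS_OF = date(2025, 3, 1)                        # assumed report date
FREEZE = (date(2025, 2, 1), date(2025, 3, 31))  # assumed change-freeze window
HIGH_CVSS = 7.0                                 # CVSS v3 "High" starts at 7.0
HIGH_WINDOW = timedelta(days=30)                # assumed deadline for high/critical


def patch_rate_by_os(records):
    """Installed / (total minus documented exceptions), per OS type."""
    installed, due = defaultdict(int), defaultdict(int)
    for r in records:
        if r.exception:          # excepted patches are reported, not counted as failures
            continue
        due[r.os] += 1
        installed[r.os] += int(r.installed)
    return {os_name: round(installed[os_name] / due[os_name], 4) for os_name in due}


def exception_records(records):
    """Exception register: every uninstalled patch with a documented reason."""
    return [(r.terminal, r.patch_id, r.exception) for r in records if r.exception]


def overdue_high(records, as_of):
    """High/critical patches still missing past the window, excluding exceptions."""
    return [
        (r.terminal, r.patch_id, (as_of - r.released).days)
        for r in records
        if not r.installed and not r.exception
        and r.cvss >= HIGH_CVSS and as_of - r.released > HIGH_WINDOW
    ]


def deployment_schedule(records, as_of, freeze=None):
    """Outstanding patches ordered by CVSS (desc) then age (oldest first);
    empty while a change freeze is in force, so nothing is pushed during peak."""
    if freeze and freeze[0] <= as_of <= freeze[1]:
        return []
    pending = [r for r in records if not r.installed and not r.exception]
    pending.sort(key=lambda r: (-r.cvss, r.released))
    return [(r.terminal, r.patch_id, r.cvss) for r in pending]


if __name__ == "__main__":
    print("patch rate by OS:", patch_rate_by_os(INVENTORY))
    print("exceptions:", exception_records(INVENTORY))
    print("overdue high/critical:", overdue_high(INVENTORY, AS_OF))
    print("schedule (no freeze):", deployment_schedule(INVENTORY, AS_OF))
    print("schedule (in freeze):", deployment_schedule(INVENTORY, AS_OF, FREEZE))
```

Documented exceptions are removed from the denominator of the patch rate but still surface in the exception register, which is what an assessor expects to see: the rate reflects what should have been patched, and the register explains what was not. The schedule function is the freeze-aware piece, returning nothing while the freeze window is open and a CVSS-ordered backlog once it closes.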
The outcome
PCI DSS 4.0 QSA assessment passed
No Requirement 6.3 findings
• Patch success rate: 74% → 99%+ across 2,800 POS terminals within 90 days
• Post-peak patch deployment: 92% of accumulated patches deployed in 10 days vs. the previous 8-week manual process
• QSA evidence package: 45 minutes (vs. an estimated 3 weeks of manual compilation)
• Remote incident resolution: 94% of endpoint incidents resolved remotely, no on-site dispatch required
Why Tanium
The combination of scale (2,800 terminals, 340 locations) and the regulatory evidence requirement made Tanium the only viable option.
No other platform could query every terminal simultaneously, produce QSA-ready patch evidence automatically, and manage the seasonal freeze/deploy cycle without requiring a headcount increase. The 12-person IT team maintained the same staffing throughout the compliance remediation and NOHDE's managed service absorbed the operational load.