Customer Profile: The largest electronic payment gateway in the United States that operates in 190 markets around the world and manages over 78 million active accounts.
Goal: To achieve PCI compliance as a Level-1 service provider.
Deployment: The deployment and migration of data to File-GENERAL™ appliances located in two geographically dispersed data centers took less than 5 days. No time was spent changing the existing application in order to encrypt cardholder data.
Benefits: PCI compliance; Data security; Comprehensive visibility into file data usage; Low cost
The customer's business requirements necessitated that cardholder data be taken out of a secure database for manual processing of payments that had failed to go through the automated process. This data was being stored on Microsoft servers in an unencrypted format. This vulnerability prompted the customer’s compliance staff to raise a red flag. The security team was tasked with finding an appropriate solution that would mitigate this issue. The application team was reluctant to make any changes to their application to accommodate additional security and compliance requirements. The technical management team responsible for the corporate strategy was against deploying yet another homegrown solution to satisfy this need. The challenge was to find a solution that would secure data, enable compliance, and could also become a corporate standard.
Being the largest electronic payment gateway with hundreds of millions of dollars flowing through its network, the customer could ill afford to deploy a solution that was not reliable from both a technical and an operational point of view. Therefore, the customer had to be extra vigilant when it came to the vendor selection process. The vendor not only had to fulfill the technical and business requirements but also had to be trustworthy. It took over nine months for various selection committees to go through their comprehensive due diligence process, in which other contenders were eliminated one by one and Packet General emerged as the eventual winner.
The Final Outcome
File-GENERAL™ replaced the existing Microsoft servers that were open to numerous attack vectors. Deployment of File-GENERAL™ appliances was completely transparent to the application as well as to the users of the application. The delivery team took the lead and coordinated deployment with their operational and support teams located at various remote sites. Because the appliance uses role-based management, appropriate corporate approvals were secured in advance to allow various individuals to play administrative roles. FIPS-140 compliant smart cards that hold the cryptographic keys were securely distributed to the responsible parties during the installation process.
Minimal User Impact:
The transfer of data from an unencrypted state to an encrypted state was completed without a hitch. The application that needed access to the cardholder data remained unchanged. The users of the application didn't even realize that they had been switched to a setup that transparently encrypts data and controls access. The overall application performance was not adversely impacted by File-GENERAL™ “On-demand” and transparent encryption.
The customer had brought in their own PCI compliance experts to review the File-GENERAL™ setup before its deployment to make sure that it would satisfy all of their auditor’s objections. Packet General was asked to supply additional technical information in order to satisfy various requests from the compliance team. After a thorough review, File-GENERAL™ was given a green light.
The largest electronic payment gateway wasn't looking for a tactical solution that was going to protect cardholder data but for a solution that would become a corporate standard for flat file data security and compliance needs. Hence a significant amount of time was spent looking at not only commercially available solutions but also at the homegrown solutions developed by the different business units to fulfill their own requirements. In the end, the customer decided to go with File-GENERAL™, which was able to meet or exceed the business and the technical requirements.
About Packet General:
Packet General is a data security company focusing on PCI compliance. Packet General's product portfolio includes PCI-GENERAL™, an encrypted MySQL appliance; File-GENERAL™, a secure and encrypted file repository; and Vault-GENERAL™, a secure file transfer appliance. Packet General is based in New York, USA. For more information about Packet General, please visit www.packetgeneral.com or call +01 631 546 5047.