Customer Profile: A global Internet services and media company with over 5 billion page views every month. The customer is considered to be one of the three largest web properties in the United States of America.
Goal: To achieve PCI compliance as a Level 1 service provider.
Deployment: The deployment of PCI-GENERAL™ appliances in three geographically dispersed data centers took less than 60 days. Not a single line of application code was rewritten in order to encrypt cardholder data and achieve compliance.
Benefits: Remediation of non-compliant status; data security; elimination of monthly fines due to non-compliance.
The Level 1 service provider had failed its PCI compliance audit. Inadequate protection of the transactional data stored in its MySQL databases was cited as the reason. In accordance with the remediation provision, the service provider was given 9 months to fix the problem. The auditor's objections covered a wide range of issues: no controlled access to cardholder data, no proper key management, no automated password rotation and no secure logs. This was despite the fact that the service provider was already encrypting cardholder data in its own application; encrypting the data without access control, key management and audit logging around it was not enough to satisfy the auditor.
Replacing MySQL with another database with better built-in security provisions would have been cost prohibitive. The product acquisition cost was only part of the problem; the bigger expense was the application rewrite that the switch would have required. An internal debate ensued that kept the service provider from implementing a solution in a timely manner. In the meantime the service provider was forced to pay fines to each credit card brand. The fines and the loss of preferential rates together ended up costing well over $150,000 per month.
In order to deal with the issue, the service provider created a task force that included professionals from its IT risk management group, the business unit that controlled the MySQL installations, and project management professionals, to make sure that a solution was found in a timely manner. The task force went to work with zeal only to be disappointed: no solution on the market was able to meet its requirements. The task force turned to Sun Microsystems, who recommended Packet General.
Preconceived notions about encryption overhead:
The operational team was worried about encryption overhead and was adamant that the customer experience must not suffer. The service provider not only had a large data set, but its web traffic also fluctuated widely within a 24-hour period. Fortunately, PCI-GENERAL™ has been designed to handle high transactional volume, and its flexible design enabled the service provider to encrypt the MySQL databases selectively, so that only the columns holding cardholder data incurred the cost of encryption. In the end, encrypting the data had no operational impact on performance, and the team was happy with the results.
Deployment and migration:
The service provider maintains several data centers in geographically dispersed locations. There was a concern that deploying the PCI-GENERAL™ appliances and migrating data to them would be a challenge. Also, since the service provider took pride in its service delivery record, there was added pressure to make sure that deployment and migration took place without any disruption of service. The migration to the PCI-GENERAL™ machines turned out to be uneventful.
The Final Outcome:
Compliance with the Payment Card Industry Data Security Standard is not a one-off act but a persistent state of data security. This is where the service provider's IT Risk Management group took the lead. With Packet General's help, the team formulated new security policies built around PCI-GENERAL™ features in order to satisfy the various PCI DSS requirements.
The entire process, from the evaluation to the last PCI-GENERAL™ machine becoming operational, took under sixty days. With PCI-GENERAL™, no application changes were needed in order to secure the cardholder data stored in the MySQL servers. The service provider was able to achieve PCI compliance, which resulted in savings of over $150,000 per month.
About Packet General:
Packet General is a data security company focusing on PCI compliance. The Packet General product portfolio includes PCI-GENERAL™, an encrypted MySQL appliance; File-GENERAL™, a secure, encrypted file repository; and Vault-GENERAL™, a secure file transfer appliance. Packet General is based in New York, USA. For more information about Packet General, please visit www.packetgeneral.com or call +01 631 546 5047.