Customer Profile: A European airline
Goal: To securely exchange passenger reservation information and achieve PCI compliance as a tier-1 merchant.
Deployment: The deployment and integration of Vault-GENERAL appliances took less than 2 days. No time was spent changing existing applications in order to encrypt passenger information.
Benefits: Mitigation of PCI compliance objections; Data security; Low cost
Today, we live in a world where electronic identities and personal information are bought and sold like any other commodity over the Internet. Most businesses are under siege from unabated security assaults on their systems, stemming from varied sources both inside and outside their networks. Lawmakers are feverishly working on new regulations, while the credit card industry has promulgated a new security standard for its merchants. Non-compliant merchants could face fines, increased transaction fees and loss of card processing privileges.
Our customer, a European airline, receives passenger reservation information from different sources on a daily basis. These files contain passengers' credit card data along with other personally identifiable information. The airline was using homegrown SFTP servers to accomplish this task. Once the files were received, they were moved to internal servers for further processing.
The airline had started the audit review process in order to pursue compliance with the PCI mandates. The data stored on the SFTP servers became an issue. The auditors pointed out that the credit card information was vulnerable, since the data sat unencrypted from the moment files were received from the various partners until they were moved to internal servers behind the corporate firewall. Moreover, the setup did not allow the airline to generate tamper-resistant logs showing who accessed the cardholder data while the data was “at rest”. The airline was asked to resolve the situation within a stipulated time period or lose the ability to process credit card transactions.
The airline knew that their business partners would not want to make changes to their file delivery systems. The solution had to satisfy the auditors' objections and at the same time be transparent to both partners and internal users.
Since the ticketing system had to be operational at all times, the reliability of the chosen solution was paramount. A data breach of ticketing information would result not just in loss of sensitive information but also in loss of credibility, something the airline could not afford. Time was running out quickly, so the airline retained the services of an outside business partner to help them find the right solution. During the selection process, it became apparent that Vault-GENERAL could protect the passenger reservation files and also satisfy all of the auditors' objections. Vault-GENERAL was placed in the DMZ. It allowed the partners to continue sharing information using the SFTP protocol, while corporate users were able to access the information using the SMB protocol from behind the firewall.
The Final Outcome:
Several Vault-GENERAL appliances were used to replace the homegrown SFTP servers in order to eliminate various attack vectors. Since Vault-GENERAL encrypts data at rest and also employs RBAC to control access to cardholder data files, the airline was able to raise its security posture without altering existing business practices. Authorized corporate users were able to access files as if nothing had changed. No client software was installed. Moreover, every file transfer and access was logged and cryptographically signed. The airline was able to satisfy all the objections raised by their auditors and achieved PCI compliance before the impending deadline.
The Solution Highlights:
The Vault-GENERAL appliance does not allow even a privileged user to view or alter data stored in the protected files. Hence the airline was able to reduce the circle of trust to the Vault-GENERAL administrators alone.
The airline used Vault-GENERAL's FIPS 140 Level 2/3 compliant smart cards to securely distribute and store the encryption keys.
The airline used role-based access control mechanisms to restrict access to sensitive files.
Each access to cardholder data was logged. The log files were stored in an encrypted vault, and even the Vault-GENERAL administrators are not allowed to view or modify these log files. This provided the airline with the evidentiary material the auditors had requested.
The airline was not only looking to pass the compliance audit, but also wanted to secure its passenger information in a meaningful way. Even though PCI compliance was the trigger for replacing the homegrown SFTP servers, in the end the airline had significantly increased its overall security posture. Vault-GENERAL was able to meet or exceed the business and technical requirements, and the airline was able to become compliant in a short amount of time.
About Packet General:
Packet General is a data security company focusing on regulatory compliance. The Packet General product portfolio includes PCI-GENERAL™, an encrypted MySQL appliance; File-GENERAL™, a secure, encrypted file repository; and Vault-GENERAL, a secure file transfer appliance. Packet General is based in New York, USA. For more information about Packet General, please visit www.packetgeneral.com or call +01 650 485 1415.