Practical PCI: Implementing Data Encryption for PCI DSS Compliance
December 4, 2012
Tina Stewart | VP of Market Strategy

In our last post, entitled PCI DSS: The Basics, we provided a very high-level overview of the Payment Card Industry Data Security Standard. But knowing what the standard contains is a far cry from understanding how to implement solutions in ways that create a compliant cardholder data environment. In this post, you will see a number of case studies that illustrate how Vormetric can be used to support PCI DSS compliance.

Case Study – TAB Bank

PCI DSS is unique in that it regulates data protection across a multitude of industries. Most think of it as a financial services regulation, but it goes quite a bit broader than that. TAB Bank uniquely demonstrates the cross-functional characteristics of the PCI DSS. TAB Bank was founded by Flying J to help support the trucking industry. You can easily imagine how complex their cardholder data challenges can be, dealing with both the banking and transportation industries.

TAB Bank had two primary hurdles to overcome. The first, and likely the most common concern, was that the introduction of any security solution, particularly encryption, might negatively impact system performance. Given that the PCI DSS requires companies to render cardholder data unreadable regardless of where or how it is stored, the implications for system availability could be tremendous. Secondly, the solution selected had to allow a dispersed and heterogeneous environment to be managed from a centralized portal that enforces explicit policies. For example, TAB wanted to be able to control the way its employees were accessing data. After careful consideration, TAB Bank chose Vormetric Data Security.
According to Daryl Belfry, the Director of IT at TAB Bank, “Vormetric Data Security is quick and easy to administer while having negligible impact on performance; it’s the perfect solution for meeting PCI DSS requirements…Vormetric is crucial to the bank: It’s a solution that grows with us and allows us to securely maintain our data at all times.”

Case Study – Airlines Reporting Corporation (ARC)

The travel industry can be considered somewhat of a unique animal with respect to the hurdles its organizations must overcome in order to achieve compliance with the PCI DSS. Data is often stored in multiple locations with disparate systems and applications. What’s more, travelers are not forgiving of transactional delays, meaning system availability and performance are of critical importance. These were the issues facing Airlines Reporting Corporation® (ARC), the worldwide leader in transaction settlement for the travel industry.

When looking for solutions to help the company achieve PCI DSS compliance, ARC’s Director of Security Operations, Jim Fallon, was very much concerned about the amount of data that needed to be secured. “We needed an encryption and access control solution that could protect a large data store of files that contain sensitive information,” said Jim Fallon, security operations manager for ARC. “One of the tipping points for us was Vormetric’s management console. It makes creating encryption profiles — which contain unique guard points, security policies, and keys — a snap. Meanwhile, all that’s required to apply these profiles to individual users is a simple connection to Active Directory. It’s one of the easiest products to implement I’ve ever used.”

For ARC, though, the questions of compliance went beyond just PCI DSS. ARC was also looking for a solution that would help them comply with the various state breach notification laws as well.
Vormetric Data Security enables ARC to encrypt sensitive unstructured data stored in files, control access to that information, and report on who is accessing the data. Vormetric Data Security is so transparent that ARC employees are unaware that files are encrypted unless they request access to data for which they lack authorization. As with any enterprise solution, there were questions about how difficult the implementation would be. ARC’s Fallon reported, “The Vormetric deployment took just a few weeks and was squeaky clean. That’s unusual for an enterprise security product.”

Case Study – Financial Services Provider

A leading Fortune 500 financial services corporation faced the challenge of achieving compliance with the PCI DSS over a heterogeneous network environment, while maintaining network performance and availability. The company had 19,000 employees and more than $4 billion in revenue from companies spanning industries as diverse as telecom and healthcare, retailers and city governments. To find a solution that would serve seemingly divergent technical and business objectives, the company created a stringent list of criteria. After extensive testing and evaluation, during which the company also tested native Linux and IBM AIX solutions, the company chose Vormetric Data Security.

The Technical Project Manager commented, “We deliberately picked a very challenging scenario to test the application. We knew that if things worked well, deployment into a more standard environment would be easy.” Upon implementing Vormetric Data Security, the company was able to achieve compliance with the PCI DSS within its planned project timelines.

Further, the current infrastructure includes a virtual desktop infrastructure with direct-attached SCSI drives. The company was able to leverage the Vormetric solution to protect this environment as well. “The combination of Vormetric Data Security and our VMware VDI environment provides us with great protection.
There is multi-factor authentication to get to the virtual environment and then an arsenal of policies to guard the data inside of the VDI; all contributing to helping us exceed the rigorous PCI DSS audit requirements.”

Case Study – Meta Bank

Banks and financial institutions have a myriad of data protection regulations with which they have to comply, PCI DSS being just one of many. Add to that customer expectations regarding performance and privacy, distributed environments, and a plethora of sensitive customer information beyond the realm of the PCI DSS. The sum total of requirements and expectations can seem overwhelming. When Meta Bank, a federally chartered savings bank and a recognized leader in the prepaid card industry, began evaluating data protection solutions to enable their compliance, it seemed a tall order to fill. Meta had criteria to meet that included ease of implementation, transparency, performance, and centralized policy and key management. After extensive research and testing, Meta Bank chose Vormetric Data Security to protect their customers’ sensitive data.

“Vormetric Data Security offered us an easier yet effective method to encrypt our SQL Server databases and comply with PCI DSS encryption and key management requirements,” said Troy Larson, MetaBank’s vice president, Information Systems. “As opposed to the complexity of implementing point encryption products, Vormetric Data Security provides us with a consistent and centrally managed security model across our infrastructure. The abilities to centralize key and policy management as well as implement a solution that evolves with our developing needs were critical factors in our decision to select Vormetric.”

To learn more about Vormetric’s PCI DSS solutions and experience, visit our website.

PCI DSS Summary

The PCI DSS continues to evolve to meet the changing threat landscape facing payment data.
The result is a constant stream of updated requirements, standards, best practices, and guidance documents. Companies cannot afford to change their security architecture for each new iteration. It is imperative to select a solution that is flexible and scalable and can help protect sensitive data, even as the overarching requirements shift. Complying with the PCI DSS can be difficult for any number of reasons, not the least of which include industry requirements that cover policies, technologies and physical security. Vormetric Data Security can help companies cost-effectively achieve and maintain compliance with PCI DSS requirements 3, 7, and 10. Ease of implementation is equally important, and the experiences of companies like TAB Bank, ARC, Green Dot, and Meta Bank demonstrate the ability of Vormetric to aid in compliance with rigorous regulatory programs while maintaining business agility and the performance expected by end users.
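The summary ties the case studies back to PCI DSS requirements 3, 7 and 10 (render stored cardholder data unreadable, restrict access by business need-to-know, and log access to cardholder data). The following is an added illustrative model of how those three requirements meet at a file-level "guard point" of the kind the ARC quote mentions; it is example code written for this post, not Vormetric's product code, and it assumes nothing about how Vormetric implements its policies internally. To keep it runnable with only the Python standard library, AES is replaced by an HMAC-SHA256 counter-mode keystream with an encrypt-then-MAC tag; the master key, the `/var/cardholder` path, the identity names and the sample record are all constructed for the example.

```python
import hashlib
import hmac
import os
import time
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set

# Constructed master key for the example only; a real deployment would fetch
# keys from a central key manager rather than embed them in code.
DEMO_MASTER_KEY = bytes(range(32))


def _subkey(master: bytes, label: bytes) -> bytes:
    """Derive a purpose-specific key so the encryption and MAC keys differ."""
    return hmac.new(master, label, hashlib.sha256).digest()


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 in counter mode; a stand-in for AES so the example needs no extra library."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def seal(master: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC. Returns nonce || ciphertext || tag (Requirement 3: unreadable at rest)."""
    enc_key, mac_key = _subkey(master, b"enc"), _subkey(master, b"mac")
    nonce = os.urandom(16)
    ciphertext = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()
    return nonce + ciphertext + tag


def unseal(master: bytes, blob: bytes) -> Optional[bytes]:
    """Verify the tag before decrypting; None means the stored bytes were altered or corrupted."""
    enc_key, mac_key = _subkey(master, b"enc"), _subkey(master, b"mac")
    if len(blob) < 16 + 32:
        return None
    nonce, ciphertext, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None
    return bytes(c ^ k for c, k in zip(ciphertext, _keystream(enc_key, nonce, len(ciphertext))))


@dataclass
class GuardPoint:
    """A protected directory: one key, one default-deny policy, one audit trail."""
    path: str
    master_key: bytes
    policy: Dict[str, Set[str]]                               # action -> identities allowed (Req. 7)
    storage: Dict[str, bytes] = field(default_factory=dict)   # simulated on-disk bytes
    audit: List[dict] = field(default_factory=list)           # every attempt, allowed or not (Req. 10)

    def _record(self, user: str, action: str, name: str, allowed: bool, reason: str) -> None:
        self.audit.append({"ts": time.time(), "user": user, "action": action,
                           "file": f"{self.path}/{name}", "allowed": allowed, "reason": reason})

    def _permitted(self, user: str, action: str) -> bool:
        return user in self.policy.get(action, set())

    def write(self, user: str, name: str, data: bytes) -> bool:
        if not self._permitted(user, "write"):
            self._record(user, "write", name, False, "policy denies write")
            return False
        self.storage[name] = seal(self.master_key, data)   # only ciphertext ever reaches "disk"
        self._record(user, "write", name, True, "ok")
        return True

    def read(self, user: str, name: str) -> Optional[bytes]:
        if not self._permitted(user, "read"):
            self._record(user, "read", name, False, "policy denies read")
            return None
        blob = self.storage.get(name)
        if blob is None:
            self._record(user, "read", name, False, "no such file")
            return None
        data = unseal(self.master_key, blob)
        if data is None:
            self._record(user, "read", name, False, "integrity check failed")
            return None
        self._record(user, "read", name, True, "ok")
        return data

    def raw_bytes(self, name: str) -> bytes:
        """What a backup job or a raw disk read observes: ciphertext, never the record."""
        return self.storage[name]

    def denied_events(self) -> List[dict]:
        return [e for e in self.audit if not e["allowed"]]


def demo() -> GuardPoint:
    gp = GuardPoint(path="/var/cardholder", master_key=DEMO_MASTER_KEY,
                    policy={"read": {"card-app"}, "write": {"card-app"}})
    record = b"acct=CONSTRUCTED-SAMPLE-PAN;exp=12/99"   # constructed placeholder, not a card number
    gp.write("card-app", "batch.csv", record)
    gp.read("card-app", "batch.csv")           # permitted by policy, logged as allowed
    gp.read("backup-operator", "batch.csv")    # not in the policy, logged as denied
    return gp
```

The point of the model is the separation the case studies describe: the application that owns the data reads it transparently, an identity outside the policy is refused before any key is used, a raw copy of the file is useless without the key, and both outcomes leave an audit record. A real deployment would replace the HMAC keystream with AES, keep the key in a central manager, and map identities from a directory such as Active Directory rather than from a hard-coded set.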