Fortune 1000 Company Uniforms Itself with DataPower for PCI Compliance
Business Needs
- Avoid fines and denial of services
- Secure data access
- Competitive edge
CLIENT BACKGROUND
This publicly held Nasdaq-100 company, traded on the Global Select Market, designs, manufactures and implements corporate identity uniform programs. Additionally, they provide cleaning and supplies, promotional products, first aid and safety products, fire protection services and document management services for approximately 800,000 businesses. They operate more than 400 facilities in the U.S. and Canada and employ over 34,000 people.
BUSINESS PROBLEM
All companies that process, store or transmit payment card data must be Payment Card Industry (PCI) compliant or risk losing their ability to process credit card payments, being audited and/or being fined. PCI compliance helps organizations that process card payments reduce security threats, vulnerabilities and fraud.
The company was given a strict June 1st, 2008 deadline by their external merchant bank to meet the PCI compliance regulations, after which they would be liable for hefty fines and/or denial of service. To serve their clients and meet the regulations, they needed access to company data and had to maintain a repository of credit card information with vault-like security, ensuring privacy for their 1.5M transactions per year.
SOLUTION
Facing a very serious deadline, and with nearly nine months of planning, the client created an internal steering committee comprising representatives from its financial and IT divisions to produce a solid gap assessment. With no “magic bullet” available, they decided very carefully where to invest and what made the most sense from a business standpoint, not just to comply but to exceed the standards while also gaining a competitive edge. With their significant 1.5M transactions a year, it was important to create a cost-effective solution without increasing risk.
From those planning sessions, and after due diligence, a three-point solution was devised to solidify their PCI compliance project. The first “point” was to offload all credit card information to a third-party payment solution, 3Delta Systems (3DSI), which specializes in proactively managing, authorizing and settling transactions in real time.
The second “point” was a clever solution whereby the credit card data is converted into a “token” (a reference pointer) which, without the correct credentials and processing algorithms, is useless. Internally, a complex technical infrastructure and physical controls also make an “inside job” to exploit the information impossible.
Finally, Prolifics and its client brought DataPower into the solution as the “Black Box” responsible for containing security risks. Using the IBM WebSphere DataPower appliance, Prolifics helped them create their “PCI Hub” solution, which interfaces between internal systems and the 3DSI payment solution. DataPower securely routes and transforms information from AS/400 and .NET Web applications, exposed as Web services, into the proprietary format 3DSI requires. The company gained everything required in one box, and preliminary volume testing of 45,000 credit card transactions completed in 8 minutes.
This solution puts them ahead of the curve in approach and design: the walls around their infrastructure have been raised, while security issues have been removed by offloading the data to their third-party vendor (3Delta Systems). With 0% of credit card data in-house, but with their core back-end business processes intact, the client created a unique solution that requires fewer controls within their infrastructure while essentially front-ending their processes.
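The tokenization and hub steps described above, as an added example that is not part of the original case study and not 3DSI's, Prolifics' or DataPower's code: a small Python model in which a provider-side vault (hypothetical, since the page gives no details of 3DSI's token format or API) replaces a validated card number with a random token that only valid credentials can reverse, and a merchant-side hub function stores nothing but the token in-house. The sample order is constructed and uses a standard test card number.

```python
import hmac
import secrets

SAMPLE_ORDER = {"order_id": "A-1", "amount": "19.99", "pan": "4111 1111 1111 1111"}  # constructed; Visa test PAN

def luhn_valid(pan: str) -> bool:
    """Mod-10 check (double every second digit from the right); rejects typos before a PAN leaves the hub."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

class TokenVault:
    """Stands in for the provider-side vault (hypothetical: the page gives no details of 3DSI's token format or API)."""
    def __init__(self, api_key: bytes) -> None:
        self._api_key = api_key
        self._pans: dict[str, str] = {}   # token -> PAN; this map never exists on the merchant's network

    def tokenize(self, pan: str, api_key: bytes) -> str:
        if not hmac.compare_digest(api_key, self._api_key):
            raise PermissionError("invalid vault credentials")
        pan = pan.replace(" ", "")
        if not (pan.isdigit() and 13 <= len(pan) <= 19 and luhn_valid(pan)):
            raise ValueError("not a well-formed card number")
        # Random token: nothing computes back to the PAN; the last four digits are kept for receipts.
        token = f"tok_{secrets.token_hex(8)}_{pan[-4:]}"
        self._pans[token] = pan
        return token

    def detokenize(self, token: str, api_key: bytes) -> str:
        if not hmac.compare_digest(api_key, self._api_key):
            raise PermissionError("invalid vault credentials")
        return self._pans[token]

def pci_hub_capture(order: dict, vault: TokenVault, api_key: bytes) -> dict:
    """Merchant-side hub step: swap the PAN for a token before the order record is stored in-house."""
    token = vault.tokenize(order["pan"], api_key)
    return {"order_id": order["order_id"], "amount": order["amount"],
            "card_token": token, "last4": token[-4:]}

def vault_denies(vault: TokenVault, token: str, api_key: bytes) -> bool:
    # True when the vault refuses to hand back a PAN for the given credentials
    try:
        vault.detokenize(token, api_key)
    except PermissionError:
        return True
    return False
```

The in-house record produced by `pci_hub_capture` carries no card number at all, which is the property that takes the merchant's systems out of scope for card-data storage.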
This elegant and sophisticated PCI compliance project illustrates the power of SOA and reusable assets. The client is now positioned for the future, when further regulations will require similar security for Social Security numbers and other personal data, giving their customers a large safety net. Additionally, they can leverage the solution as a competitive advantage by offering peace of mind to their clients in the financial, medical and government sectors, whose data requires the utmost discretion. Furthermore, they can integrate the solution with different vendors effortlessly in order to scale to higher volumes.
The company now has full confidence in their required self-assessment questionnaire and audit, which indicate full PCI compliance before the June 2008 deadline.
“The core capabilities of IBM’s 'Black Box' (DataPower) solution teamed with Prolifics’ agile services far outweighed the competition. Prolifics experts coded a solution to our toughest requirement in an afternoon before the project even started…taking us from 0 to 60 overnight.”