The Challenge
Securing Data and Achieving PCI Compliance
This credit reporting agency gathers and maintains information on over 400 million credit holders worldwide. Its data is governed by state and federal law, including the Fair Credit Reporting Act (FCRA), the Fair and Accurate Credit Transactions Act (FACTA) and the Gramm-Leach-Bliley Act, which requires financial institutions to safeguard sensitive data. The agency must also comply with the data security requirements of the organizations with which it does business.
To support a new initiative with Visa, the agency needed to secure sensitive credit card data in order to be compliant in a Payment Card Industry (PCI) environment. Key challenges included:
- Protecting personally identifiable information (PII) for over 400 million consumers and roughly 180 billion credit card numbers.
- Bringing environments “out of scope” to satisfy PCI compliance while meeting performance and security requirements.
- Addressing cost-prohibitive infrastructure challenges that rendered the existing environment non-compliant with PCI standards.
- Implementing a tokenization solution capable of securely generating 300 million tokens per minute, which their internally developed solution failed to achieve.
With noncompliance penalties posing a significant business risk, the agency needed a robust solution to meet both current regulatory requirements and future performance demands.
The Solution
Protegrity Privacy Protect
The agency chose the Protegrity Privacy Protect solution, with its patented vaultless tokenization technology, because it determined this was the best way to protect sensitive credit card data and would allow the agency to take infrastructure out of PCI compliance scope.
Rather than encrypting data, tokenization replaces each credit card number with a token: a value of the same type and length that is not mathematically derived from the original number. Because the token cannot be reversed without access to the tokenization system, systems that hold only tokens are treated as if the cardholder data had been removed, and those systems can be taken out of PCI scope. The tokenization system itself, and any system that is permitted to detokenize, remains in scope and must be protected accordingly.
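The following is an added example, not code from the original page and not Protegrity's implementation. It is a minimal vaulted tokenizer written to show the properties the paragraph describes: the token has the same type and length as the card number, it is drawn from a CSPRNG rather than computed from the number, the same number always maps to the same token so tokenized columns can still be joined, and only an allow-listed role can detokenize. The sample card numbers are constructed test values, and the role allow-list `DETOKENIZE_ROLES` is an assumption standing in for a central policy store. The `vault_size` method exposes the drawback of this vaulted design: the mapping table grows with every distinct number ever tokenized, which is the limitation that vaultless designs exist to remove.

```python
import secrets

# Constructed sample inputs: Luhn-valid test PANs of the kind payment sandboxes
# hand out, not real cardholder data.
SAMPLE_PANS = ["4111111111111111", "5555555555554444", "378282246310005"]

# Assumption for this example: detokenization policy is a simple role allow-list.
# A real deployment would pull this from a central policy store.
DETOKENIZE_ROLES = {"fraud-analyst"}


def random_token_like(pan: str) -> str:
    """Return a random digit string with the same length as `pan`.

    Every digit comes from a CSPRNG, so the token carries no information about
    the PAN: holding only the token reveals nothing about the original digits.
    """
    return "".join(secrets.choice("0123456789") for _ in range(len(pan)))


class TokenVault:
    """Minimal vaulted tokenizer: PAN <-> token mapping held in memory.

    The mapping table is the security boundary. Anything that can read it, or
    call detokenize, stays in PCI scope; systems that see only tokens do not.
    """

    def __init__(self) -> None:
        self._pan_to_token: dict[str, str] = {}
        self._token_to_pan: dict[str, str] = {}

    def tokenize(self, pan: str) -> str:
        if not (pan.isdigit() and 12 <= len(pan) <= 19):
            raise ValueError("PAN must be 12-19 digits")
        # Deterministic per PAN: the same card always gets the same token, so
        # analysts can join on the token column without ever seeing the PAN.
        existing = self._pan_to_token.get(pan)
        if existing is not None:
            return existing
        while True:
            token = random_token_like(pan)
            # Reject collisions with issued tokens and with any stored PAN, so a
            # token never happens to equal a real card number.
            if token not in self._token_to_pan and token not in self._pan_to_token:
                break
        self._pan_to_token[pan] = token
        self._token_to_pan[token] = pan
        return token

    def detokenize(self, token: str, role: str) -> str:
        # Separation of duties: a host administrator is not in the allow-list,
        # so the call fails instead of revealing the PAN in the clear.
        if role not in DETOKENIZE_ROLES:
            raise PermissionError(f"role {role!r} may not detokenize")
        try:
            return self._token_to_pan[token]
        except KeyError:
            raise LookupError("unknown token") from None

    def vault_size(self) -> int:
        # Grows with every distinct PAN ever tokenized: the scaling drawback
        # of vaulted designs, and the table that must itself be replicated
        # and protected.
        return len(self._pan_to_token)


if __name__ == "__main__":
    vault = TokenVault()
    for pan in SAMPLE_PANS:
        tok = vault.tokenize(pan)
        print(f"{pan} -> {tok}  (same length: {len(tok) == len(pan)})")
    print("vault rows:", vault.vault_size())
```

Run it directly to see three tokens of matching length and a vault of three rows. The point to take from the separation-of-duties check is that role enforcement belongs inside the tokenization service, not in the calling application, so a privileged operator of the host cannot bypass it.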
Initially, the credit agency attempted to build a tokenization infrastructure in-house, but it soon became clear that it would not satisfy performance requirements. The agency looked at products from several vendors, but only Protegrity could meet their requirements to securely generate about 300 million tokens per minute.
The Protegrity Privacy Protect solution, with its rapid tokenization, included an Application Protector and Enterprise Security Administrator for centralized oversight and administration of secure data across the entire enterprise.
The Outcome
Achieving PCI Compliance and Enabling Secure Analytics
Utilizing Protegrity’s enterprise-ready vaultless tokenization solution, the credit agency was able to satisfy PCI compliance for the Visa project and dramatically reduced the complexity and performance impact of protecting sensitive data. It also enabled them to support future analytics projects involving sensitive data using Apache Hadoop, a framework for using a network of computers to store and process data.
Business Value:
- Secure Data Protection: Privacy Protect enabled the agency to securely protect customer credit card data, ensuring compliance and operational security.
- Driving Business Growth: According to the VP of Technology, the agency could not have expanded its business without Protegrity because the penalties for non-compliance to regulate
- Streamlined Compliance: Protegrity’s tokenization met the agency’s performance goals and reduced the amount of infrastructure in PCI scope, because systems holding only tokenized data are exempt from PCI compliance.
Technical Value:
- Efficient Tokenization Architecture: The architecture of Protegrity’s vaultless tokenization technology provides the benefits of tokenization without the drawbacks of traditional vaulted tokenization: no ever-growing token lookup tables, no replication of those tables (which can degrade performance) and, most importantly, no stored sensitive data.
- Preserved Data Structure: Tokenized data retained its original type and structure, allowing teams to create tables and views without limitations, based on the needs of the users.
- Centralized Oversight: Protegrity’s centralized policy, key management, auditing, and reporting empowered security officers to monitor and manage sensitive data across the enterprise.
- Built-In Separation of Duties: Privileged users, such as system administrators, cannot view sensitive data in the clear but are still able to perform their job functions.
The Protegrity Advantage: Simplifying Compliance and Scaling Security
Before Protegrity Implementation
- Sensitive data within PCI scope increased compliance complexity and operational costs.
- Internally developed tokenization solutions failed to meet the required performance standard of 300 million tokens per minute.
- Manual processes for managing sensitive data hindered scalability and delayed analytics projects.
With Protegrity
- Vaultless Tokenization: Protegrity’s Privacy Protect solution removed sensitive data from PCI scope, significantly reducing compliance risks and associated costs.
- Performance at Scale: The high-performance architecture securely generated 300 million tokens per minute, meeting the agency’s demanding operational requirements.
- Preserved Data Structure: Tokenized data retained its original type and format, enabling seamless analytics and reporting without compromising security.
- Centralized Oversight: The Enterprise Security Administrator provided centralized policy enforcement, auditing, and key management, ensuring secure and efficient monitoring of sensitive data.
It has been a huge success, and we have satisfied all the security, regulatory, and contractual requirements we have.