
Retail Case Study

PCI DSS Compliance

Company Overview

The customer is a large oil company with over 200 gas station locations, all of which handle credit card data for transactions, and a legacy backend mainframe system for data processing.


Business Problem

Achieve compliance with the PCI DSS regulations for high-volume gas station transaction data.

High transaction volumes and a very short window to handle payment settlement meant the system had to have very high throughput and scalable performance. Due to the legacy mainframe environment, the implementation also required little to no modification of systems.

Finally, the company required a means for customer support to securely enter payment data manually.

Requirements and Challenges

Comply with all applicable PCI DSS regulations (Level 1)
Implement a data security solution with little to no modifications of systems
Eliminate mainframe from scope of PCI DSS annual audit via tokenization
Allow customer support to enter cardholder data (CHD) as usual
High transaction volumes and very short window for payment settlement required high throughput and scalable performance
Provide knowledge and responsiveness to any concerns or issues

Protegrity Solution

Protegrity implemented a Vaultless Tokenization appliance in a staging environment outside the backend systems.

The transaction information from the gas stations is sent securely to the Protegrity appliance and placed in an encrypted file. The secure file is parsed and Credit Card Number (CCN) data is tokenized prior to entering legacy business systems. After processing, the protected CCN data is de-tokenized by the appliance and transmitted to payment processors for settlement.

Tokens were designed to bleed through the first 6 digits of the CCN, that is, to leave those digits unchanged in the token, which keeps tokens compatible with legacy systems and prevents the need for modifications.
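The token shape described above (first 6 digits in the clear, same length, digits only, reversible for settlement) can be shown with a short added example; it is not Protegrity's code or algorithm. It assumes a keyed Feistel permutation over the remaining digits as a stand-in for the appliance's vaultless scheme, and the names `tokenize`, `detokenize`, `KEEP` and `ROUNDS` are hypothetical.

```python
import hashlib
import hmac

KEEP = 6     # leading digits left in the clear ("bleed-through")
ROUNDS = 10  # even, so both halves finish at their starting widths


def _prf(key, rnd, tweak, half):
    # Keyed round function; the clear prefix is bound in as a tweak.
    msg = bytes([rnd]) + tweak.encode() + b"|" + half.encode()
    return int.from_bytes(hmac.new(key, msg, hashlib.sha256).digest(), "big")


def _feistel(key, tweak, digits, decrypt=False):
    # Alternating Feistel over decimal strings: output has the same length
    # and alphabet as the input, and is reversible with the same key.
    u = len(digits) // 2
    v = len(digits) - u
    a, b = digits[:u], digits[u:]
    for rnd in (reversed(range(ROUNDS)) if decrypt else range(ROUNDS)):
        m = u if rnd % 2 == 0 else v
        if decrypt:
            c = (int(b) - _prf(key, rnd, tweak, a)) % 10**m
            a, b = str(c).zfill(m), a
        else:
            c = (int(a) + _prf(key, rnd, tweak, b)) % 10**m
            a, b = b, str(c).zfill(m)
    return a + b


def _check(value):
    if not (value.isascii() and value.isdigit() and 13 <= len(value) <= 19):
        raise ValueError("expected 13-19 ASCII digits")


def tokenize(key, pan):
    _check(pan)
    return pan[:KEEP] + _feistel(key, pan[:KEEP], pan[KEEP:])


def detokenize(key, token):
    _check(token)
    return token[:KEEP] + _feistel(key, token[:KEEP], token[KEEP:], decrypt=True)


if __name__ == "__main__":
    key = b"constructed-demo-key"  # constructed key for the demo
    pan = "4111111111111111"       # constructed test number, not a real card
    tok = tokenize(key, pan)
    print(tok, detokenize(key, tok) == pan)
```

Because the token keeps the CCN's length, character set and leading 6 digits, fixed-width legacy record layouts and routing logic keyed on those digits accept it unchanged, while only the holder of the key can recover the original number.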

Results & Benefits

Achieved PCI DSS compliance through tokenization of CCN data and end-to-end SFTP communication
No need to modify legacy systems to secure data due to external appliance and bleed-through of business intelligence
Customer support retained ability to handle CCN information through web interface with Vaultless Tokenization appliance
Tokens designed to exclude the first 6 digits of the CCN from tokenization, for compatibility with legacy systems and to prevent need for modifications
Continuous, granular monitoring on sensitive data
Removed mainframe from PCI DSS audit scope
Extremely high performance and throughput of secured data