PCI and GDPR Data Protection Requirements Met With Zero Downtime on Payments Processing Network

[vc_row][vc_column][vc_empty_space][vc_column_text]

Company profile

Bankart is a card payments processing center headquartered in Slovenia that serves 23 banks and other institutions across six countries in four different currencies. With our Central Authorization System (CAS), Bankart processes over 43 million ATM, POS, internet, and mobile transactions every month on ACI’s BASE24© Classic. We also control and manage ATM and POS networks for most of our banks.

In addition to our payments processing and network management services, our CAS also handles card validation, PIN verification, and in case a bank is experiencing technical issues and is unable to process an authorization, we will conduct off-line authorizations for them. This final service requires the storage, use, and management of sensitive cardholder data, which has to be protected.

Bankart’s payments processing network configuration

Since Bankart’s Central Authorization System must be up and running 24/7, it is hosted on HPE NonStop servers in a dual site configuration working in active-active mode. Between those two servers, data is replicated with Oracle GoldenGate©. Furthermore, some data is being replicated to back office systems running on Windows servers. Both authorization servers are connected to our POS network, ATM network, and web interfaces for online transactions, all of which are routed to the banks we serve, other processing centers, and interchanges. To manage all of this, we have to maintain various databases, files, and logs with card holder data.

The challenge

Throughout this network, there are several files and databases that contain cardholder data which needs to be protected from both external threats and accidental exposure to unauthorized insiders.

Bankart already employed Volume Level Encryption to protect cardholder data, however VLE is only useful when physical hard drives leave our premises. If a malicious actor infiltrates the system undetected, then the data is still left in the clear and vulnerable. An additional level of protection was required to secure the data in the event of a breach.

Our requirements

Given our complex network configuration and the high level of service our customers expect, we had very high standards for the solution that would protect the cardholder data we manage:

1. High Availability – able to integrate on a live system with zero down-time and available 24/7
2. Highly Configurable – compatible with a diverse system on a file and record level
3. Ease of integration – little or no changes to applications or source code
4. Scalability – should be possible to extend the solution to other systems within the company
5. PCI and GDPR compliance – cardholder data must be rendered unreadable wherever it is stored

The comforte advantage

Bankart chose SecurDPS from comforte because it fulfilled all of the above requirements and more. It was easy to implement in our complex IT environment without changes to source code or down time, it properly secured cardholder data in accordance with PCI and GDPR requirements, and it is a scalable, enterprisewide solution that can later be expanded to other systems in the company. Additionally, SecurDPS enabled us to be more cost effective by omitting volume level encryption.

How tokenization works

To protect cardholder data, we utilized tokenization. The main difference between tokenization and classical encryption is that tokenization replaces sensitive data elements with non-sensitive data elements of no exploitable value while preserving the format of the data. The advantage is that tokenized data can be transferred between systems that may be sensitive to data format without any changes to existing applications. This ensures that there are no security gaps in the system and makes it possible to implement the solution quickly and without interrupting services.

Tokenization in practice: log files

One of our objectives was to tokenize logs that are recorded at various intervals throughout the day and on a daily basis. Some of the logs are key sequenced while others are entry sequenced with cardholder data in different places.

We tokenized the log files using a configuration that would apply to logs created after a given date and time. This allowed us to secure the data in phases by setting different logs or bundles of logs to be tokenized at different times. We started by tokenizing one log file of a certain type and after determining that everything went as expected, we then tokenized all logs of the same type. The same process was applied until all of the log files were protected.

This entire process was carried out while the system was live without any of Bankart’s partners or customers noticing any difference in service levels.

Tokenization in practice: databases

Another major hurdle was to tokenize our databases. As all of our databases are constantly in use, there is no point during the day or night where any of the databases are not being used, so they also had to be protected without interruption. For this, we configured the program to start protecting records on each database after a given date and time.

The system continued to work seamlessly even though there were mixed records in the database because it was able to distinguish between tokens and data in the clear while the record format remained the same. For performance purposes and because we wanted the whole database tokenized, we later ran a conversion program on our databases to tokenize all records.

The results

The entire project was carried out within six months by just two members of Bankart’s IT development team who were simultaneously working on other projects. We took a phased approach to tokenizing the files and databases which allowed us to closely monitor system performance throughout the process. All cardholder data on our Central Authorization System is now secured and there were no signs of any performance degradation during implementation or afterwards! Thanks to SecurDPS’s scalability, plans are being made to extend the solution to other systems across the organization.

[/vc_column_text][vc_empty_space][/vc_column][/vc_row]