Background: The subject of the case study is the operator of a chain of combination gas stations and convenience stores in the United States. This regional retailer has more than 1,500 stores throughout the United States.
Challenges: Simplifying PCI compliance was the key goal of a large regional retailer, and the Security Project Manager determined that scope reduction was the way to achieve it. Since tokenization is widely recognized as a data security method that reduces PCI scope, the retailer decided to deploy a tokenization solution to solve the problem. The retailer had 18 concurrent projects for PCI compliance, so it was imperative that the tokenization solution ease that workload with rapid, painless deployment. The retailer also required the tokenization solution to be very high performance, as its service level agreement for transaction completion was less than one second, and it was dealing with over 50 million credit card numbers in its system.
Solution provided by Protegrity: The retailer deployed Protegrity Tokenization as a centralized solution, which uses a dedicated tokenization server on commodity hardware. The token server was deployed outside of the data warehouse to facilitate segmentation. With tokenization, data for a card transaction now follows this path: (a) card data is encrypted at the point of sale; (b) data is transmitted to a centralized host for decryption; (c) data is tokenized on the token server; (d) data enters the data warehouse.
The initial tokenization process was expected to take about 30 days for 50 million card numbers. The Protegrity Tokenization process actually required about 90 minutes. Deployment of the solution was non-intrusive as it did not require obtaining third-party modifications to code.
The retailer stated they experienced the following immediate benefits from the Protegrity solution:
• Faster PCI audits – The retailer’s PCI audit last year required about seven months. With segmentation, the retailer says the current audit will require half that time.
• Lower maintenance cost – “Maintenance is now less expensive because we don’t have to apply all 12 requirements of PCI DSS to every system,” says the Security Project Manager.
• Better security – “Everyone agrees the cardholder data is a lot more secure,” says the Security Project Manager. With tokenization, he says the retailer has been able to eliminate several business processes such as generating daily
• Strong performance – In addition to the rapid processing rate for initial tokenization, the solution meets the retailer’s sub-second transaction SLA.
Another benefit of Protegrity Tokenization has been no significant changes to the ways this retailer analyzes transactions. As part of the implementation, the retailer elected to leave the first six and last four digits of card numbers in the clear.
“This satisfies 98% of our daily requirements in applications, reporting, and answering customer questions,” says the Security Project Manager.
Summary: This case study proves that Protegrity Tokenization provides strong security for cardholder and other sensitive data while dramatically simplifying and lowering the cost of protection. Specifically, with Protegrity Tokenization, the retailer simplified compliance with the PCI Data Security Standard while protecting sensitive data. The solution is highly scalable on standard commodity hardware, which lowers CAPEX and operational costs. Technical efficiency of Protegrity Tokenization keeps business processes running smoothly and meets stringent service level agreements. The solution is also easier to manage than competitive solutions, which simplifies and reduces costs of operations.
Protegrity USA, Inc.
5 High Ridge Park
Stamford, CT 06905 U.S.A.