This article describes how Mercury Processing Services International (Mercury PSI) managed to address increasing regulatory pressure from PCI and GDPR data security and privacy requirements by implementing comforte’s SecurDPS Data Protection Suite. The solution provides encryption and tokenization capabilities and integrates transparently on HPE NonStop systems as well as on Windows, Unix and Linux. Mercury PSI was able to secure all sensitive data on their systems without any impact on their high service levels.
Mercury Processing Services International is a provider of payment solutions, dedicated to developing and managing its payment business on an international level. They serve over 5.6 million accounts in the financial and banking sectors across Europe, the Middle East and Africa and, on average, they process 1.8 million transactions per day.
Technological expertise is the main driver of enhancing and enriching their existing business relations, as well as the main source for the innovations that they provide in the payment industry with a clear focus on Security and Compliance.
- The 1.8 million transactions handled per day are now compliant with PCI and GDPR data security requirements, with all sensitive data rendered unreadable.
- Efficient data protection will enable Mercury PSI to process an even greater volume of transactions.
- Highly flexible and scalable solution implemented quickly and easily.
- Fulfil key data security requirements of GDPR and PCI DSS
- Reduce risk and potential impact of data breaches
- Protect sensitive data to enable secure transfer between insiders and partners
- Maintain service levels
Challenge: PCI and GDPR Compliant Data Protection
The project began with tackling the PCI requirement of protecting cardholder data and later expanded to cover the protection of additional data elements in order to comply with the GDPR.
According to PCI Requirement 3.4, cardholder data must be rendered unreadable wherever it is stored. Cardholder data is defined as a Primary Account Number (PAN) and any data that can be tied directly to a specific PAN, such as the cardholder’s name.
GDPR requirements go a step further as they require similar protection for personal data. Personal data has a much broader scope than cardholder data and is defined as any data that can be traced back to an actual person, including a name, address, nationality, biometric data, etc.
Additionally, both the GDPR and PCI DSS stress that sensitive data should only be visible on a need-to-know basis within the organisation and among its partners. That means that it should also be rendered unreadable within the organisation to avoid accidental exposure to insiders and partners.
Mercury PSI needed a solution that would properly protect all of these types of data, not just for the sake of compliance but also as another layer of protection that would render data useless to potential hackers. Hackers are constantly devising new ways to break into systems, so it is essential to have a data-centric solution at the core of the organisation’s data security strategy so that, in the event of a breach, the data accessed has no exploitable value.
Mercury PSI chose comforte’s SecurDPS to protect their data as it fulfilled their data protection requirements and could be implemented quickly and easily, without interrupting the business.
SecurDPS reduces business risk by replacing in-the-clear sensitive data with a token value that is meaningless if it is exposed. A data-centric security strategy protects the data itself so that even if all other security measures fail, the data at the core will still not be exploitable. This also fulfils the PCI and GDPR requirements that no sensitive data be held on core enterprise components.
Furthermore, tokenized data is protected from accidental exposure to unauthorized insiders and third party vendors as it can only be accessed with proper authorisation. This helps reduce dependency on compensating controls as a temporary measure to pass security audits and fulfils the PCI and GDPR requirements that sensitive data only be accessible on a need-to-know basis.
“The digital payments market is constantly growing and with that comes the need for ever more care and consideration for data security. Mercury PSI is dedicated to staying ahead of the game and so we have added another layer of defence to protect our customers’ data. This will offer us even greater support in our mission to deliver reliable services safely and securely”.
– Jasna Fumagalli, Compliance, Security and Risk Management Director at Mercury PSI
Data Protection with a Light Footprint
Mercury PSI processes on average 1.8 million transactions a day, so they needed a solution that could be implemented without interrupting the business or affecting service levels. Tokenisation offers protection without the performance pitfalls of classic encryption by preserving the format and utility of the protected data so that business applications and analytics can operate on tokens rather than sensitive data in the clear.
In addition, SecurDPS is highly flexible and scalable, so it could be implemented without any changes to the application source code. This meant that the solution was not only implemented in a matter of weeks rather than months, but also deployed without affecting service levels.
“We were very satisfied with comforte’s readiness to handle whatever requests we had, wherever and however they arose. Their dedication and diligence were essential to this project’s success”.
– Giovanni Cetrangolo, Head of Strategic projects and innovation at Mercury PSI
The benefits of this project go beyond simply fulfilling PCI and GDPR requirements for data protection. In the unlikely event of a data breach, all sensitive data will be unreadable and have no exploitable value to hackers, which greatly reduces the impact of a potential breach.
Furthermore, tokenised data will help secure Mercury PSI’s growth as it is now much easier for them to exchange data with partners and customers while keeping sensitive data protected. Since they no longer rely on compensating controls and can do business much faster, they will be able to get the most out of the rapidly growing market and provide processing services to more customers than ever.
“We at comforte take pride in our proven track record of providing financial services organizations with robust and reliable data security solutions. We are very pleased to help Mercury PSI secure their data and ultimately secure their growth”.
– Michael Deissner, CEO at comforte
Secure your Growth with comforte
With more than 20 years of experience in data protection on truly mission-critical systems, comforte is the perfect partner for organizations who want to protect their most valuable asset – data. comforte’s Data Protection Suite, SecurDPS, has been built from the ground up to best address data security in a world that is driven by digital business innovations, empowered customers, and continuous technology disruptions. We are here to help secure your growth by providing expertise, an innovative technology suite, and local support.