Encryption Required For Payment Card Industry Compliance
Founded in 1999, Revelex has become the leading technology company in the travel industry. The company provides travel technology solutions—including the most comprehensive reservation system in the business—to hundreds of worldwide companies of all sizes. Revelex services span all travel sectors including airlines, hotels, car rentals and cruise lines.
Revelex provides services to approximately 5300 clients with close to 2000 consumer websites. Via websites, consumers access the company’s Sybase ASE database for profile info and itinerary data as well as information on a variety of travel services. The system serves as many as 10 million requests every day by approximately one million consumers. Several years ago, as several large clients began to require compliance with the PCI DSS and Sarbanes-Oxley, Revelex began to research options for encrypting its ASE database in order to meet those compliance needs.
"We needed to encrypt credit card as well as all personal consumer information that flows through our system," says Scott Martin, Database Administrator for Revelex. "We were also under a time crunch related to some of our major client contracts. We needed to deploy an encryption solution within three months to meet their requirements on-time and to keep their business."
Revelex analyzed third-party encryption options and also considered encrypting the ASE database through internal coding. The company then took a close look at the ASE Encrypted Column Option. With this option, ASE protects data from both internal and external security breaches. The Encrypted Column Option also provides a combination of regulatory compliance and customer privacy so that firms like Revelex can keep data secure at all times—whether in transit, when accessed, or while at rest.
Sybase Encryption Offers Fast Deployment with Short Learning Curve and Straightforward Implementation
During the evaluation phase, Revelex database programmers tested third-party encryption algorithms and libraries as well as middleware systems. All of these options involved a steep learning curve, and they all required recoding of the application.
During evaluations, it became readily apparent Revelex could use Sybase encryption without having to recode its database application. The Sybase solution was seamless, and programmers did not have to go through a learning curve. "Of all the options we evaluated, Sybase offered the cleanest install and fastest deployment," Martin says. "The ASE Encrypted Column Option was easy to deploy, provided the features we needed within our required time frame, and provided a shallow learning curve. These were critical factors in convincing the IT team as well as company executives and the development teams that Sybase was the way to go. In the end, it turned out to be an easy decision."
The deployment of the ASE Encrypted Column Option also turned out to be easy for Revelex. "We had very little syntax to learn and were able to deploy the option completely on our own," Martin says. "We just relied on the normal customer support channels over the phone and by following the best-practices guide already established by Sybase."
Full PCI Compliance Achieved Within Three Weeks
The ease of the deployment helped Revelex meet its encryption deadline well ahead of time. Full PCI compliance was achieved three weeks after deployment began, and full protection of personal information was achieved within 45 days. The Sybase encryption technology has also streamlined the third-party PCI compliance audits that Revelex must undergo on an annual basis.
"Sybase makes it easy to demonstrate compliance," Martin says. "We simply take the auditor through our various compliance aspects—such as how we store keys in a separate database, how our encryption algorithms work, our separation of duties, and our password-protected roles. Sybase helps us meet all of these standards, and when our auditor, Trustwave, sees that Sybase technology is involved, they know that we are using a reliable technology, which facilitates their acceptance of the results."
In addition to providing compliance with the PCI DSS, the Sybase ASE Encrypted Column Option also allows Revelex to comply with the European Union's Safe Harbor Framework, which ensures personal information from European customers remains safe when transacting business with firms in the United States.
PCI Compliance Positions Revelex for Growth
Obtaining PCI compliance was mandatory for Revelex to sign new contracts with its major clients, and without compliance, expanding the business would have been difficult. "Our customers require PCI compliance, so this was critical in helping our business to continue thriving," Martin says.
PCI compliance is also critical for Revelex customers as it affects their partnerships with major credit card companies. If a firm is not PCI-compliant and suffers a credit card system breach, the repercussions could be significant. A breached business risks termination of their Visa or MasterCard contract, which could put the firm out of business. But if a breach occurs to a firm in compliance with PCI, the business is on safer ground. It would simply mean more frequent or more in-depth audits.
In addition to providing compliance with external standards, the ASE Encrypted Column Option offers Revelex a further benefit through the access controls it provides at the user level. Revelex can deny unauthorized internal users access to specified database tables and can grant decrypt permission on specific columns, establishing column-level permissions. This limits who can access certain types of information and gives Revelex fine-grained control.
"For example, we can prevent certain users from seeing dollar amounts on items we don't want to publicize to the entire company," Martin says. "Someone in customer service can see a cruise itinerary but not what it sold for. This allows us to limit financial information access to only financial staff and senior executives."
This is a key benefit, since the number-one security issue that companies face is an attack through internal access. The ASE encryption keys are controlled by a limited number of people, and because Revelex prevents employees from accessing certain areas, IT can spend less time monitoring users and more time on strategic initiatives.
"We can also give technical support personnel access to the database to solve issues but without giving them access to personal and credit card information," Martin says. "Tech support and customer service can now do their jobs without us putting our security in danger. They can see pertinent data but not data that needs to be restricted."
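The column-level controls described above, as an added example that is not Revelex's or Sybase's own script: ASE SQL that keeps the encryption key in a separate key database, encrypts the card number and sale amount columns, masks them for users without decrypt permission, and grants decrypt only to a password-protected finance role. All database, table, login, role and password names are assumed placeholders.

```sql
-- Separation of duties: a dedicated login administers keys, not the DBAs.
grant role keycustodian_role to key_admin
go

-- Keys live in their own database so they are backed up and
-- access-controlled separately from the application data.
use keydb
go
create encryption key cc_key
    for AES with keylength 256 init_vector random
go

-- Encrypt the sensitive columns in the application database.
-- decrypt_default returns a masked value, instead of an error, to users
-- who can select the row but hold no decrypt permission on the column.
use traveldb
go
create table booking (
    booking_id   int          not null,
    itinerary    varchar(255) null,
    card_number  char(16)     encrypt with keydb.dbo.cc_key
                              decrypt_default '****************',
    sold_amount  money        encrypt with keydb.dbo.cc_key
                              decrypt_default 0
)
go

-- Stop the table owner from implicitly holding decrypt on every column.
sp_configure 'restricted decrypt permission', 1
go

-- Password-protected finance role; plain role for customer service.
create role fin_role with passwd 'FinRolePw1'   -- placeholder password
go
create role cs_role
go

-- Both roles may read bookings; only finance may decrypt card and price.
grant select on booking to cs_role
grant select on booking to fin_role
grant decrypt on booking(card_number, sold_amount) to fin_role
go

-- Customer service sees the itinerary with masked card/amount:
--   set role cs_role on
--   select itinerary, card_number, sold_amount from booking
-- Finance must activate its role with the password before decrypting:
--   set role fin_role with passwd 'FinRolePw1' on
```

sp_configure requires sa_role, and the key is protected by the system encryption password set through sp_encryption, so no per-user key password is needed at query time.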
Lessons Learned When Adding Encryption
For other companies that are considering adding encryption to their database, Martin offers these suggestions:
"Keep the learning curve as short as possible because you will be dealing with new processes and new documentation as you work with auditors to meet the standards. You want to make the actual encryption process as simple as possible so it's best to go with a proven product like ASE Encrypted Column Option. When we tell auditors we are using Sybase encryption, it helps the process because it's already a proven platform."
"Our IT staff’s knowledge of ASE meant we needed very little training on the ASE Encrypted Column Option," Martin adds. "It was a natural fit to an already robust system, so it was an easy sell to our management team. The other solutions would have required significant code changes."
Next Up: In-Memory Database
Another ASE option that Revelex is considering is the ASE In-Memory Databases Option, which equips applications with instant responsiveness and higher throughput. The ASE in-memory database has a zero disk footprint and resides completely in memory. "We have many circumstances where we use session data stores that need to be accessed on a regular basis by multiple machines, and we need that access to occur as fast as possible," Martin says.
Revelex is considering the ASE In-Memory Databases Option for speed, but also to increase reliability. Each day, Revelex receives as many as 10 million database requests from one million consumers for profile information, itinerary data, cruises, hotels, airlines and other travel information. To track which consumer submits each request, the data requested, and when responses are returned, Revelex uses session management and caching of data. The session information tracks which pages a visitor goes to and what information they request, and an identifier is attached so the front-end application can quickly access that data.
"We need to store a lot of consumer data in each session, and this is why we are considering using the ASE In-Memory Databases Option," Martin says. "We don't need to store this type of data permanently, but we need to track every page and the information requested. For example, if a customer requests information on cruises, we may generate 500 options. We want to store this in case they need to filter the data further, and storing the data in the ASE in-memory database will allow faster access to data and improved quality of service for our customers."