RewardsNOW enjoys PCI DSS Compliance with Vormetric Encryption
Founded in 1997, RewardsNOW offers fully turnkey, enterprise-wide loyalty programs (also known as relationship rewards programs) for hundreds of financial institutions. Listed on the INC. 5000 "fastest growing companies" for five successive years, it has a proven record of helping credit unions and community, regional and national banks deliver individualized programs that reward their customers and members.
Now over $15 million in revenue, the company has recently expanded into additional industry verticals, such as retail, associations and membership organizations, health-related businesses and other organizations outside the financial industry, helping them attract, retain and grow their customer bases. The company also launched a merchant-funded shopping network, ShoppingFLING, that adds value as part of a rewards program and has also been implemented as a standalone product. To build a tailored program of reward discounts or other special offers that encourages continued loyalty, RewardsNOW has to assemble a detailed profile of the engagement patterns of each client's customers.
Richard Tremblay, Security Officer for RewardsNOW, explained, "We receive full data feeds of customers' debit and credit card transactions to comb through – using business rules that have been jointly defined – to create customized programs that will actively incent further participation."
The volume of transactional data needed to construct a comprehensive understanding of each client's business environment can be enormous, and it always requires careful and diligent handling. Tremblay elaborated, "As we receive credit and debit card information we have to make sure that it is stored securely and in complete compliance with the Payment Card Industry Data Security Standard (PCI DSS)." Paul Butler, RewardsNOW's Database Development Team Leader, noted, "While we don't actually process credit card transactions, it's our storing of the sensitive data that makes it essential to ensure the security of the data and to conform to the PCI DSS standards."
A key component of complying with the PCI DSS is the protection of cardholder information. “We wanted encryption for our file transfer protocol (FTP) server from the point we receive customer feeds, as well as other servers that needed protection,” stated Butler. “In addition, we were always concerned with the overhead imposed by key management activities and therefore wanted to streamline this function.”
Tremblay added, “Prior to the first audit we worked with our Qualified Security Assessor (QSA) to do a preliminary review to prepare us for attaining PCI Level 1 certification. Even though the SQL Server database had built-in encryption, the QSA advised us that it did not satisfy the PCI Council’s criteria for data encryption at either the database or operating system levels.”
“We did a lot of research to find the right tools that could deliver the levels of encryption and functionality we required with a goal to select best-of-breed components,” recalled Butler.
Tremblay noted, “Doing due diligence, we looked at a variety of options, including open source tools, to identify possible solutions. We found nothing suitable in open source, but among vendor solutions our investigations showed Vormetric Data Security satisfied all of our requirements – and more!”
Vormetric provides a proven data security solution to enable rapid compliance with multiple aspects of PCI DSS. Vormetric Data Security delivers industry-leading data encryption and key management capabilities without the need to modify existing infrastructure components. High performance encryption methods ensure negligible impact on transaction throughput and a sophisticated Web-based management console minimizes incremental operational overhead.
“While many companies go through a proof of concept with new security solutions, we were sufficiently confident to just bring in the Vormetric appliances,” said Butler. “A Vormetric consultant arrived onsite and helped set up the environment. The deployment experience was awesome and totally painless! The consultant walked us through device configuration using the Web-based portal to define encryption rules and mount points. We did the FTP server first and it worked perfectly right from the get-go.”
RewardsNOW’s production data center is hosted by a company based in the southwest U.S. Encryption was set up to cover the core Windows-based SQL Server database cluster. “We configured guard points on all nodes of the SQL Server configuration because we run an active-active cluster and wanted to protect the database files, logs, backups and also the file shares that hang off the cluster,” stated Tremblay.
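The deployment described above relies on every database file, log, backup and file share actually sitting under a guard point; a file that lands in a sibling directory is stored in cleartext with no error to tell you so. The following checker is an added example written for this article, not RewardsNOW's or Vormetric's code. It assumes hypothetical guard-point directories and a constructed sample of paths of the kind returned on each cluster node by `SELECT DB_NAME(database_id), physical_name FROM sys.master_files`, and reports every path no guard point covers.

```python
"""Audit that SQL Server data, log, backup and share paths all sit under an
encryption guard point (a directory protected by a transparent file-level
encryption agent). Hypothetical checker for this article; it is not
RewardsNOW's or Vormetric's code."""
from pathlib import PureWindowsPath
from typing import Optional

# Assumed guard points for a two-node active-active cluster. Both nodes
# mount the same shared volumes, so one list serves both. Constructed paths.
GUARD_POINTS = [
    r"E:\SQLData",
    r"F:\SQLLogs",
    r"G:\Backups",
    r"\\SQLCLUSTER\Reports",
]

# Constructed sample: physical_name values from sys.master_files on one node,
# plus backup and file-share paths gathered separately.
SAMPLE_PATHS = [
    r"E:\SQLData\Rewards.mdf",
    r"f:\sqllogs\Rewards_log.ldf",            # case differs; NTFS ignores case
    r"E:\SQLData2\Staging.mdf",               # sibling directory, NOT a child
    r"C:\Program Files\Microsoft SQL Server\MSSQL\DATA\tempdb.mdf",
    r"G:\Backups\Rewards_full.bak",
    r"\\SQLCLUSTER\Reports\2009\statements.csv",
    r"\\SQLCLUSTER\Exports\feed.csv",
]


def _norm_parts(path: str) -> tuple:
    # Split into components and casefold each one. Comparing components
    # rather than string prefixes keeps E:\SQLData2 from being mistaken for
    # a child of E:\SQLData, and casefolding matches NTFS semantics.
    return tuple(part.casefold() for part in PureWindowsPath(path).parts)


def guard_point_for(path: str, guard_points=GUARD_POINTS) -> Optional[str]:
    """Return the guard point that covers `path`, or None if it is unprotected."""
    p = _norm_parts(path)
    for gp in guard_points:
        g = _norm_parts(gp)
        # Strictly inside the guard point: same leading components, deeper path.
        if len(p) > len(g) and p[: len(g)] == g:
            return gp
    return None


def unprotected(paths, guard_points=GUARD_POINTS) -> list:
    """Paths that no guard point covers; these would be written in cleartext."""
    return [p for p in paths if guard_point_for(p, guard_points) is None]


if __name__ == "__main__":
    for path in SAMPLE_PATHS:
        print(f"{guard_point_for(path) or 'UNPROTECTED':<24} {path}")
```

Run it against the `physical_name` list from each node of the cluster, plus the backup and share paths your jobs write to; anything printed as `UNPROTECTED` either needs a guard point or a documented reason it holds no cardholder data. The check speaks only to coverage of encryption at rest; which processes and users the agent's policy lets read through a guard point is a separate question.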
PCI DSS requires periodic rotation of the keys used to encrypt stored cardholder data; the version in force when this program was certified called for rotation at least once a year, and later versions tie rotation to a defined cryptoperiod for each key. "We had a Vormetric support technician on the phone and he walked us through the key rotation process; it was quick and totally straightforward," said Butler.
"This was a huge accomplishment because we didn't have to rekey each individual guard point. It was a ten minute exercise at most!" reflected Tremblay.
Most importantly, RewardsNOW achieved its goal of being PCI DSS Level 1 compliant on schedule. “The Vormetric implementation was so fast and smooth it allowed us to focus on other areas that needed to be addressed to meet the regulations in the tight timeframe,” remarked Butler.
Flexibility for Future Growth
In addition to the current server cluster, the company is evaluating a secondary disaster-recovery site on the east coast. "The Vormetric solution can handle a geographically dispersed active-passive cluster configuration just as well as it protects our current configuration," stated Butler, "and we really appreciate the flexibility that this provides."
Tremblay concurred, “To be able to have a transparent solution that can flexibly accommodate any infrastructure configuration as we continue to grow is very valuable to us, and will obviously save us capital expenditure in the future.”
He concluded, “We are a modest IT organization in a rapidly growing company so we look for partners that can deliver reliable products that work as described, provide support when we need it, and accommodate our growth: Vormetric does exactly all of this.”