RSIEH (Law Firm) achieves PCI DSS compliance with the help of Vormetric
Rausch, Sturm, Israel, Enerson & Hornik, LLC (RSIEH) is a debt collection law firm headquartered in Wisconsin with offices in 13 states and a nationwide network of firms for clients seeking additional coverage. In service of premier multi-state law firms, RSIEH operates facilities with state-of-the-art data management, software, imaging, call center and analytics.
RSIEH operations include the collection of credit card information and cardholder data. RSIEH needed to achieve compliance with the Payment Card Industry’s Data Security Standard (PCI DSS). Lawyers and staff regularly receive and process documents containing credit card holder data affected by PCI DSS, and consequently clients required RSIEH to get certified for PCI DSS.
Rick Olejnik, RSIEH’s Chief Information Security Officer (CISO), commented that, “In the legal collection industry, PCI is a requirement getting applied to firms, and we needed to encrypt data at rest to get the PCI certification.”
PCI DSS Requirement 3 is to “protect stored cardholder data” as part of ongoing operations.
RSIEH collects sensitive information in several locations with the largest repository being the Commercial Legal Software (CLS) Collection-Master application, a commercial off-the-shelf application that provides a critical element for RSIEH’s business operations. CLS Collection-Master processes a variety of documents and information involved in the debt-collection process, much of which contains sensitive cardholder information, and it does not have integrated data security functionality. PCI DSS required securing the volumes of images containing cardholder data used by CLS Collection-Master.
RSIEH needed a solution that could secure both structured database information and unstructured image files used by the CLS Collection-Master application. RSIEH researched various options and had initially attempted to use open source TrueCrypt volume encryption software, but found that the offering broke IT operations processes including backup and vaulting.
RSIEH researched the market and commissioned an outside resource that located Vormetric Data Security as an option to encrypt both structured and unstructured data. RSIEH needed to protect Windows Server 2008 R2 servers running in a VMware virtual environment with data residing in a Storage Area Network (SAN). While the CLS Collection-Master information was unstructured flat-file information, other servers requiring security included SQL Server 2008 R2 and SQL Report Server.
RSIEH’s CISO Olejnik observed that, “We brought [Vormetric] in, tested it, threw everything at it to see if anything broke. We threw SQL, flat files and a variety of other workloads at it, but have not found a real problem or noticed any system slowdown.”
RSIEH was able to obtain their PCI DSS certification and currently has Vormetric Data Security protecting both structured and unstructured data. This PCI DSS certification is a milestone as RSIEH works to obtain ISO 27001 certification in the near future.
Vormetric Data Security
Vormetric provides a proven approach to securing data affected by PCI DSS. Vormetric Data Security can be quickly deployed to encrypt data without changes to applications, databases or the underlying hardware infrastructure. Utilizing high performance encryption, this transparent approach enables enterprises to meet data governance requirements with a rigorous separation of duties without changing the application performance characteristics.