Global Bank Secures Data and Meets PCI Compliance Goals

PKWARE's data-centric approach to security helped one of the world's leading financial institutions secure millions of unprotected files before a critical compliance audit. Here's how it happened.

The acquisition and the audit

A large global bank had just completed its acquisition of a payment processing company, and was preparing for a PCI DSS audit of the new business unit’s systems and processes. The bank’s audit and security teams were concerned about the possibility that credit card numbers and other forms of sensitive data had been stored without appropriate protection.

An unsustainable risk

PCI DSS requirements call for credit card information to be encrypted in transit and at rest. The bank could ensure compliance for card data in its structured data environment, but unstructured data was another story.

Internal audits conducted after the acquisition revealed that some employees were storing unencrypted credit card numbers on their computers. However, the bank’s security administrators could not determine how widespread the problem was. They could not gain visibility into the files that were being stored on employee desktops and laptops (and being synced to the cloud) without conducting manual audits on each of the devices—an infeasible undertaking even for one of the world’s largest banks.

If the upcoming PCI audit revealed the presence of unprotected credit card numbers, the failure could lead to a series of negative consequences, including fines, industry sanctions, reputational damage, and disruptions in critical operations.

Automated Data Redaction from PKWARE

The bank needed a solution that could provide visibility into files saved on employee computers, and could protect and remediate data that was being stored inappropriately. Most of the available products provided only one capability or the other, but implementing two new solutions—one to scan data and another to remediate it—would drain resources and increase the risk of an audit failure.

The bank had been using PKWARE solutions for data compression and encryption for years, and began to evaluate PKWARE’s automated data redaction technology. PKWARE was quickly identified as the preferred solution because it combined all of the capabilities the bank required:

  • Continuous scanning of new and modified files to determine whether the files contain credit card numbers.
  • The ability to redact digits from credit card numbers while leaving other file contents unchanged.
  • An automated workflow that requires no manual intervention by administrators or end users.
  • A centralized control panel that allows administrators to define policies, deploy agents, and monitor activity in real time.

The bank’s security administrators deployed PKWARE’s redaction software on 30 employee desktops and laptops as a pilot implementation. The results were alarming: on those 30 computers, PKWARE detected 4,100 files containing more than 74 million credit card numbers between them.

Having determined the severity of its risk, the bank deployed PKWARE’s automated data redaction solution on each of the newly-acquired company’s laptops, desktops, and file servers—more than 3,700 devices in all. PKWARE automatically detected and remediated millions of files containing credit card numbers, eliminating an otherwise unmanageable risk. Shortly after the deployment, the bank achieved 100% compliance on its PCI audit.

Looking ahead

The bank’s IT executives were highly impressed with PKWARE’s ease of deployment and unmatched capabilities. Shortly after deploying PKWARE’s automated data redaction solution within its payment processing business unit, the bank made the decision to expand its installation, deploying the software on hundreds of file servers and more than 250,000 laptops and desktops across the enterprise.

With its automated redaction solution in place, the bank is able to take thousands of devices and millions of files out of scope for its PCI audits, simplifying its compliance efforts and maintaining the security of its customers’ data.

Case Study

Download a PDF version of this case study.

Download PDF

The PKWARE Difference

PKWARE delivers the capabilities your organization needs to take control of sensitive information and apply your data security policies across the enterprise.