To meet mandates, a U.K. finance company needed a solution to aggregate data from disparate components, reports Greg Masters.
With the holiday season ended, there’s no doubt that retailers and online merchants were put to the test processing customer purchases.
While cash registers rang up store purchases, and home users ordered gifts online, nefarious criminals too were getting in on the bustling shopping season activity to prey on the digital transmissions from home computers or in-store point-of-sale terminals.
As evidenced by massive breaches of customer data – including intrusions into the databases of TJX, parent of TJMaxx, and payment processors Heartland Payment Systems and RBS WorldPay, to mention just a few – miscreants have been mining the personally identifiable information (PII) of consumers conducting financial transactions and successfully stealing millions of card records to use for their own purchases or selling the information in profitable, albeit illegal, online forums.
Nowhere are precautionary measures to thwart these attempts taken so seriously as at banks and financial institutions, where laws and industry guidelines dictate measures that must be taken to protect PII, says Andrew Bover (left), head of information communication technology at finance company 1st Credit, headquartered in Reigate, Surrey in the U.K.
1st Credit is a leading U.K. debt collection agency responsible for managing more than $8 billion in outstanding consumer debt. It manages the debt portfolios, third-party collections and ledger management for some of the U.K.’s leading banks, credit card companies, retailers, utility suppliers and telecom companies – who they buy or service debt from – and the millions of customers whose credit history they are helping to repair.
The company operates a call center as part of its debt-collection operation, which handles online payment from debtors. As such, it is governed by the Payment Card Industry Data Security Standard (PCI DSS), which are rules for payment card data security management, policies, procedures, network architecture and software design.
It is a highly regulated business, says Bover. 1st Credit had previously achieved compliance standards using multiple point solutions for different aspects of its information security, and each of these “did its own thing,” he says, but aggregating the information from each point to attain a complete picture at any one time was difficult.
“It wasn’t just the cost of paying for individual products that had an impact on our business,” he says. “It was the overall total cost of ownership as a result of us having to manage different solutions and keep on top of the reporting requirements.”
With a proven track record in achieving compliance standards – the 200-employee company has won several awards (see sidebar below) and touts its achievement in this area as a critical business differentiator. Reaching this level was a bit of a challenge. Bover, and his 13-person IT staff, needed to aggregate all the disparate information security data being assembled from a number of components to help the company demonstrate its compliance posture. “This demanded a sensible solution that would give us all our core information security functionality in one place,” he says. “But that was easier said than done.”
The search begins
Bover and his team began looking for a solution, as clients expect the firm to demonstrate a level of compliance with standards, such as PCI DSS, the Data Protection Act, a U.K. law instituted in 1998 which is the primary legislation governing the protection of personal data in the nation, and ISO 27001, a standard that formally specifies that a management system charged be in place to bring information security under explicit control. “We’re taking payment from people who were, or still are, their customers and, understandably, they need our assurance that we won’t put their brands at risk,” says Bover.
The team looked at a wide variety of solutions and found that while most of them were fit for the purpose, they were all fairly disparate solutions and would have required a fair bit of work to integrate all the necessary elements, he says.
“I had been looking around for some time before I discovered the right solution,” says Bover. And, the choice was the SureCloud Collaborative Compliance Platform. “It was the only tool we could find capable of aggregating all our compliance data. It was the obvious choice for us,” he says.
The offering is the only software-as-a-service solution that automates and simplifies the entire security management and information compliance process, says Richard Hibbert (left), CEO at SureCloud, a Reading, U.K.-based company that provides software-as-a-service solutions to help achieve compliance. The tool contains four component modules: vulnerability scanning, security information and event management (SIEM), wireless intrusion detection (IDS) and configuration auditing. “These promote continual security improvement,” says Hibbert. “Taking them all together (or individually, if required), SureCloud will assess and monitor networks, applications and wireless local area networks (WLANs), automate key governance, risk management and compliance (GRC) processes and provide actionable intelligence. It all adds up to a simple, cost-effective approach to helping organizations stay one step ahead when fulfilling their ongoing security and compliance obligations.”
SureCloud takes a holistic approach in contrast to competing solutions that only provide a partial view of an organization’s security status, Hibbert adds. It provides software-as-a-service solutions that allow mid-market firms with regulatory obligations to benefit from major savings through automated information security management and simplification of the governance process, he says. “A typical SureCloud customer has a requirement for information security programs, has limited in-house IT security and lacks the budget needed for a traditional enterprise compliance solution.”
At 1st Credit (left), for example, the SureCloud solution includes management of vulnerabilities, logs and the company’s WLAN, as well as penetration testing services. Being a SaaS platform, the central platform is updated once and all customers benefit, Hibbert says.
Deployment across the entire company was seamless, says 1st Credit’s Bover, adding that to date, he has had no issues with the product.
Further, management and operation are easy, he says. “It’s an appliance that sits in our rack and does exactly what it was set up to do. Reporting and management are done via an easy-to-use web interface with the ability to export data and reports into Excel or PDF for reporting or producing work instructions.”
The ability to aggregate data and provide increased visibility across point solutions is just one of a number of benefits accruing from SureCloud’s Collaborative Compliance Platform, Bover says. 1st Credit has also gained reduced total cost of ownership (TCO) with multiple point solutions in a single platform, a clear user interface with easy access to information, high-quality penetration testing services, and highly responsive customer support from SureCloud, he says.
A complete picture
And, the tool has delivered. In November, for the third year running 1st Credit received the Compliance Team of the Year award at the prestigious Debt Collection Awards, held in Manchester, U.K. “In order to achieve this we had to demonstrate a culture of compliance throughout every aspect of our business, and SureCloud really assisted with this from an IT perspective,” says Bover. “It gives us a complete picture of our information security and PCI DSS posture at any one moment in time via a single platform.”
He says that when using the tool his team can drill down into the information as required, making it easy to identify any potential vulnerabilities so as to quickly resolve them with the service desk. “In effect, we have gained a PCI DSS reporting dashboard that not only assists in maintaining compliance, but also makes it demonstrable.”
1st Credit is currently working with SureCloud on expanding the compliance portal to include third-party vendor management as it works toward ISO 27001. This will save the IT team a considerable amount of time in ensuring the compliance status of third-party vendors that it uses, and allow the limited time available during site audits to be focused on areas of concern as opposed to data gathering, says Bover.
In mid-November at the Palace Hotel in Manchester, U.K., 1st Credit achieved an unprecedented first for the industry. The finance company was announced winner of the ‘Compliance Team of the Year’ award for the third year running at the Debt Collection Awards, produced by Credit Today, an online portal for trade credit professionals.
“It is great to be recognized by the industry for the hard work and dedication of the 1st Credit employees,” said Eddie Nott, CEO for 1st Credit. “The compliance team deserves huge congratulations. This is a very proud day for all at 1st Credit.”
Compliance is at the heart of all policies and procedures at 1st Credit, he added, and the firm continues to enhance and develop existing compliance strategies and to introduce new initiatives throughout the company – both for the benefit of the business and its customers.
“We are extremely proud of this magnificent accolade,” said Bob Kingdon, head of compliance for 1st Credit. “To win the award for a third year is fantastic. At 1st Credit, we are committed to driving best practice both within our own business and across the industry, and will continue to do so.”
PCI DSS: 12 requirements
Build and maintain a secure network
1: Install and maintain a firewall configuration to protect cardholder data.
2: Do not use vendor-supplied defaults for system passwords and other security parameters.
Protect cardholder data
3: Protect stored cardholder data.
4: Encrypt transmission of cardholder data across open, public networks.
Maintain a vulnerability management program
5: Use and regularly update anti-virus software.
6: Develop and maintain secure systems and applications.
Implement strong access control measures
7: Restrict access to cardholder data by business need-to-know.
8: Assign a unique ID to each person with computer access.
9: Restrict physical access to cardholder data.
Regularly monitor and test networks
10: Track and monitor all access to network resources and cardholder data.
11: Regularly test security systems and processes.
Maintain an information security policy
12: Maintain a policy that addresses information security.
Source: NDB Advisory