One of Thailand’s Largest Banks Implements PCI-Compliant Data Protection on Countrywide Banking Network

The Bank has the largest network of ATMs and branches in Thailand, with nearly 6,000 ATMs and over 1,000 branches throughout the country. It handles the travel, capital accumulation, and home deposit savings of millions of citizens. The Bank’s total assets amount to 2.62 trillion baht (THB), equivalent to approximately 80 billion USD, and in 2014 it had an operating income of 26.9 billion baht, or approximately 826 million USD.

Its history goes back to 1913, when King Vajiravudh (Rama VI) founded a savings office as a part of the Royal Treasury to promote a habit of thrift and savings in Thailand. This savings office continued to grow throughout the decades thereafter and eventually evolved into the Bank it is today. Building on its tradition of offering banking services to the Thai people in order to secure economic growth, the Bank has always made security a top priority.

Quick Facts:

    • One of the largest banks in Thailand achieved PCI compliance by rendering payment card data unreadable
    • Cardholder data discovery tool mapped out sensitive data on a large and complex network
    • Platform-independent solution allowed for easy implementation across both legacy and modern infrastructure

Challenges

The threats to sensitive data are constantly evolving, so financial institutions have to continually adapt their data security strategy to stay ahead of the curve. The main challenge for the Bank was to bring its data security controls up to the PCI DSS standard across a vast network with a complex infrastructure, on a relatively short timeline.

Data Protection and PCI Compliance

The project began in response to a mandate from the Bank of Thailand, the country’s central bank, that all banks in Thailand bring their data security up to par with PCI DSS. The mandate also set a deadline, so the project had to be completed within a relatively short amount of time.

PCI Requirement 3.4 requires that data be rendered unreadable anywhere it is stored. This serves to minimize the chances of a breach and, in the event that a breach does happen, it also minimizes the impact of that breach.

This is a top priority because the Bank has millions of customers who rely on them to keep their data safe.

Implementation in a Large and Complex Network

The Bank uses ACI’s Base24 and Base24 EPS in a hybrid infrastructure for its payment front end, which runs on mission-critical systems from HPE. The two systems use different file formats, which makes data discovery and mapping more complex. Many of the files were exceptionally large, and the log files were not indexed, further complicating the task of data discovery. These factors posed a critical challenge because sensitive data must first be located before it can be pseudonymized and monitored properly.

Additionally, few vendors offer a data protection solution that can easily be implemented on a hybrid infrastructure. Typically, this would require a painstaking process of amending application source code, costing precious time and resources. The Bank needed a solution that could be implemented on the fly without any interruption of services.

“Our project to increase our security for payment card data was a top priority from our management team, who wanted to ensure our payments systems met the mandate by the Bank of Thailand for all banks to be PCI DSS compliant.” – Bank IT Team

Goals of the Bank

  • Achieve PCI compliance
  • Identify and index all sensitive data
  • Protect cardholder data
    • Pseudonymize sensitive data
    • Reduce the impact of data breaches
  • Fulfil PCI compliance requirements of partners and key customers
  • Fulfil technical requirements across the countrywide network
  • Maintain service levels

Solution

The Bank needed an easy-to-implement solution that would map out sensitive data across a large and highly complex network and render that data unreadable, all without affecting service levels.

The Next Level of Data Security

PCI DSS Requirement 3.4 stipulates that PANs must be rendered unreadable anywhere they are stored. To fulfil this requirement, the Bank chose comforte’s Data Protection Suite, SecurDPS. SecurDPS is an enterprise-wide solution that employs stateless tokenization to render sensitive data unreadable and therefore useless to potential hackers.

Tokenization differs from classic encryption in that the type and length of the data stay the same: only the sensitive part of a value is replaced with a non-sensitive substitute, so downstream applications and database fields that expect a PAN-shaped value keep working unchanged. As such, tokenization provides best-in-class data-centric security without the performance pitfalls of encryption. This was a critical distinction given the size of the Bank’s network and transaction volume.

“After careful research and consideration with the help of our partner – DataOne Asia, we selected SecurDPS from comforte to provide the technology to deliver the highest level of data security for our payments processing.” – Bank IT Team

DataOne Asia is a trusted partner of the Bank that provides it with IT consulting and management services. DataOne Asia compared comforte’s offering with those of our competitors and chose comforte because we could provide data protection compatible with the Bank’s large and complex IT landscape.

Data Protection that Snaps Right in

In order to fully comply with the mandate from Thailand’s central bank, the Bank had to achieve PCI compliance within months rather than years. SecurDPS offers transparent integration, meaning it can be deployed on a complex IT infrastructure without any changes to existing applications. This made it possible to secure the data effectively in a fraction of the time and at a fraction of the cost.

Another factor that contributed to the project being completed so quickly was the excellent collaboration between everyone involved:

“DataOne and the comforte team have been excellent partners for us throughout this project. There is a high level of commitment, understanding and trust between the Bank, DataOne, and comforte.” – Bank IT Team

Mapping out Sensitive Data on Mission-Critical Systems

Before sensitive data can be rendered unreadable, it has to be correctly identified and mapped out. The solution included a tool from a comforte partner designed for mission-critical HPE systems that scans the network and detects any unprotected Primary Account Numbers (PANs), utilizing only minimal system resources. Once sensitive data has been discovered and pseudonymized, the tool also has a function to demonstrate that all PANs across a system are protected in accordance with the PCI DSS. This function was key in demonstrating compliance in order to pass audits.

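The two technical points in this case study, discovering PANs in large, unindexed log text (this section) and replacing them with format-preserving tokens (the tokenization paragraph under The Next Level of Data Security), can be shown together in one small script. The following is an added example written for this page; it is not comforte’s code and does not reproduce SecurDPS’s algorithm. The log lines, the demo key and the HMAC-based derivation of the token’s middle digits are constructed for illustration.

```python
# Added illustration (not comforte/SecurDPS code): locate PANs in unindexed
# log text with a Luhn filter, then replace each with a format-preserving,
# stateless pseudonym so that a re-scan finds nothing left to protect.
import hashlib
import hmac
import re

# A PAN is 13 to 19 digits; the lookarounds stop us matching a slice of a
# longer digit run (e.g. a 20-digit trace id).
PAN_CANDIDATE = re.compile(r"(?<!\d)\d{13,19}(?!\d)")

# Constructed key for the demo only; a real deployment keeps this in an HSM
# or key-management service, never in source.
DEMO_KEY = b"constructed-demo-key-not-for-production"

# Constructed transaction log excerpt using publicly known test card numbers.
# The last line carries a 16-digit trace id that is NOT a Luhn-valid PAN.
SAMPLE_LOG = """\
20150612 09:14:03 AUTH term=ATM0412 pan=4111111111111111 amt=1500.00 rc=00
20150612 09:14:09 AUTH term=ATM0412 pan=5555555555554444 amt=320.00 rc=00
20150612 09:15:51 AUTH term=POS1182 pan=378282246310005 amt=89.50 rc=05
20150612 09:16:02 INFO trace=1234567890123456 batch=20150612 status=ok
"""


def luhn_valid(digits: str) -> bool:
    """Luhn (mod 10) check digit test used by every payment card brand."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_pans(text: str) -> list[str]:
    """Discovery step: digit runs of PAN length that also pass Luhn."""
    return [m.group(0) for m in PAN_CANDIDATE.finditer(text)
            if luhn_valid(m.group(0))]


def tokenize_pan(pan: str, key: bytes, keep_head: int = 6, keep_tail: int = 4) -> str:
    """Stateless, format-preserving pseudonym for one PAN.

    The token has the same length and character class as the PAN and keeps
    the leading six and trailing four digits, so applications that parse or
    route on those fields keep working. The middle digits are derived with an
    HMAC: the same PAN always yields the same token without any vault, and
    nobody without the key can recover the PAN. Commercial products also offer
    authorised de-tokenization; this demo derivation is one-way.
    """
    middle_len = len(pan) - keep_head - keep_tail
    if middle_len < 1:
        raise ValueError("PAN too short to tokenize with these keep lengths")
    mac = hmac.new(key, pan.encode(), hashlib.sha256).digest()
    middle = str(int.from_bytes(mac, "big"))[-middle_len:]
    token = pan[:keep_head] + middle + pan[-keep_tail:]
    if luhn_valid(token):
        # Luhn detects every single-digit change, so bumping one middle digit
        # guarantees the token fails the check: it can never be mistaken for a
        # live PAN, and a discovery re-scan will not flag it.
        pos = keep_head + middle_len - 1
        token = token[:pos] + str((int(token[pos]) + 1) % 10) + token[pos + 1:]
    return token


def protect_log(text: str, key: bytes) -> str:
    """Replace every Luhn-valid PAN in the text with its token, in place."""
    def repl(m: re.Match) -> str:
        pan = m.group(0)
        return tokenize_pan(pan, key) if luhn_valid(pan) else pan
    return PAN_CANDIDATE.sub(repl, text)


if __name__ == "__main__":
    found = find_pans(SAMPLE_LOG)
    print(f"unprotected PANs found: {len(found)}")
    protected = protect_log(SAMPLE_LOG, DEMO_KEY)
    print(protected)
    # Compliance evidence: the same scan over the protected log finds nothing.
    print(f"PANs remaining after protection: {len(find_pans(protected))}")
```

The Luhn filter is what keeps a scan of unindexed logs usable: timestamps, amounts and trace ids produce many digit runs, and only those that carry a valid check digit are reported. Tokens are deliberately forced to fail the same check, which is why the second `find_pans` pass over the protected text can serve as evidence that no cleartext PAN remains. This script only handles plain text; discovery on Base24 record layouts and other binary formats needs a parser for each format, which is the part the page’s partner tool supplies.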

Benefits

The Bank accomplished every goal they set out to achieve. The project was completed on schedule and on budget thanks to the transparent integration, excellent communication, and dedicated support from our team.

“Overall, we are very satisfied with the support, effort, and solutions from comforte. As the software vendor and developer of SecurDPS, comforte brings a high level of expertise and project management skill. Our team is confident in our ability to safeguard our customers’ payment card data as a result of this project.” – Bank IT Team

The Bank is now PCI compliant and recently passed an audit from Thailand’s Central Bank. Their platform-independent tokenization solution satisfied PCI Requirement 3.4 by rendering sensitive data unreadable anywhere it is stored. This also means their millions of customers can rest assured that their payment card information is safe.

Since the initial implementation of SecurDPS, comforte has continued to support the Bank in its mission to secure customer data, providing additional capabilities and support to fulfil new requirements.


Author

Thomas Gloerfeld

Thomas Gloerfeld is Director of Partner Development & Marketing NonStop Solutions at comforte and has been associated with the NonStop community for 25 years. Before joining comforte, he held various management positions at ACI Worldwide in Germany and the UK. In his role at comforte he closely monitors topics such as data security, risk and compliance.
