Tier 1 Retailer Solves Encryption Headache with 2Encrypt
The Challenge: In the wake of stricter PCI Compliance standards, Tier 1 retailer “RetailMart Corp.”* needed a method of securing cardholder data throughout its operations. The company had acquired an array of sensitive data over the years, including customer information databases, credit card holder data and custom financial reports.
Potential Solutions: RetailMart had a choice between upgrading its legacy POS system and implementing 2Encrypt.
The Decision-Making Factors: In deciding which option to choose, RetailMart took into account a number of factors, including:
- The cost of the solution
- How long it would take to implement
- Whether it would protect all of the company’s sensitive data
Assessing the situation: RetailMart determined that upgrading their legacy POS software was likely to cost $1,000,000, while the 2Encrypt option came in at about $300,000. The difference, while significant, wasn’t enough to discourage RetailMart from the store systems upgrade. When the company factored in the length of time it would take to implement both solutions, the decision was clearly in favor of 2Encrypt.
Why? Because the new version of their store systems would touch every aspect of the business. This would have required extensive testing to determine the impact on all store systems. Also, downstream systems such as Settlement, Sales Audit, Loss Prevention and ERP would have been affected.
The upgrade would need to be rolled out slowly, first by piloting it in a few stores and then moving it out to small store groups, to ensure there would be no adverse impact on store operations. RetailMart estimated that the whole process would take 18 months or more, during which time its IT department would be tied up with the implementation. The company did not want to pull people and resources away from other projects that had the potential to add value to the business. “It’s a security enhancement,” says Rick Williamson, Managing Partner of Red Iron Technologies. “It doesn’t actually move your business ahead and there’s a huge opportunity cost.”
By contrast, 2Encrypt was designed solely to meet PCI Compliance standards governing encryption and key management. It concerned itself solely with ensuring that sensitive data would not be compromised. Says Williamson: “2Encrypt doesn’t touch the core software program so you don’t have to test it quite so extensively to ensure it doesn’t affect payment and settlement.” Instead, 2Encrypt could be quickly tested in the lab, much the same way that an antivirus software application would be tested, and then rolled out rapidly in a period of a few weeks. RetailMart would be able to allocate scarce IT resources to other projects.
Cost and time factors aside, RetailMart wanted to ensure that the solution it chose would provide end-to-end protection for all of its sensitive data. The company discovered that, like most vendor-supplied solutions, the POS software upgrade would only protect data generated within the POS system. The problem for RetailMart lay in the fact that over the years it had developed many customized reports and other applications that didn’t fall under the POS application umbrella. That information would be vulnerable. 2Encrypt had the advantage of enabling RetailMart to specify up front exactly which information it wanted encrypted.
Given 2Encrypt’s ability to meet all its needs with a minimal investment of time and money and a high degree of security, RetailMart opted for implementation of that solution.
Delivering the Solution: RetailMart had already done an in-depth assessment to determine which data should be subject to encryption. The first step in implementing the solution was to work with Red Iron Technologies to come up with a configuration file containing a list of applications, along with the data that each application would have access to. The process took approximately three days.
Once the data configuration file was complete, 2Encrypt was ready for testing in the lab. RetailMart already had a firewall in place and had come up with a series of guidelines to ensure that the company met the other PCI compliance standards for handling customer data, such as network and physical premise requirements. Now the company was concerned with determining whether 2Encrypt fulfilled three specific functions: protecting stored cardholder data, protecting encryption keys, and encrypting data for transmission from retail stores to head office and back. The result: After two weeks of testing, 2Encrypt was released to all of RetailMart’s stores.
Return on investment:
- An independent security audit confirmed that RetailMart is now meeting all of the requirements of the PCI Data Security Standard.
- RetailMart’s data encryption takes place seamlessly and transparently. In fact, the cashiers who make up the system’s end users have commented on the fact that there has been no slowing of POS applications such as credit card authorization.
- RetailMart estimates it has achieved cost savings of $500,000 to $1 million by opting for 2Encrypt’s solution over upgrades to existing legacy software.
- Because the implementation went smoothly and quickly, RetailMart was able to allocate scarce IT resources to other areas that will add value to the business.






