How Alagasco Integrated A Best Practices Sensitive Data and PII Security Solution to Achieve Success In The Cloud
Pawan Racha, Sr. SAP Security Engineer, Alagasco
Eric Bushman, VP Solutions Engineering, Paymetric, Inc.
SESSION CODE: BT1666

AGENDA
About Alagasco
About Paymetric
Challenges Alagasco faced when protecting PII
Solution chosen and why
Description of project
Lessons learned
Value received
Questions/Wrap up
ABOUT ALAGASCO
Headquartered in Birmingham, Alabama
Largest natural gas distributor in Alabama
Serves 425,00 customers
The Laclede Group, Inc. (NYSE: LG), headquartered in St. Louis, Missouri, is a public utility holding company whose primary business is the safe and reliable delivery of natural gas service to more than 1.5 million residential, commercial, and industrial customers across Missouri and Alabama. Its Gas Utility segment consists of three natural gas utilities: Laclede Gas (serving St. Louis and eastern Missouri), Missouri Gas Energy (serving Kansas City and western Missouri) and Alabama Gas Corporation (serving more than 200 Alabama communities including Birmingham and Montgomery).
ABOUT PAYMETRIC
TIME FOR CHANGE
Current data breach statistics:
The average cost of a data breach in 2014 was $201 per record
Average customer churn increased 15% in 2014 following a breach
44% of data breaches in 2014 were the result of malicious or criminal attacks
According to the Ponemon Institute 2014 Cost of a Data Breach Study, all organizations have a 1 in 5 chance of experiencing a data breach in the next 24 months.
The good news is that analyst studies have shown that users of data tokenization experience up to 50% fewer security-related incidents (Internet Retailer Magazine).
Source: Ponemon Institute Cost of a Data Breach Study 2014
CHALLENGES FACED
Realization that sensitive data was being exposed on computers and in systems throughout the company, and it was time for change
Alagasco needed to protect sensitive data such as bank account numbers, SSNs, Tax ID numbers, Driver's License numbers, and Supplemental Social Security Numbers
Identify who needs access to personally identifiable information (PII)
While tokenizing, non-standard fields came back as errors
Developers worked with Paymetric on a flexible token format: FlexTokens
The need for data protection across all systems (HR, CCS, CRM, ECC) required extensive testing
Data was growing in an ever-expanding SAP footprint
SOLUTION CHOSEN AND WHY
Evaluated solutions for masking data versus tokenizing data
Aha moment: masked data STILL LIVES IN YOUR SYSTEM
A tokenization solution was decided upon as we evaluated providers
Paymetric was chosen because it met every point on our PCI compliance checklist and because the data was truly not touching our system at all
Very professional and very descriptive of the processes discussed
The niche for providing the full service we needed, not just for securing PII data but for the payment services we need as well
Putting a partner in the mix deters the bad guy
External risks to prevent against: risk of breach, risk of data exposed to staff members. Protecting against adversaries but also protecting our employees.
Takes any questions and ambiguity out of the mix
SOLUTION CHOSEN AND WHY
THE STANDARD IN SECURE PAYMENT ACCEPTANCE
SOLUTION CHOSEN AND WHY
Easily scale your tokenization strategy to protect any type of sensitive data, drastically reducing your chance of exposing sensitive data during a breach
Protect bank account numbers, SSNs, Driver's License numbers, and other employee or customer data
Maintain the identity of the data element and preserve the suffix of the PII data for identity matching
Increase security and protect your organization
Key FlexToken features:
Definable token format based on system requirements
Eliminates the need to make customizations to any systems
Token must be distinguishable from the data it represents
DESCRIPTION OF PROJECT
Business meeting to review different business processes among departments
PII data set confirmed for the data feeds needed: bank account, SSN, Tax ID, Driver's License, Social Insurance Number, Supplemental Social Security Number
Once the process was identified, determine the interfaces with third parties (banks, social security office, etc.)
Data cleansing to ensure that the values being tokenized were valid
Tokenized all historical PII data in interface files along with the Data Warehouse and Business Warehouse
Tokenized 13 million records
Because the tokenization implementation had multiple phases, the PII project was expedited; start to finish, implementation took about 6 months
DESCRIPTION OF PROJECT
Relatively short time to implement
Different phases with credit card processing, redesign of the customer portal and IVR
Tokenization of PII data was phase II of the project
Step 1: Cleanse the data
Step 2: Harmonize the data
First realization: a standard token was not going to work for the same field holding multiple PII data types, so a flexible token format (FlexToken) was developed
Second realization: tokenization concerns around interfaces with debt collection software. We were able to interface the required PII data to assist in debt collection efforts while maintaining the integrity of the tokenized data within the system.
LESSONS LEARNED
Audit takes comfort in the fact that PII data no longer exists in our environment in its raw form
A flexible token format is required
Masked data still lives in your SAP environment; tokenization is critical
Make sure all groups are included in the design but also in testing, start to finish, looking at processes and how they are impacted
Tokenized values take management effort away from production copies
Add a step to those processes: export data, secure file transfer, detokenize the data, then remove it from the system afterwards and store it with tokenized values
Agencies were still using FULL numbers at the Social Security Administration, so develop a step to send them detokenized data in a secure way without compromising your SAP system
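The three FlexToken properties on the "Solution chosen and why" slide (definable format per PII type, preserved suffix for identity matching, token distinguishable from real data), the "same field, multiple PII types" realization above, and the controlled detokenize-for-export step in the lessons learned are easiest to see in working code. The following is an added illustration written for this page; it is not Paymetric's or Alagasco's code, and the names TokenFormat, TokenVault, the leading marker characters, the field formats and the approved purpose list are all assumptions constructed for the example. The vault is an in-memory dictionary here; in the hosted design described on the slides the vault and the plaintext live outside the SAP system and only tokens come back.

```python
import re
import secrets
import string
from dataclasses import dataclass


@dataclass(frozen=True)
class TokenFormat:
    """One definable token layout for a PII type (constructed for this example)."""
    name: str
    plaintext_pattern: str   # which real values this format accepts (full match)
    alphabet: str            # characters the random part of the token may use
    marker: str              # leading sentinel that real values in this field never carry
    keep_suffix: int         # trailing characters preserved for identity matching


# Constructed sample formats. Choosing the marker is the deployment's job: it must be a
# prefix genuine values cannot have. The SSA does not issue SSNs in the 9xx area, so a
# leading 9 works for SSN; the bank-account and licence markers are assumptions.
FORMATS = (
    TokenFormat("ssn", r"\d{9}", string.digits, "9", 4),
    TokenFormat("bank_account", r"\d{10,17}", string.digits, "000", 4),
    TokenFormat("drivers_license", r"[A-Z0-9]{7,12}",
                string.ascii_uppercase + string.digits, "T", 4),
)


class TokenVault:
    """In-memory stand-in for an external token vault (assumed design, not a product API)."""

    def __init__(self, formats=FORMATS):
        self.formats = {f.name: f for f in formats}
        self._token_of = {}   # (pii_type, plaintext) -> token
        self._plain_of = {}   # token -> (pii_type, plaintext)
        self.audit = []       # every detokenization, kept for review

    def classify(self, value, pii_type=None):
        """Decide ('token' | 'plaintext', format) from the format rules alone.

        A token has the same length and character class as the value it replaced
        (so it fits the existing field), so the marker is what tells them apart.
        """
        candidates = [self.formats[pii_type]] if pii_type else self.formats.values()
        for fmt in candidates:
            if re.fullmatch(fmt.plaintext_pattern, value):
                kind = "token" if value.startswith(fmt.marker) else "plaintext"
                return kind, fmt
        raise ValueError(f"no token format accepts {value!r}")

    def tokenize(self, value, pii_type=None):
        """Return a token for value; the same value always maps to the same token."""
        kind, fmt = self.classify(value, pii_type)
        if kind == "token":
            raise ValueError("value already carries a token marker; refusing to re-tokenize")
        key = (fmt.name, value)
        if key in self._token_of:
            return self._token_of[key]
        suffix = value[-fmt.keep_suffix:]
        random_len = len(value) - len(fmt.marker) - fmt.keep_suffix
        if random_len < 2:
            raise ValueError(f"{fmt.name}: value too short to hold a distinct token")
        # Random middle, bounded retries: the space per suffix is small for short fields
        # (a 9-digit SSN leaves only four random digits), so exhaustion must fail loudly.
        for _ in range(1000):
            body = "".join(secrets.choice(fmt.alphabet) for _ in range(random_len))
            token = fmt.marker + body + suffix
            if token not in self._plain_of:
                break
        else:
            raise RuntimeError(f"{fmt.name}: token space for suffix {suffix} is exhausted")
        self._token_of[key] = token
        self._plain_of[token] = (fmt.name, value)
        return token

    def detokenize(self, token, purpose, approved_purposes=("agency_export",)):
        """Controlled reverse lookup for the export-to-agency step; every call is audited."""
        if purpose not in approved_purposes:
            raise PermissionError(f"detokenization not approved for purpose {purpose!r}")
        pii_type, value = self._plain_of[token]
        self.audit.append((token, pii_type, purpose))
        return value


if __name__ == "__main__":
    vault = TokenVault()
    ssn_token = vault.tokenize("123456789")            # constructed sample value
    acct_token = vault.tokenize("1234567890123")       # constructed sample value
    dl_token = vault.tokenize("A123456789", "drivers_license")
    print(ssn_token, acct_token, dl_token)
    print(vault.detokenize(ssn_token, "agency_export"), vault.audit)
```

The suffix survives in the token, so downstream matching on the last four characters keeps working without detokenizing, and because the token occupies the same length and character class as the original, the SAP field needs no change. The distinguishability check is deliberately rule-based rather than a vault lookup, so any system holding the field can tell whether it is looking at a token before deciding what it is allowed to do with the value.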
VALUE RECEIVED
A lot of value in transferring your company's risk to a company that is fully focused on secure data; it's their livelihood
Limited resources to handle this critical process
Data breaches are in the news multiple times a day
Need to focus on the core business, which is serving customers, not protecting this kind of data from the bad guys
Cost savings from bringing credit card processing in-house and providing PII protection
Flexibility given to our team and to our customers
Customer satisfaction
Peace of mind

WHAT'S NEXT
More business divisions on SAP, so volume will increase
XiIntercept for E-Commerce
XiRecon aggregates reporting from three or more separate systems into a consolidated and automated reporting tool
Remove Systems from Your Cardholder Data Environment (CDE)
Automated Reconciliation Reporting within SAP
Seamlessly consolidate your credit card settlement reporting within SAP and streamline the reconciliation process across your enterprise.
View combined batch and transaction details across SAP, Paymetric and your processor
Promotes operational efficiency
Gain visibility into fundamental workflow and data issues

SOLUTIONS BENEFITS
Leverage the only SAP Certified, PCI DSS compliant SaaS solution with processor-agnostic tokenization
Eliminate manual and maverick processes and unlock the full value of accepting electronic payments
With our award-winning tokenization solution, XiSecure On-Demand, card numbers are never stored intact
Maintain compliance with the PCI DSS and federal/state data breach notification laws
Eliminate capital investment for software licenses and leverage Paymetric's SaaS subscription model
Reduce your liability for managing an on-premise payment application

WORLD CLASS CLIENT EXPERIENCE
Real people and real answers when you need them:
Relationship Management Team
Client Services Team
24/7 Production Support
Self-service tools available any time:
Client Merchant Portal
XiAssist, the all-inclusive help site
QUESTIONS