7650 W COURTNEY CAMPBELL CAUSEWAY, SUITE 950 TAMPA, FLORIDA 33607 ULTRAMATICS.COM 813.891-0300

FREQUENTLY ASKED QUESTIONS

Questions:

Business
  What does it take to deploy PCI-G from the standpoint of PS and effort?

Functional
  Can PCI Guardian work with other Tokenization vendors, if so how?
  Can the solution integrate with LDAP for processing?
  Can PCI Guardian be used as Payment Gateway?
  How do banks access PCI-G?
  Can customer support agents drill down on the dashboards to get the Credit Card Info?

Delivery
  How long does an implementation take?

Deal-making
  What components comprise a software license for PCI-G?
  How much is a typical deal (software and services)?
  What is the typical IBM portion of the deal?

Competition
  Doesn't PCI Guardian compete with other IBM Security Products?
BUSINESS

What does it take to deploy PCI-G from the standpoint of PS and effort?

While it differs depending on the customer requirements, a deployment will typically take 3-6 months to get to production. There are packaged service offerings for PCI Guardian to help give focus to customers and the sales process. Please see the Services One Sheet supporting the offering. Factors that typically drive PS include the following: number of integrated applications, multi-data center approaches, required customizations vs. out-of-the-box functions, and additional security requirements.

FUNCTIONAL

Can PCI Guardian work with other Tokenization vendors, if so how?

Yes, it can. PCI Guardian has a robust stateless tokenization solution that provides all of the known capabilities that a customer may desire. This includes more than just tokenizing credit card information. A core tenet of the architecture is that of a Service Oriented Architecture (SOA). As such, PCI Guardian is fully flexible to use other tokenization and encryption solutions if they leverage RESTful or WSDL-based services. For example, it has been integrated with TokenEx. Lastly, because of the SOA nature of PCI Guardian, any external tokenization vendors can leverage PCI Guardian's error recovery capabilities as well.

Can the solution integrate with LDAP for processing?

Yes. Because PCI Guardian leverages DataPower, it can be configured for LDAP.

Can PCI Guardian be used as Payment Gateway?

PCI Guardian can call out to Payment Gateways through its secure workflow functions. For instance, the software integrates with Litle (now Vantiv) or other Payment Gateways leveraging standards-based, secure, and robust integration. By itself, PCI Guardian does not provide a payment gateway. It seamlessly integrates with one, including bringing interactions into the unified auditing subsystem of the product.

How do banks access PCI-G?

Interactions with banks can be managed through PCI Guardian's secure workflows. This allows the software to manage who has access to what data and when. Because of its significant integration capabilities, there is a lot of flexibility in these interactions. Yet a key principle is that all such interactions are fully managed and audited as a secure workflow capability (not ad hoc insecure PCI data retrieval).

Can customer support agents drill down on the dashboards to get the Credit Card Info?

Currently, the out-of-the-box dashboard deliberately does not expose credit card numbers, keeping sensitive data squarely in the PCI Zone. Such information can, however, be shared using the secure workflow functions. As part of the deployment engagement, such requirements may be explored carefully, so as not to increase insecure data exposure, and integrated with whatever digital surface is required. Additionally, only portions of a credit card number (such as the last 4 digits) could be exposed instead of the entire number.

DELIVERY

How long does an implementation take?

A base implementation can be completed in 60-90 days in a convenient fixed-bid model.
DEAL-MAKING

What components comprise a software license for PCI-G?

1. Gateway: secure-zone protected set of integration services. This is the IBM XI52. This is a mandatory new license component for PCI-G.
2. Recovery: secure-zone protected recovery service for transaction failures. This is the IBM XC10 technology or other compatible technologies. This is a mandatory new license component for PCI-G.
3. Tokenization: data tokenization capabilities as part of the secure-zone architecture. This is the Voltage Tokenization Server or other compatible technologies. This is a mandatory new license component for PCI-G.
4. Workflows: secure workflows supporting security patterns. This is an Ultramatics component of PCI-G. This is a mandatory new license component for PCI-G.
5. PMC: PCI-G Management Console for reports, dashboards, and admin functions. This is a mandatory new license component for PCI-G.
6. Messaging: message queuing services for secure-architected interactions amongst PCI-G components. This is a mandatory new or bring-your-own-license component for PCI-G.
7. Database: database persistence for the PMC. This is a mandatory new or bring-your-own-license component for PCI-G.

How much is a typical deal (software and services)?

The typical deal is $750-900K, including all software (IBM, Voltage, and Ultramatics) and services (Ultramatics).

What is the typical IBM portion of the deal?

IBM DataPower typically makes up $250-400K of the package. Keep in mind that this solution must run on dedicated DataPower appliances, so these are new sales.
COMPETITION

Doesn't PCI Guardian compete with other IBM Security Products?

PCI Guardian is complementary to IBM's portfolio of security capabilities. PCI Guardian capabilities are tailored for transactional application messages and data privacy. The use cases feature an appliance-centric approach, an error handling subsystem, administration and web-based auditing capability, and more. These capabilities as a whole are not found in the IBM portfolio. The value-added software of PCI Guardian brings it together.

There are future roadmap possibilities that bring even further customer value. For instance, IBM Guardium's data masking capabilities may be an option for some use cases instead of tokenization. Additionally, PCI Guardian may be able to correlate real-time information with proactive network alerting and with QRadar's threat detection rules. Built on an SOA platform with clear interfaces to subsystem components for exception management and eventing, PCI Guardian can smoothly interoperate with additional technologies. These include additional IBM products, as required.

For feedback on this document, including updated field intelligence or new questions, please contact marketing@ultramatics.com.