Highlights
- Sells more than 20 million textbooks annually in stores and online and operates more than 700 book stores
- Needs to protect its customers' personal data from breaches while complying with the PCI DSS standard
"Our customers' personal data is protected, and we are protected from the potentially high costs of compromised data."

Secure, compliant encryption
Beginning as a small book store in 1873, the Follett Corporation has
grown to become one of the cornerstones of the educational system
within the United States. The Follett Higher Education Group (FHEG)
sells more than 20 million textbooks annually in stores and online, and
it operates more than 700 campus book stores for colleges and
universities. For every transaction the company protects its customers’
personal data from breaches while easily and cost-effectively complying
with the Payment Card Industry Data Security Standard (PCI DSS).
Since it began operating stores and taking credit cards, FHEG has
taken protecting its customers’ privacy seriously. To protect customer
data the company has a longstanding practice of encrypting customer
payment data. Encrypting data and subsequently decrypting data
required following and documenting a time-consuming manual
encryption key management and storage procedure, as required by
PCI DSS 3.6.3. FHEG also needed to rotate encryption keys (replacing
old keys with new ones, as required by PCI DSS requirement 3.6.4)
at least once a year, which it did manually. FHEG found that its key
management process was becoming too inefficient and labour-intensive.
The company decided to transition to using hardware
security modules (HSMs) from Thales’s nCipher product line instead of
manually tracking encryption keys.
“Thales HSMs provide a secure environment for managing and storing
the encryption keys that protect customer data,” says Terry Mainiero,
FHEG’s director of store systems. “We wanted to use Thales HSMs as
the basis for an efficient, cost-effective, and PCI DSS compliant key
management process.”
Secure and flexible key management frees IT resources
After deciding to implement an HSM, FHEG evaluated a number of the
options on the market. The company found that while all HSMs provide
security, Thales HSMs also delivered ease of use and flexibility. Irwin
Gafen, director of wholesale and distribution systems at FHEG,
explains, “Thales helped us to understand our choices for encryption,
and to deploy a simple, secure, and compliant solution to replace our
manual key management processes.”
“We needed an HSM that was flexible enough to fit into our
environment without disruption while making our key management
more automated,” says Mr. Mainiero. “Thales met our needs perfectly.
Our Thales HSMs protect our encryption keys, safeguarding customer
data from breaches. Just as importantly, it helped make achieving PCI
DSS compliance far easier and more cost-effective.”
Enhanced key management
With Thales HSMs, FHEG has replaced inefficient
manual processes with a largely automated key
storage and generation process. The Thales HSM
is deployed in a server that safely distributes
encryption keys to the company’s e-commerce and
point of sale systems. When the company rotates
existing encryption keys, as required under PCI
DSS, the process takes a fraction of the time it
took with manual processes. That’s because the
process is now largely automated, making PCI DSS
audit reviews easier and more efficient.
“Rotating to new encryption keys is very fast. So if
the PCI DSS were to require more frequent key
changes, it wouldn’t be a problem for us,” notes
Mr. Mainiero.
The encryption experts
To implement its new PCI DSS compliant key
management solution, FHEG turned to Thales
Professional Services. The team began by working
with the company to understand their current
processes and environment. They also reviewed
the company’s security procedures, policies, and
systems. The team then developed an
implementation plan that fully supported FHEG’s
needs and continued PCI DSS compliance.
“It was a pleasure to work with Thales Professional
Services,” says Mr. Gafen. “They took the time to
listen to our needs and understand our systems
and processes. They designed and implemented
an effective solution. The whole project was on-time,
on-budget, and bug-free.”
Mr. Gafen adds, “Encryption is highly complex, and
getting it right requires expertise. Thales
Professional Services has that expertise and makes
very practical recommendations. They brought
specialist knowledge to the project, which allowed
our team to stay focused on our business needs.”
Protecting customers and the business
With effective encryption and key management,
FHEG is confident that its customers’ personal
data is secure. This not only protects customers,
it also protects the company from the bad publicity
and costs that can result if credit card data is
compromised.
“With Thales, no one can access our encryption
keys,” says Mr. Gafen. “Our keys are safe from
internal and external tampering, safeguarding our
encrypted data against theft or manipulation. Our
customers’ personal data is protected, and we are
protected from the potentially high costs of
compromised data.”