
Quick Glance

Industry
  • Technology


A POWERFUL, FLEXIBLE, SEAMLESS PCI SOLUTION

Astute is an international consumer-engagement software company based out of Columbus, Ohio. It offers a suite of AI-driven software-as-a-service (SaaS) products, such as CRM tools, a social media management application, a knowledge management application, voice chat, video and more. Astute provides these vital customer service aids to large consumer product brands around the world to streamline their customer service processes across all channels, from helping customer service agents interact smoothly with customers to providing effective self-service tools.

Minimizing PCI Scope While Securing Stored Sensitive Data

In the past, most of Astute’s customers didn’t need to store cardholder data in their environments and therefore weren’t subjected to PCI requirements. But as the demand for frictionless transactions and instant payments increased, it became clear that storing cardholder data (CHD) no longer was avoidable. As a result, Astute recognized the importance of finding a versatile, scope-reducing solution while working toward PCI certification for its suite of products.

“The more we looked into it, we knew we needed something that offered more flexibility and that would provide an abstraction from our core environment,” said Astute Chief Information Security Officer Chris Conner. “We were looking for a secure repository where any of our platforms could store not just cardholder data, but any sensitive data that we wanted to keep separate from our production environment.”

Astute’s search for a new PCI solution became a top priority while working with one of its larger customers. The customer, a concierge service provider, had an initial 300,000 cardholder records on file that it needed to have stored securely. In addition to storing and securing those records, Astute needed to work directly with the customer’s clients, all global card services providers, to satisfy their strict compliance requirements.

“We wanted to avoid significantly altering our SaaS-based platform, which would have been challenging, costly and time-consuming,” Conner said.

With that in mind, Astute’s ideal solution was an established, certified tokenization provider capable of operating in concert with Astute’s current environment. That solution was TokenEx’s flexible, cloud-based tokenization hosted by Armor’s scalable, secure platform.

Figure: TokenEx Authentication & Access Control

Offloading Scope Without Affecting Operations

To minimize PCI scope in Astute’s production SaaS environment while still allowing its customers to store sensitive data, TokenEx embedded its hosted iFrame in the CRM pages used by customer service agents. The iFrame captures, tokenizes and stores the cardholder data itself, so the card number never enters Astute’s systems and they stay entirely out of scope.

“It allowed us to offload that scope and keep it contained in one specific area … separate from our production operation,” Conner said. “We were also impressed that TokenEx had the payment gateway capabilities as well, since in the past we’ve used that method of handling transactions to help offload scope even further. … That was a big selling point.”

In addition to its iFrame and vendor-agnostic transparent gateway, TokenEx’s ability to accommodate both batch migration and API calls particularly impressed Conner and his team at Astute. These features added flexible functionality to a secure, scope-reducing solution that didn’t adversely impact the daily operations or business intelligence of Astute’s customers.

“We also liked the fact that TokenEx was able to handle batch-oriented processing,” Conner said. “When we are onboarding customers, there is often data from their systems that needs to be imported. We have such a wide variety of customers with varying levels of complexity. Having the option to leverage API-based transactions in addition to batch-based data loads in the payment gateway was very appealing.”

This implementation was expansive. It was global—there were multiple enterprise systems involved—and included a number of third-party cloud- and SaaS-based service providers.

Chris Conner Chief Information Security Officer
Astute

Simple, Flexible Integration

Due to its diverse customer base, Astute is tasked with designing applications tailored to the industry-specific needs of its customers. Thus, the flexibility of TokenEx’s solution played a pivotal role in its implementation. By using TokenEx partner Armor to host the CRM pages where sensitive data was accepted, Astute significantly reduced its scope without interrupting the graphical user interface it created for its customers to retrieve sensitive data. Astute also worked closely with multiple divisions within the customer’s organization to ensure a successful implementation.

“The accessibility of TokenEx’s CTO was extremely helpful. He engaged us early in the process,” Conner said. “Also, the business development team and the account manager were great to work with. They took care of everything and made sure we had what we needed when we needed it.

“TokenEx’s responsiveness and the ease of working with the product have been fundamental to the success of this effort. These factors were extremely important to us. Had it not been so straightforward, we could have easily run into major project delays.”

To further accommodate its customer, Astute’s development team programmed logic into a simple, separate web service and interface hosted by Armor. This web service uses API calls to process requests and preserves the relationships between customer ID, token and card data. It also includes additional logic to scrub cardholder data so that what is retained meets the requirements for PCI compliance.

“We pass the token on to the external web interface,” Conner said. “From that point on, the customer service agent is working completely separately from our production environment. No cardholder data is traversing our network at any time.”
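The scope boundary described above, as an added illustration that is hypothetical code rather than TokenEx’s or Astute’s own: a vault stands in for the hosted tokenization service and hands back random tokens, the CRM side keeps only customer ID, token and last four digits, the real-time (iFrame) path and the batch onboarding path share one tokenize call, and a scrub/audit pair checks that nothing card-shaped has leaked into in-scope records. Class and function names are invented; the card numbers are constructed test values.

```python
"""Model of a tokenization scope boundary (hypothetical, not TokenEx/Astute code)."""
import json
import re
import secrets

# 13-19 digits, optionally separated by spaces or dashes (card-number shaped).
PAN_PATTERN = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")


def luhn_ok(digits):
    """Luhn checksum: separates real card numbers from arbitrary digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def find_pans(text):
    """Every Luhn-valid, card-shaped digit run in text; used by the audit."""
    runs = (re.sub(r"\D", "", m.group(0)) for m in PAN_PATTERN.finditer(text))
    return [r for r in runs if luhn_ok(r)]


def scrub(text):
    """Mask card numbers to their last four before text is retained in scope."""
    def mask(m):
        digits = re.sub(r"\D", "", m.group(0))
        if not luhn_ok(digits):
            return m.group(0)
        return "*" * (len(digits) - 4) + digits[-4:]
    return PAN_PATTERN.sub(mask, text)


class TokenVault:
    """Stands in for the hosted tokenization service (the out-of-scope side)."""

    def __init__(self):
        self._store = {}  # token -> (PAN, optional verification value)

    def tokenize(self, pan, verification_value=None):
        pan = re.sub(r"\D", "", pan)
        if not (13 <= len(pan) <= 19 and luhn_ok(pan)):
            raise ValueError("not a plausible card number")
        # Random token: nothing about the PAN is derivable from it.
        token = "tok_" + secrets.token_urlsafe(18)
        self._store[token] = (pan, verification_value)
        return token

    def detokenize(self, token):
        return self._store[token][0]


class CrmRecords:
    """The SaaS side: customer_id -> token and last four, never the PAN."""

    def __init__(self):
        self.records = {}

    def link(self, customer_id, token, last4):
        self.records[customer_id] = {"token": token, "last4": last4}

    def audit(self):
        """Any PAN found here means the scope boundary was crossed."""
        return find_pans(json.dumps(self.records))


def agent_capture(vault, crm, customer_id, pan, verification_value=None):
    """Real-time path (what the iFrame does): PAN goes vault-side, CRM gets a token."""
    token = vault.tokenize(pan, verification_value)
    crm.link(customer_id, token, re.sub(r"\D", "", pan)[-4:])
    return token


def batch_import(vault, crm, rows):
    """Onboarding path: same vault call, many (customer_id, pan) rows at once."""
    return {cid: agent_capture(vault, crm, cid, pan) for cid, pan in rows}


if __name__ == "__main__":
    vault, crm = TokenVault(), CrmRecords()
    # Constructed test card numbers, not real accounts.
    agent_capture(vault, crm, "cust-1", "4111 1111 1111 1111", "123")
    batch_import(vault, crm, [("cust-2", "5500000000000004")])
    print(crm.records, "audit:", crm.audit())
    print(scrub("agent note: customer read out 4111 1111 1111 1111 by phone"))
```

The audit is the part worth keeping around in a real deployment: running a card-shaped-digit scan with a Luhn filter over anything that is supposed to be out of scope (records, logs, exports) is a cheap way to notice when a new integration path starts carrying the PAN itself instead of the token.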

Figure: TokenEx Current State

The flexibility afforded by this functionality was especially valuable when it came to working with Astute’s customer, whose bank required the storage of verification values in addition to the card numbers. Capturing, tokenizing and storing CHD in a unique manner were critical aspects of the solution.

“We have what are essentially real-time transactions, as well as multiple batch processes, that are getting kicked off and hitting the same API. However, they are performing two very different business functions. The common API for both functions helped our developers, and the customer’s data team, to get up to speed and start working with TokenEx’s technology very quickly.”

Not only did TokenEx effectively meet its two main goals of security and compliance, but it also exceeded expectations with a “surprisingly straightforward” integration process and a rollout time of just a few weeks from design to development, Conner said.

“That was much faster than we had anticipated,” Conner said. “Within the matter of a few months, we had the entire process of PCI certification—from zero to certified—complete. There’s no way we could’ve done it in that time frame otherwise.”

