PGP INSIGHT
Chase Paymentech: Automating email encryption in financial services

Summary
Chase Paymentech, the world's leading provider of electronic payment processing, wanted to implement a comprehensive solution that could secure a high volume of daily messages to customers and partners. The company didn't want to rely on users to sign and encrypt every email and needed to ensure corporate security policies could be centrally managed with an enterprise-class solution that featured two-way, policy-based enforcement.
PGP Solutions
- PGP Universal™ Gateway Email
- PGP® Desktop Email (with PGP® Virtual Disk)
Customer Profile
- End-to-end payment processing for credit, debit, fleet, & stored-value cards plus electronic checks & recurring payments
- Web-based reporting & transaction processing; foreign payment processing in 14 currencies
- Headquarters in Dallas, Texas
- Privately held company resulting from the 2005 merger of the former Paymentech & Chase Merchant Services
- Combined entity reported 15.5 billion transactions in 2005, representing $560 billion in annual bankcard/debit volume in the U.S. & Canada
Key Issues
- To secure reporting and loan application data sent via email from customers & third-party resellers
- To secure settlement information submitted by merchant partners & communications with benefits providers
- To enable customers to secure messages automatically without implementing & managing a desktop solution
PGP Advantages
- Transparent encryption that eliminates the need for user training or reliance on user behavior
- Encryption solutions that have broad acceptance and a proven history
- A highly flexible solution that provides universal messaging security that can be deployed by domain
Background
As the world's leading provider of electronic payment processing, Chase Paymentech provides end-to-end services for a wide range of traditional retailers as well as catalog, recurring payments, and online merchants. Its customers include the majority of the top 25 Internet retailers plus nearly all the top 10 Internet Service Providers (ISPs).
The company deals with a very large volume of messages on a daily basis, many of which contain confidential information such as credit card numbers. It had already created a best practice that dictated the need to secure any confidential or customer information in electronic communications with encryption.
Chase Paymentech's Directors of Security, Desktop Services, and IT are pioneering the adoption of secure messaging throughout the extended enterprise. "Our employees found going through the process of manually encrypting and decrypting each message cumbersome and unmanageable," says Director of Security Chris Cross. "We couldn't make people use the existing solution even though we had a policy in place. And because it was a desktop-based product, we had no way to enforce that policy internally, much less with external partners."
Solutions Considered
Chase Paymentech had several groups with high security requirements that were driving the need for email encryption. "Our Strategic Relationship group needed to sign binding contracts that stated they must accept applications electronically that were encrypted," explains Rex Nance, director of desktop services. Although the group was using the installed email encryption solution, it was still up to each employee's discretion which messages were encrypted. "Clearly, what we had wasn't a true, universal, corporate security solution," Nance adds.
Another IT problem involved users managing their own keys. "Employees often lost their passwords or left the company, which made accessing their data a critical issue," says Nance. "We needed a way to move responsibility for encryption and management of the process off the desktop."
At one point, Chase Paymentech considered writing an in-house secure-messaging application. However, the company soon decided that the "build" side of the "build-versus-buy" choice was not appealing due to available resources, time frame, and other requirements.
In addition, although Chase Paymentech's internal email environment was based on Outlook and Exchange, its partners used a variety of email systems, including Lotus Notes. "From an IT perspective, we needed a solution that offered broad interoperability, required minimal user training, and provided centralized administration," says Nance.
Why PGP Universal?
Although many of its partners do not use or require secure messaging, the company has developed its own security policies regarding the exchange of emails containing proprietary or customer information. "We won't accept electronic forms containing confidential information unless they're encrypted," Cross explains.
In the past, Chase Paymentech had no way to enforce security policy compliance by its partners or vendors. And because of management, technical, and installation limitations, some customers found desktop-based solutions too complex and time-consuming. "Now, they can use PGP Universal™ Satellite or PGP Universal™ Web Messenger to access reports quickly and easily without any extra steps," says Cross.
PGP Competitive Advantages
Cross knew PGP® security solutions had a proven history of use by some of the world's leading businesses, government agencies, and cryptographers. "We didn't really consider anything else," he says. "PGP Universal Gateway Email offered the two-way, policy-based enforcement and centralized management we needed, plus the transparency our users required."
Deployment Plans
The first phase of deployment will focus on the Security, Infrastructure, and Strategic Partner groups. "Our Strategic Partner group has some relationships that need to be fully automated," explains Cross.
The company also selected PGP Desktop Email, which complements PGP Universal Gateway Email's network security by protecting information stored on local desktop and laptop disks. The PGP Virtual Disk feature of PGP Desktop Email transparently creates volumes whose contents are encrypted when not in use, preventing unauthorized access.
The second phase of deployment will make PGP Universal Gateway Email available to Chase Paymentech's third-party resellers. "We've had a lot of inquiries about secure messaging from our partners as well as from other internal groups that want to send encrypted data," Cross says. "We also have a new workflow application under development. That project includes a lot of automated communications, so PGP Universal will play a key role there and should fit in very nicely."
"A secure-messaging solution isn't just very important—it's required in an enterprise environment. Chase Paymentech is taking a leadership role in this arena. What we've learned is there aren't a lot of products available that have the industry acceptance of PGP® security solutions."
- Chris Cross, Director of Security, Chase Paymentech