TIS is a system integrator with more than 40 years of history. It has rich know-how concerning credit card and payment systems as well as advanced technical capabilities, and it decided to expand the CardSpring cloud service of the American company CardSpring as a new service that leverages these strengths.
CardSpring is a CLO (Card Linked Offer) service that is provided via PaaS (Platform as a Service). It enables digital coupons and credit card usage information to be linked and incentives (points, discounts, etc.) to be provided to card users. CLO is gaining an increasing amount of attention because it offers the convenience of not requiring users to print coupons out as they normally would, and TIS is promoting collaboration and linking between payment processors and media vendors in order to provide a service that can be used at any store and with any card. Furthermore, the service allows member stores to track the attributes of coupon users (new/regular user, number of visits, etc.), to narrow down the users eligible to receive coupons, and to gain an accurate understanding of the effect of coupons.
CardSpring is an extremely effective platform from which member stores can refine and optimise measures to attract new customers, but the infrastructure handles a large amount of card information, so watertight security is demanded. In addition, the CardSpring service is implemented in connection with CardSpring in the USA, and when the service was rolled out in Japan the CardSpring Japan infrastructure had to meet the requirements of CardSpring USA. This meant compliance with PCI DSS (*1). As Daisuke Yoshikawa of TIS’s Advanced Solutions Department, which is in charge of the CardSpring business, recalls, “That meant as long as we didn’t have PCI DSS certification we couldn’t launch CardSpring in Japan.” The only way of completing this important task was by using Trend Micro Deep Security™.
When making CardSpring’s Japan infrastructure compliant with PCI DSS, Mr. Yoshikawa asked for the full cooperation of TIS’s IT Infrastructure Service Department. This department is involved in the design, construction, and operation of IT infrastructure, and provides PCI DSS certification consulting services both internally and externally. One of the security solutions selected by this department, in accordance with the demands placed upon it to achieve PCI DSS compliance with minimal cost and effort, was Deep Security. All of the critical servers in CardSpring’s infrastructure in Japan now have a Deep Security agent built in, and security measures have been comprehensively implemented to meet PCI DSS requirements. These measures include anti-virus software, change monitoring (prevention of tampering with important files), and virtual patch application (measures against vulnerabilities through IPS/IDS functions).
Teppei Eguchi of the IT Infrastructure Service Department explains the benefits of Deep Security as a PCI DSS solution as follows.
“Normally, when you try to implement measures like anti-tampering and anti-virus measures for reasons such as PCI DSS compliance, you need a different tool for each measure, so not only does the burden of implementation and operation increase but you also have to set up a control server for each tool. In contrast, by using Deep Security, you can cover multiple PCI DSS requirements and can control and run multiple countermeasures from a single control server. As such, the burden of implementation and operation is small, and you don’t need to use multiple IT solutions in order to ensure security.”
The CardSpring infrastructure in Japan is deployed in a data centre managed and operated by TIS, and the whole network is protected by elements including firewall appliances and IPS appliances. In this configuration, TIS utilises the IPS functions of Deep Security, the reasons for which are explained below by Masaru Miyazaki of the IT Infrastructure Service Department.
"Deep Security combines a wide variety of functions into a single product, and many security requirements can be met using only one control server. As such, implementation and operational load can be kept to a minimum, and server resources can be used effectively. This is an advantage worthy of special note."
“For example, if you use Deep Security’s host IPS functions, you are able to detect attacks that are usually difficult to detect with IPS appliances on a network, such as communication encrypted with SSL, and deal with them. In other words, we use Deep Security to compensate for the gaps present when using appliances alone, and raise the overall level of security.”
With the implementation and utilisation of Deep Security, TIS made the CardSpring infrastructure PCI DSS compliant (acquired PCI DSS certification) in around six months. TIS put the infrastructure into operation on December 1st 2014. In light of this result, Mr. Yoshikawa explains the advantages of the implementation as follows.
“For us, the acquisition of PCI DSS certification was an extremely large task. The thing that allowed us to achieve this without any holdups was that we managed to cover many PCI DSS requirements with Deep Security.”
Mr. Yoshikawa also highly rates the ease of Deep Security operation.
“CardSpring has a lot of information that has to be managed, and much time is taken up by overall operation, and so in light of this, the fact that you can manage file tampering measures, anti-virus measures, and other measures from a single screen is very significant. In terms of security patch application to deal with vulnerabilities as well, in our operating style we automatically detect vulnerabilities on a server with the “Recommended Scan” provided by Deep Security and apply virtual patches. This kind of efficiency is very helpful.”
According to Mr. Yoshikawa, plans are afoot at TIS to expand and enhance the payment service, and there is a high potential that the use of Deep Security will increase even further. Furthermore, Mr. Miyazaki and Mr. Eguchi want to make Deep Security one of their configuration options for PCI DSS for customers, and Mr. Miyazaki is considering the use of Deep Security to deal with operating system obsolescence, such as when support for Windows Server 2003 ends.
"In order to perform the considerable task of acquiring PCI DSS certification, Deep Security, with its support for multiple PCI DSS requirements, was extremely useful. This product really helped us to achieve our goal!"
Deep Security enabled the CardSpring infrastructure to achieve PCI DSS compliance in a short period of time at a low cost, and the scope of utilisation of this software is steadily increasing at TIS.