With an 80 percent market share, Cardnet is the Dominican Republic’s premier clearinghouse for credit card purchasing transactions. Whenever credit cards are used to make payment or when banks pay one another using credit — 41 million times per year and growing — it is Cardnet that makes sure the transactions are processed correctly. The company counts most of the major companies in the Dominican Republic as customers as well as every one of its banks. Cardnet also manages all ATM transactions in the country — 60 million transactions in 2008.
Rampant virus attacks threaten to cripple Cardnet’s network
Despite its importance in the region’s financial community, Cardnet is a relatively small company with only 340 employees. It maintains lean operations, including a staff of just three people in IT security. Over the years, email viruses have become a major problem for the company and a significant burden for the small IT staff. Viruses not only consumed IT’s precious time, but also caused the network to be down as much as two-thirds of the time. Every virus outbreak took days to resolve. In addition, with all the credit card numbers in its files, Cardnet found that complying with PCI DSS regulations was becoming an evermore substantial and time-consuming task for IT.
Cardnet knew it needed help from the security software industry, and began researching security solutions. McAfee quickly rose to the top of the list. “One of McAfee’s great appeals to us is that IT infrastructure security is its entire business,” explains Francisco Valdes, chief security officer for Cardnet. “Unlike all the other major players in the field, McAfee is undistracted by other lines of business, and pours all its resources into making companies like Cardnet safe from cyberattacks.”
Valdes and his staff knew that solving the rampant virus problem was only the beginning of the measures that Cardnet needed to take. The firm also needed to learn where its network vulnerabilities lay and institute protective measures both at the perimeter and internally. It also needed to protect its data and secure its infrastructure against unauthorized user behavior that could cause breaches in security. “The more we looked into McAfee, the more we realized that its solutions interlock to cover the gamut of the security needs of a company like ours end-to-end,” says Valdes.
Cardnet’s executives were keenly aware of the company’s security challenges. Before making a commitment to McAfee, however, they needed to understand in detail how an investment in security software would positively impact everyday business. McAfee representatives visited Cardnet, conducted in-depth research into the true cost to the company of its security vulnerabilities, and presented findings to the firm’s senior management. “The McAfee experts were the first to speak our language,” reports Valdes. “They illustrated the true cost of downtime and translated our risks into monetary value. They clearly explained how much we would be losing, every minute and every hour, until and unless we put the right technologies in place to understand what was going on in our network and ward off trouble.”
Infections completely stop
Once Cardnet’s executives understood the true costs and risks that network vulnerabilities represented, they authorized Valdes and his team to proceed building a McAfee-based arsenal. Since virus protection was the most urgent problem, Cardnet began with the applications that now comprise McAfee Total Protection (ToPS) for Endpoint Advanced: McAfee VirusScan Enterprise, McAfee Anti-spyware Enterprise, McAfee Host Intrusion Prevention, and the centralized management product that unites them all, McAfee ePolicy Orchestrator (ePO). Cardnet installed McAfee Vulnerability Manager at about the same time so that it could not only identify and neutralize malware, but also indicate where it was coming from.
These solutions had a profound and immediate effect on the problems Cardnet had been experiencing. “Our incidence of viruses and other kinds of malware dropped to zero,” Valdes reports. “In fact, in the nearly five years we have had McAfee software in place, we have had no infections of any kind in the network that we are aware of. Viruses changed from a plague that threatened to take our network off the air to absolutely no problem at all.”
"In the nearly five years we have had McAfee software in place, we have had no infections of any kind in the network that we are aware of. Viruses changed from a plague that threatened to take our network off the air to absolutely no problem at all."Francisco Valdes
Chief Security Officer, Cardnet
PCI DSS compliance is simplified
McAfee Host Intrusion Prevention has proven to be an exceptionally valuable and versatile tool in Cardnet’s armaments, playing a major role in simplifying the firm’s PCI DSS compliance processes. In the past, the IT security staff was strained by testing and verifying the entire network in the single month that was allowed for the compliance process. Now Cardnet uses McAfee Host Intrusion Prevention to segment its network into manageable pieces for much more relaxed compliance checking.
Cardnet follows a master plan by adding new protection measures annually
The initial implementation of McAfee solutions was so successful that Cardnet drafted a master plan for providing complete protection over the course of several years, using additional McAfee products every step of the way. Next in line was data protection, for which Cardnet deployed the McAfee Total Protection (ToPS) for Data suite including McAfee Endpoint Encryption, McAfee Device Control, and McAfee Host Data Loss Protection (Host DLP). These products secure the entire network with the sole exception of McAfee Endpoint Encryption, whose deployment is based on user roles, since not every user has access to data in need of protection.
Once data protection was in place and working well, Valdes and his staff proceeded with the next steps in the security plan. They added two McAfee Network Security Platform appliances, one each for protecting the perimeter (model 2700) and for internal operations (model 3050). Next came the implementation of McAfee Email Gateway and McAfee Email and Web Security appliances for web filtering. Cardnet uses these applications to scan for malware and spam in both incoming email and from the web. These solutions also assure Valdes that all outgoing emails containing sensitive information are encrypted.
With the network and systems under control, Cardnet addresses the user
In addition to securing its network and systems, Cardnet also had to address the behavior of its end users, who too often unknowingly leak sensitive, classified information. Cardnet is taking a two-pronged approach to the problem: education to improve user understanding of the importance of data security, and deployment of McAfee tools to effect better controls and put them in place faster. Even though McAfee Host DLP shows when and where leakage of sensitive information is occurring, Cardnet would like to better understand where and how users are obtaining this information, where it flows, and whether it gets to its intended destination. The company wants to implement more flexible policies that still allow management to have sufficient control. For help, the firm most recently installed McAfee Network User Behavioral Analysis. “We’re just getting started, but it’s already clear that we have a very powerful new tool,” notes Valdes.
Cardnet is also testing McAfee Network Access Control, with a production deployment in the plan for next year. Likewise the firm is in the process of implementing Artemis Technology on top of McAfee VirusScan Enterprise to provide an extra layer of always-on protection against viruses.
Centralized management keeps the IT security staff small
“I can now say that we have installed and deployed almost every product that McAfee makes, and as a result we have protection in virtually every corner of our network,” says Valdes. “The only reason we are able to manage so many applications with such a small staff is that ePO centralizes the management of all of them on a single console. It also greatly eases the deployment of new solutions by allowing us to implement every change without impacting the business or changing the user environment. Without ePO, we would be spending our entire lives in the lab.” To stay current with ePO technology, Cardnet is evaluating ePO 4.5 and plans to go into production with it shortly.
"Without McAfee, we would need a staff of 20 or more and I would still be worried. McAfee gives me the confidence to sleep at night."Francisco Valdes
Chief Security Officer, Cardnet
Another reason the three-person staff is able to accomplish so much is the strong support it receives from McAfee’s Professional Services organization. “They always get the job done,” says Valdes.
Competitive advantage adds to fast investment recovery
“We are recouping our McAfee investment quickly,” says Valdes. “McAfee solutions are a vital part of our business and help us with every change we make. Each year we spend less, get more, and find it easier to ensure the protection our network needs. We are protecting the business while making our processes more efficient, and we can now be proactive instead of reactive in instituting protection. Without McAfee, we would need a staff of 20 or more and I would still be worried. McAfee gives me the confidence to sleep at night.”
Because of its excellent record over the last five years in warding off infections, Cardnet frequently meets with other companies who are seeking similar results — and the company invariably recommends McAfee. Many of the companies are Cardnet’s own customers, for whom McAfee provides a discount to join its user community. “The availability of McAfee’s discount is one more motivation for customers to choose Cardnet for their transaction processing needs,” concludes Valdes. “Companies always want to be more secure — and save money while doing it. The fact that we can help them achieve both objectives at the same time with McAfee represents a clear competitive advantage for us — yet another reason we are extremely pleased with our decision to go with McAfee.”