Case study - Quipu Processing

Quipu Processing uses GFI EventsManager to address the requirements of PCI DSS.

Quipu Processing partners banks and other services providers that are planning to build up a payment card business from scratch. As a company that works directly with companies handling, processing or storing cardholder data, Quipu are obliged to fulfill the network security requirements imposed by the Payment Card Industry Data Security Standard (PCI DSS). To meet these strict requirements, the company needed a solution to help them automate certain processes related to the logging of events and activity on their network. Quipu Processing selected GFI EventsManager, an event log management solution from GFI Software.

Challenges

The strict requirements imposed by the PCI DSS have put pressure on many companies to get their act together and ensure that their systems are secure and that cardholder data that they (or their clients) may handle is well protected from hackers and other identity thieves. Quipu Processing's main customers are members of the ProCredit group, an expanding network of banks dedicated to serving micro, small and medium-sized enterprises and low-income households. There are 20 ProCredit Banks operating successfully in as many different countries in Africa, Latin America and Eastern Europe and the vast majority are running the banking software developed by Quipu.

Quipu also run a number of regional offices and their growing customer base requires their account-holders to be able to use their cards at any time of day, every day of the year and not only on their terminals but also on those operated by other banks.

With credit card fraud on the rise, professional companies like Quipu Processing cannot afford to let their guard down and risk data disclosure to third parties. Conscious of the risks and aware of the consequences, Quipu's IT department required a solution that helped them to monitor activity on their network and produce the necessary reports that are required by auditors to confirm that Quipu is compliant with the PCI standard.

"As a card-processing company we have been fully aware of the PCI DSS requirements and the need to maintain compliancy with these standards. And this is something that we have been working very hard on for many months," Mark-Oliver Horst, chief technical officer at Quipu GmbH explained.

"We had two main technology/compliance issues facing our company - data encryption and key management on one hand, and event monitoring, filtering and notification on the other," Mr. Horst added.

"The collection and analysis of event logs network wide can prove to be a major headache for administrators who have to manage multiple servers, often in different locations within the same building or in different geographical locations. It is physically impossible to monitor each server individually and with thousands of events occurring every day it is extremely difficult to sift through and analyze all of them for events that really matter to the administrator - irrespective of whether the data is required for normal administrative purposes or to meet strict compliance requirements. This is the major challenge that was facing Quipu over the past six months.

Implementation

Quipu, therefore, required a solution that not only fulfilled part of the requirements for PCI compliance but one that was easy to install and that provided administrators with the ability to access, analyse and archive from a single console the thousands of events that occurred on the network every day and that categorized events by severity and alerted administrators on critical events.

In January 2007, after examining what solutions were available on the market, Quipu decided to go for GFI EventsManager, an event log management solution, to help it achieve these targets.

"We needed a solution to help with PCI Audit compliancy and found GFI EventsManager to have a good price performance ratio and one that met our event log management needs. We have been using the product for six months now and from a compliance perspective - particularly with regard to PCI DSS - we are currently getting closer to compliancy with the help of GFI's team. From a technology perspective, we are satisfied with the product. I believe the product could become even more complete if it also collected Oracle and Microsoft SQL audit log information," Mr. Horst said.

Benefits

Apart from using GFI EventsManager for PCI DSS compliancy issues, Mr. Horst said the product had also turned out to be a nice add-on to Quipu's existing network monitoring solution, IPswitch WhatsUp.

Mr. Horst also expects GFI EventsManager to help Quipu save time spent on administration as use of the product is fine-tuned to suit the company's needs, although numerous benefits were realized soon after installation and a few tweaks to the software.

Target reached

"I would say the greatest benefit we've had using GFI EventsManager is that it has helped Quipu to solve PCI DSS compliance issues."

Links

For more information about GFI EventsManager visit our product discovery page.

Download version of the software here

Disclaimer: All product and company names herein may be trademarks of their respective owners. To the best of our knowledge, all details were correct at the time of publishing; this information is subject to change without notice.