Headquartered in Alpharetta, Georgia, Paymetric is the leading provider of integrated and secure enterprise payment acceptance solutions. Paymetric enables organizations to integrate multiple types of electronic payments into enterprise systems like enterprise resource planning (ERP) systems, CRM, Web stores, call centers and POS. Paymetric lowers the cost of processing electronic payments and it reduces the scope of PCI compliance by “tokenizing” payment account numbers.

Data security is an essential business requirement for Paymetric. As a payment processor, many enterprises rely on Paymetric to secure their credit card transactions. The company, therefore, goes to great lengths to protect the privacy and integrity of its customers’ sensitive data. Paymetric incorporates secure application coding best practices into its software development processes to bolster application security. It also engaged Cenzic, an application vulnerability assessment provider, to test its Web applications for vulnerabilities.

PCI Compliance and Real-Time Threat Mitigation

Genady Vishnevetsky, the Director of Security at Paymetric, was satisfied with Cenzic’s assessment services. Cenzic provided comprehensive penetration tests with very few false positives. However, Genady worried that if the Cenzic scans discovered critical vulnerabilities in Paymetric’s Web applications, mitigation efforts would impact application development schedules. Manual fix processes would either expose Web applications to attack or require applications to be taken offline while fixes were implemented. Neither alternative was acceptable for Paymetric. Therefore, the company needed a real-time security solution to prevent lengthy and disruptive fix cycles.

In addition, PCI compliance was a key business requirement for Paymetric. According to PCI requirement 6.6, Paymetric either needed to install a Web Application Firewall or perform application reviews annually and after all application changes. Genady thought that a Web Application Firewall (WAF) could streamline Paymetric’s PCI compliance processes. And used in conjunction with the Cenzic assessment service, a WAF would deliver a multi-layered defense, an approach recommended by the PCI Security Standards Council.

Technology Requirements

To address these security and PCI compliance requirements, Genady and his security team began researching WAF solutions. Based on their internal analysis, the IT security team developed the following WAF product criteria:

  • Accurate, real-time protection – The WAF needed to block and alert in real-time with an extremely low rate of false positives.
  • Non-intrusive deployment – The WAF should not impact existing applications. Because Paymetric had a fully redundant network architecture, the WAF should not introduce a single point of failure.
  • In-house development – Paymetric felt that a vendor focused on application security would offer better product innovation and customer support than a vendor that had acquired WAF technology.
  • Integration with vulnerability assessment tools – Since Paymetric relied on Cenzic for application assessments, the WAF should virtually patch vulnerabilities found by Cenzic.
  • High performance within budget constraints – The total cost of purchasing, installing and managing the WAF needed to be within Paymetric’s budget. After examining product information and reading technical reviews and analyst reports, Paymetric developed a shortlist with Imperva and one other WAF vendor. Imperva quickly set itself apart because of its advanced security features and flexible deployment options.

Easy Rollout, Automated Attack Protection

According to Genady, Imperva SecureSphere was “very intuitive” and easy to set up. An Imperva Sales Engineer helped the security team install SecureSphere and “hand held them through the initial configuration.” Within three hours of opening the Imperva shipping box, Paymetric had deployed SecureSphere and protected the company’s flagship Web application against known Web attacks, known malicious sources, and protocol violations. Within several days, SecureSphere’s Dynamic Profiling had automatically learned Paymetric’s Web application and expected usage, thereby protecting the organization against application-specific Web attacks. Because SecureSphere offered transparent deployment, the security team was able to provision SecureSphere without changing network or DNS settings or rewriting applications.

Paymetric’s security team was also concerned about botnets and automated threats. Imperva’s unique ThreatRadar service was able to detect requests to Paymetric’s Web application from known attack sources, such as malicious IPs, anonymous proxies, TOR networks, and phishing URLs. In fact, ThreatRadar provided immediate benefits; within minutes of installing SecureSphere, Paymetric’s security team started seeing Web attacks from malicious IPs and anonymous proxies. SecureSphere offered advanced protection against these known bad sources, but it also provided Paymetric unmatched visibility into real attack sources, methods, and targeted URLs.

Integration into Paymetric’s Software Development Lifecycle

Paymetric has incorporated the SecureSphere Web Application Firewall into its software development processes. The company virtually patches vulnerabilities with SecureSphere. Cenzic assessment results are imported into SecureSphere. Then SecureSphere instantly creates rules to patch discovered vulnerabilities. While the rest of the Web application is still protected against application attacks, SecureSphere can enforce stricter policies for known vulnerable elements.

In addition, SecureSphere has helped Paymetric’s application development team. They can review information about Web attacks, Web server response codes, and application errors. According to Genady, “SecureSphere has made our software development processes more robust. Application developers use SecureSphere’s reports to improve input validation and error handling.” Imperva SecureSphere was the ideal choice for Paymetric because it streamlined PCI compliance efforts, provided real-time protection against attacks, and improved the underlying security of Paymetric’s Web applications.