As part of our look at Application Decommissioning in Financial Services, we’re now going to turn our attention to the highly regulated world of credit card processing.
Keeping Up with Data Retention and Compliance Policies
Along with Dodd-Frank and other financial regulations, credit card processors are subject to strict PCI (Payment Card Industry) privacy and security standards aimed at protecting consumers. Requirement 3 of the PCI Data Security Standard (DSS) states that cardholder data storage and retention time must be kept to the minimum necessary to meet specific business, legal and regulatory needs—and not any longer than that. This must be determined precisely and backed up by rigorous data retention and disposal policies. In addition to other potential penalties, failing to comply with these requirements can result in fines of up to $100,000 per month. And these rules must be applied in conjunction with a slew of other related federal, state and international laws.
When all these factors are taken into account, data retention and disposal policies can become extremely complex. In fact, one of our customers—a multinational financial services corporation—has over 5,000 specific data retention rules dealing with credit card data from its worldwide markets. Yes, not 50 or 500, but over 5,000! That would be enough to pose a challenge for any standard database or records management system—not to mention that such systems typically aren’t equipped to handle the equally sophisticated data security requirements.
More than that, the data in question doesn’t just need to be archived and retained. As in the Banking industry, it also must remain readily accessible when needed for a variety of ongoing business and regulatory purposes. Not having the data needed to support an audit can be just as costly as violations for having kept the data too long. Compliance is thus extremely tricky, calling for a difficult and precise balancing act.
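To make that balancing act concrete, here is an added illustration (not InfoArchive code and not the customer's rule set, which this post does not show) of how a rule engine can pick the most specific applicable retention rule for an archived record, decide whether the record is past its justified retention period, and refuse to dispose of anything an open audit still depends on. The markets, periods and rule bases are constructed placeholders.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

@dataclass(frozen=True)
class RetentionRule:
    """One retention/disposal rule; None in market or data_class means 'any'."""
    market: Optional[str]
    data_class: Optional[str]
    retain_days: int
    basis: str  # the business, legal or regulatory need that justifies retention
    def matches(self, market: str, data_class: str) -> bool:
        return self.market in (None, market) and self.data_class in (None, data_class)

@dataclass(frozen=True)
class ArchivedRecord:
    record_id: str
    market: str
    data_class: str
    last_business_use: date
    under_audit_hold: bool = False  # still needed for an open audit or dispute

def applicable_rule(rules, rec) -> RetentionRule:
    """Pick the most specific matching rule: market-specific beats class-only beats catch-all."""
    candidates = [r for r in rules if r.matches(rec.market, rec.data_class)]
    if not candidates:  # no rule means no justified retention period: flag it, don't guess
        raise LookupError(f"no retention rule covers record {rec.record_id}")
    return max(candidates, key=lambda r: 2 * (r.market is not None) + (r.data_class is not None))

def disposition(rules, rec, today: date) -> str:
    expiry = rec.last_business_use + timedelta(days=applicable_rule(rules, rec).retain_days)
    if rec.under_audit_hold:
        return "HOLD"  # never dispose of data an open audit still depends on
    return "DISPOSE" if today > expiry else "RETAIN"

def review(rules, records, today: date) -> dict:
    return {rec.record_id: disposition(rules, rec, today) for rec in records}

# Constructed placeholder rules and records (not real statutes or the customer's rule set).
RULES = [
    RetentionRule(None, "transaction", 365, "dispute window (global default)"),
    RetentionRule("DE", "transaction", 3650, "placeholder national record statute"),
    RetentionRule("US", None, 730, "placeholder state record-keeping rule"),
]
SAMPLE_RECORDS = [
    ArchivedRecord("t1", "DE", "transaction", date(2020, 1, 1)),
    ArchivedRecord("t2", "FR", "transaction", date(2022, 1, 1)),
    ArchivedRecord("t3", "US", "transaction", date(2020, 1, 1), under_audit_hold=True),
]
TODAY = date(2024, 6, 1)  # constructed "as of" date for the sample run
```

Running `review(RULES, SAMPLE_RECORDS, TODAY)` retains the German record under its longer market-specific rule, marks the French record for disposal under the global default, and holds the US record despite its period having lapsed.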
Again, what we’re seeing is data that’s no longer needed for production but that must be retained—subject to strict privacy, security and retention rules—and which must still be accessible whenever it’s needed. Sounds a lot like our other Application Decommissioning examples, doesn’t it? In this case, however, there were actually no applications that had to be decommissioned. Instead, the data is being archived from a variety of active source applications that will continue to remain in place.
How Active Archiving Can Help
So here we come upon a different twist to the power of InfoArchive. While it’s a great vehicle to help retire legacy applications, InfoArchive is just as applicable to complex active archiving in general. The term “active archiving” refers to InfoArchive’s ability to securely archive and retain data without losing the real-time ability to query and report on it. Standard archiving uses tiered storage approaches that make recent data more accessible but older data harder to find. That doesn’t cut it when it’s unclear exactly which data is going to be needed for a particular purpose. Nor can traditional archiving handle the complexity of the compliance requirements—especially in this industry where those rules are about as complex as they get.
For our customer, InfoArchive was the perfect solution. Using InfoArchive’s active archiving capabilities and leveraging Dell EMC’s Isilon storage, we were able to build a fully SEC-compliant central repository that enforces more than 5,000 data retention and disposal policies while providing rich real-time search and reporting.
Starting with two pilot applications, around 200 MB of credit card data is now being captured every day—a number that will grow significantly as more and more source applications are added. Just as with our Application Decommissioning solutions, the initial project was completed quickly—in about 6 months—and is already producing results while the next wave of additional source applications is being identified.
Reducing Compliance Risk and Financial Exposure
In this case, because the source applications remain in place, we don’t expect to see the same kinds of dramatic cost savings experienced with Application Decommissioning. However, this solution has significantly reduced our customer’s compliance risk—and financial exposure—in a very difficult regulatory environment. Past experience with failed audits gives this solution tremendous business value in the eyes of senior management.
Here we’ve seen an interesting example of how InfoArchive can handle complex archiving and compliance requirements—whether the source applications are retired or left in place. The business case is different, of course, but the solution very much the same. Now, in our next blog, we’ll go back to more examples of the power of Application Decommissioning itself—this time from the Energy industry.