There have been a lot of changes in 22 years. When I joined TSYS we were using black & white cameras. When color came into the picture it allowed for a whole new level of detail. New information to use for discovering whom and what was caught on camera. Now we are in a similar transition, a time where big data is uncovering usable information that can allow us to be more effective at maintaining a safe, secure and code compliant environment. This case study will showcase how TSYS has managed to innovate over time. Not just one major project or redesign, but researching, testing and implementing new technology to improve detection, response, and analysis.
Let’s begin with a review of TSYS and their business model. This is always the first step to creating or measuring the efficacy of a security program. Total System Services (commonly referred to as TSYS) is a United States credit card processor, merchant acquirer, and bank credit card issuer. TSYS provides payment processing, merchant, and related payment services to financial and nonfinancial institutions in the United States, Europe, Canada, Mexico, and internationally.
The key takeaways from our company description are our risk profile. As a credit card processor, we are held to a strict standard around PCI compliance. We undergo approximately 60 audits per year. And these audits aren’t easy. They are conducted by both our clients (major card issuers) and Federal Examiners. We supplement external audits with internal audits also. This has become increasingly more critical in the industry over the past several years as regulations have become more and more stringent.
Our footprint is international, with varying security threat levels seen at each location. Our biggest challenge is our high secure areas: card production facilities and data centers. We utilize turnstiles/revolvers, anti-tailgating, and anti-passback. The layered approach is what makes our security program effective. On the video side, we require 90 days of video storage, which is driving our servers into some pretty significant sized hard drives.
This year we migrated from a Software House CCURE 800 system to a CCURE 9000 system. This has been no easy task, but there are a few things that have contributed to our success. To start, we’ve been growing by acquisition for quite some time. As these acquisitions have, and continue to, take place we convert the new locations to the security platform. As you can imagine, getting the buy-in and cooperation from the new local security management can be a challenge. However, when we are able to articulate the purpose, the strict requirements we have to adhere to and the risk any non-conformity can bring to the enterprise, we are able to find some common ground and focus on the task at hand.
Our GSRC (Global Security Resource Center) is the heart of our security program. We have a 47-member team in our corporate security department, including operations/technology, badging/administration, programmers, and installers. Beyond the GSRC we have forged key partnerships with our integrators outside of our headquarters and across the globe. Managing these relationships is so important to our overall success. Ensuring that you have a strong alignment between your organizational priorities and security department deliverables with the integrator’s business model is the only to you will have consistency in delivery and performance.
Tech Systems, Inc. headquartered in Buford, GA, is an integrator partner who has built resources around our operation and prioritized our needs to help make us successful. The CCURE migration is one of many projects we’ve done with them throughout the years. As we’ve identified a system enhancement or growth or conversion we needed to complete, we’ve been able to rely on them for sensitive timetables and adherence to the strict compliance requirements we are held to.
Here is a breakdown of our security program:
As mentioned above, we utilize the Software House CCURE 9000 platform. This comprises one Master Application Server and four Satellite Application Servers. We have just less than 23,000 cardholders. There are over 130 access control panels, supporting almost 1,000 doors (a couple hundred of these are badge-in/badge-out doors). Approximately 2,500 inputs and 1,200 outputs are integrated into the system.
Biometrics is in use at the high-risk areas with the templates on the card. This is a multi-factor authentication system that greatly reduces the risk of unauthorized entry as it requires the card, the pin and the biometric to release the door. Similarly, we have mantraps and turnstiles in place making it very difficult for an adversary to enter.
We manage our visitor credentials with the iPass Visitor Management system. Escorts are required for visitors and it is essential that we are able to audit visitor whereabouts.
The Avigilon video management system is primarily used to support approximately 800 cameras. All the cameras have been converted to IP, another ongoing migration. Many of these are IP cameras, but we’ve also utilized encoders where it makes sense.
We are beginning to implement video analytics. While innovation is at the core of what we do, it is also important that the proper analysis and vetting is done before installing a new piece of technology.
There are some other video management systems in play, including Intellex, March and American Dynamics.
While there are many video platforms that all function similarly and offer some unique benefits, the value of the video is how it’s used. We integrate our video with our access control system so we can monitor real-time, easily retrieve the video for specific incidents, and collect the information we need when we need it.
The GSRC is outfitted with a video wall display comprising four 50” monitors and nine 22” monitors. We monitor the alarms from the access control system, as well as the corresponding inputs. Another important function is monitoring travel. All TSYS Team member travel is monitored for potential threats. We don’t limit it to just executives. I’d like to say that this is just an added employee benefit, but in our line of work what’s really at stake is the risk of social engineering. It’s not just executives who are valuable and at risk, it is every single employee.
Big data is the current buzzword the security industry is discussing. In our business, it’s incredibly important. Our audits are all about the data. Our ability to function relies on the data, how it’s collected, how it’s managed and what it tells us. If we didn’t manage our security data effectively we wouldn’t be around anymore.
BIRS is the term we use, which stands for business intelligence reporting system. BIRS enables us to define the data we need and extract it from the systems we need it pulled from. This allows us to automate a process that is otherwise manual and prone to human error.
Our systems are also tied in via a web-interface from our Human Resources Department using personnel management software. On-demand reporting is accessible through a browser. By pulling data directly from HR, we are able to rely on the latest hires, terminations, and status changes.
Clearance Level Management
An organization our size constantly has requests to add, modify and terminate clearance levels. These transactions are subject to auditing and need to be documented and approved according to a strict policy. As a result, we created our own system we call “PASS” for managing online approvals. This system ensures that proper authorization has been granted prior to administering the changes. For example, we have a policy that requires separation of duties to reduce the risk of compromising the integrity of our security program. If someone makes a request that breaks this rule, the request will be denied and an automatic notification will be sent at the end of the day.
The corporate security team is broad and diverse at TSYS. Additionally, we have partnerships with third-party guard companies that we rely on to assess, respond and mitigate incidents. As with integrator relationships, we have to be clear about the expectations, needs, and procedures. Post orders are only effective when they are clearly written, simple and informative.
Additionally, the corporate security team communicates with several other departments on a regular basis. Security is at the core of our organization so others rely on us to perform their duties. As our policy has become more defined and structured, and the regulations have become more stringent, it is essential that we perform. Our ability to adhere to these policies and standards is necessary for our success. If we are out of compliance, the costs pile up, not to mention the relative risk, therefore, IT, Risk Management, and the Executive Management are heavily involved in our strategy and future.
Ongoing Innovation – Budgeting, ROI and Staying Ahead
Maintaining our accreditation is critical to our business, so we have to work those necessary components into the budget. Otherwise, you find yourself trying to obtain the resources when you are in the middle of a forest fire.
The budgeting process is never fun, never easy, and sometimes you don’t get what you ask for. But we’ve been successful by aligning our budget requests with our security policy. Because the policy is highly valued and mitigates our risk of non-compliance in an audit, we can more easily get funding for the enhancements we need as a result.
In order to take advantage of money when it’s available, and justify requests when we submit them, we are constantly evaluating new technology. We perform a rigorous review and testing and work with other end-users so we have a different set of data and input. When the opportunity arises, we have a recommendation ready to submit for approval.
As with most things, security management is not a one-man show. It requires a dedicated team to assess, design, maintain and operate the security technology, and buy-in from the company at all levels to enforce policies and standards. Keep your focus on the task at hand, but it’s also important to zoom out from time-to-time and see the big picture. Do you truly know where your security program is most effective today? Do you know where it’s ineffective? Do you have a plan to close the gap from where you are to where you want to be? Are you measuring the right benchmarks and moving the needle in the right direction? Do you have a long-term plan for your security program, taking into account the overall business strategy of the enterprise?
No matter where you are today, what funding you have available, or who makes the final decision… You have an opportunity to influence the security posture of the organization. So figure out what you can do today with the resources you have, what needs to happen next, and where you hope to be in the long term. Stay apprised of industry trends, corporate strategy and aligns yourself and your security organization the best you can. I can only imagine where we will be 22 years from now.
About the author: Jay Redden is the Security Director for TSYS.