How ALTR Helped Q2’s Biller Direct Offering Become Level 1 PCI DSS Certified in 30 Days
By James Beecham, CTO at ALTR
By John Nguyen, Sr. Partner Solutions Architect at AWS
Q2 is a publicly traded, Austin, Texas-based financial experience company that provides digital banking and lending solutions to banks, credit unions, alternative finance, and fintech companies in the U.S. and internationally.
In this post, we’ll focus on how Q2 worked with Austin-based ALTR, an AWS Partner and provider of data security as a service that runs exclusively on Amazon Web Services (AWS), to launch a PCI DSS-compliant application in a fraction of the time it normally takes to achieve certification.
The Payment Card Industry Data Security Standard (PCI DSS) is an information security standard for organizations that handle branded credit cards. The PCI standard is mandated by the card companies but is administered by the Payment Card Industry Security Standards Council.
Q2’s Biller Direct application provides a centralized payment environment where users can enroll, manage their bills, and view projected spend.
As they prepared to launch the Biller Direct application, Q2 faced a challenge in that the application made them responsible for a windfall of sensitive payment data (more than 250,000 new credit card numbers) that would be subject to PCI DSS.
For this application to succeed, Q2 needed to become PCI-certified so they could prove to regulators and customers that all of the valuable data would be safe. As the go-live date for Biller Direct approached, the team had to quickly find a solution.
To ensure Biller Direct received proper certification in time, and to not place their already existing data centers and cloud operations within PCI scope, Q2 made the decision that a distinct and separate cloud environment was needed to run and scale the new application.
This decision created a complex environment which required a partner that specialized in protecting sensitive data in the cloud.
ALTR is a leading provider of data security delivered as a service for data of all types and formats. Their highly credentialed software-as-a-service (SaaS) environment runs exclusively on AWS and provides a suite of integration options, including database drivers, REST APIs, and native integrations into leading cloud data warehouses.
ALTR’s platform can be used in any application to help observe data access, protect data at rest with tokenization, and prevent SQL injection as well as credentialed access threats to data. All of this can be achieved with minimal application changes, mostly to configuration, and all without needing to install or run additional infrastructure components.
Figure 1 – Simple system diagram showing ALTR Database Driver as part of the AWS service.
ALTR’s database drivers can be configured to tokenize and detokenize data transparently for applications.
When tokenized data is requested by an application, ALTR invokes data governance logic to ensure detokenizing the data is safe and appropriate. This logic can include user/role access rules, as well as access rate thresholds, limiting the application’s ability to get plain text data from the database.
When properly configured and within governance rules, plain text information flows back to the application just as if it were stored in the database in plain text.
Figure 2 – Fragmentation and encoding schemes provide seamless delivery of tokens without client involvement.
This ease-of-use and high control position of the database driver made the ALTR solution uniquely appealing to Q2’s Biller Direct team, leading to a purchase and integration.
Following, we will detail the steps Q2 took to become PCI Level 1 certified in less than 30 days using ALTR’s advanced data security platform.
The Path to PCI in the Cloud Starts with Data
Success with any application that wants to touch or process PCI typed data requires limiting the scope of the application or infrastructure that needs to be reviewed. Without this reduction in scope, the cost and time of compliance can make the economics of the application upside down.
With the idea of putting Biller Direct application on AWS, the team at Q2 first needed to decide upon a database technology to hold the credit card information.
The Biller Direct application was built using a relational database typically suited for this type of work, which made the selection of Amazon Relational Database Service (Amazon RDS) straightforward for the teams.
ALTR’s wide array of support for structured databases allowed Biller Direct to pick any flavor of Amazon RDS eventually selecting Amazon RDS for MariaDB.
Data Access Isolation
Continuing the process of reducing scope, it was decided that a single AWS Fargate container written in Java would be the sole access and processing point for the PCI data.
This decision made the process of securing data access much simpler, as there would be only one application service in scope for PCI assessment. This meant the insertion of the ALTR Smart Database Driver into a single application service would be extremely easy.
Figure 3 – Single Fargate instance in PCI scope due to ALTR integration.
Ready for ALTR’s JDBC Integration
With the Biller Direct infrastructure mapped and built out on AWS, it was time to introduce the security solution required to store and access sensitive PCI data within the cloud.
The following steps were completed in this order:
- Packaged the ALTR JDBC Driver and dependencies into base Amazon Machine Image (AMI) for use in the Biller Direct service.
- Connected Biller Direct’s Amazon Virtual Private Cloud (VPC) to the ALTR SaaS VPC using AWS PrivateLink. This step prevented sensitive information from ever leaving the AWS backbone.
- Modified the service’s database connection information to select the ALTR JDBC Driver for MariaDB.
- Using the ALTR SaaS portal, configured both tokenization and access rules/limits for PCI data flowing through the ALTR JDBC Driver.
Packaged ALTR JDBC Driver with Base AMI
Installation of ALTR’s JDBC driver is compatible with Windows and Linux and can be automated. For Biller Direct, ALTR used the Linux command line utility to install all required Java JAR files into the proper location within the file system.
Once this was completed, a new base AMI was created and used within all subsequent container deployments.
Figure 4 – Simple list of dependencies now a part of base machine image.
Connected Biller Direct to ALTR SaaS
Using all of the built-in features of AWS PrivateLink, the Biller Direct operations teams made the request to link the two environments. ALTR’s operations team was able to respond to this request quickly, making the networking of the two services seamless and simple.
Now, all PCI-related data would be flowing not over the public internet but between the ALTR Smart Database Driver and ALTR’s SaaS platform through AWS’s backbone.
Figure 5 – AWS PrivateLink makes communication secure and simple.
Modified Biller Direct to Utilize ALTR JDBC Driver
ALTR’s JDBC Database Driver is fully compatible with the Java DatabaseManager class, which means taking advantage of ALTR’s driver within the Java application is extremely simple.
A modification of the connection string is all that’s required for applications to begin using the ALTR Database Driver. The addition of the word ‘altr’ in the URL or driver class section triggers the Java driver manager to instantiate the ALTR JDBC driver for the application.
Figure 6 – Small change on lines 11 and 13 to include ALTR JDBC Database Driver.
To the Biller Direct application, ALTR’s JDBC driver is a fully compatible JDBC interface, removing the requirement to change any other aspects of the application to take advantage of the security tool.
Under the covers, the ALTR JDBC Driver simply instantiates the “golden” driver provided by the operating system to connect to the database. This makes upgrading and using the ALTR driver in the Biller Direct application extremely easy.
Figure 7 – ALTR JBDC Driver.
Configured the Security Settings in ALTR’s SaaS Portal
Biller Direct security engineers had the final step of configuring the ALTR JDBC Driver to understand where PCI was located in the Amazon RDS instance, as well as how much data access should be expected. These simple configuration changes allowed Biller Direct to “protect,” or tokenize, the PCI data in question.
Figure 8 – ALTR’s simple, no-code interface for configuration of data protection.
ALTR’s advanced data security platform also allows for controlling of data in use, placing limits on how much data can be detokenized by the driver for a given time period or access amount. These advanced features are a critical component of becoming Level 1 PCI certified.
It’s not enough to just tokenize data in a database and expect the highest PCI certification. The use or consumption of that data must be logged and controlled. This is difficult to do when the logic to do so falls into your lap.
However, this is easy to do with the ALTR Smart Database Driver as Biller Direct discovered, making credentialed threats or SQL injection attacks non-starters for their customers’ data.
Figure 9 – User-defined policy to limit how much PCI data can be consumed.
With little distraction and minimal changes, Q2 was able to launch Biller Direct safely in the cloud for their customers without delay or missing deadlines.
The Level 1 PCI review was smooth and easy, and was conducted by a leading Qualified Security Assessor service based in Chicago. ALTR’s data security as a service was so critical to the process that the use of ALTR was named in the Attestation of Compliance for the Biller Direct product.
It’s important to note that at rest protection of data alone did not qualify Biller Direct for Level 1 PCI status, but rather the holistic approach to security detailed above by ALTR. The combination of controlling at rest protections with real-time breach and threat mitigations are necessary steps to achieve Level 1 PCI. All of these steps are provided natively by ALTR and delivered as SaaS.
“ALTR showed us a vision for solving our PCI compliance and operational security challenges that exceeded what we expected to find in the market,” says Adam Blue, CTO at Q2. “The combination of transparency in tracking access to our data, the ability to enforce policy in real-time, and the blockchain storage option for protecting sensitive data was not available from anyone else we evaluated.”
Biller Direct has been a huge differentiator for Q2’s customers, turning a cost center into a profit center for any bank or credit union doing bill pay. The solution scales together natively as both systems are built to run in the cloud.
ALTR – AWS Partner Spotlight
ALTR is an AWS ISV Partner whose no-code cloud platform provides data intelligence, governance, and security to enable the data-driven enterprise.
*Already worked with ALTR? Rate the Partner
*To review an AWS Partner, you must be a customer that has worked with them directly on a project.