For over thirty years, Wakefield, Massachusetts-based Primax has been delivering a full range of credit card, debit card, and merchant-acquiring programs to its clients. Complying with the Payment Card Industry Data Security Standard (PCI DSS) is critical to Primax and its customers – banks, credit unions and businesses – throughout the United States. Primax was using PGP-encrypted email to exchange data files with its customers, but a recent PCI security assessment indicated that it needed a more secure solution to comply with PCI DSS.
As a Business Analyst and Developer on the Primax Information Technology team – a small group that supports eighty employees and over one hundred clients – John Erwin wears many hats. One of his responsibilities was leading the search for a secure file transfer solution. “We conducted a very thorough search and looked at a dozen different products,” John said. “Security, reliability, and ease of use, through a web-based interface, were all important to us, as was a solution that used FTP with SSH standards-based protocols. Pricing was also a factor.” Primax customers often have multiple users, and John did not want to grapple with managing per-user licensing each time a new user was added.
With positive experience using Progress’s WS_FTP Server, John expected that Progress would make his short list. After full evaluation, Primax chose Progress MOVEit Transfer for its managed file transfer solution. “There were a number of elements that went into our decision,” John reported. “For one, having data encrypted in transit and at rest was key for PCI compliance, which is obviously critical in our business. Ease of use for our client-side users is very important for us, and MOVEit (DMZ) fits the bill for both our technical and non-technical end users. A final deciding factor was the pricing model, which gave us the flexibility we were looking for.”
Each day, Primax exchanges several hundred files with its customers and partners. These include 20-30 scripted processes that run daily, as well as many ad hoc uploads and downloads. The types of files exchanged include spreadsheets, basic credit card validation reports, and fraud reports, and the files typically contain sensitive personally identifiable information, the type of data that PCI standards cover. Files exchanged using MOVEit Transfer (DMZ) are protected in transit and at rest, using proven encryption (FIPS 140-2 validated AES), receiver authentication, and delivery confirmation. MOVEit Transfer also enables Primax and its customers to enforce user, system, and file security policies. The security hardening process, which is wizard-based, is simple to use. One example of how this stringent security is implemented for Primax and its customers is the handling of fraud reports, with only certain groups authorized to access these reports. “Being able to set access rights like these takes us far beyond what we could do with the basic inbox-outbox functionality of traditional FTP products,” John Erwin says.
While meeting PCI security standards for file transfer was a major motivation for Primax adopting MOVEit Transfer, the company also recognized that its legacy PGP encryption approach placed a tremendous administrative burden on clients, who had to manage encryption keys, deal with lost keys, and worry whether someone had used the correct key to encrypt and decrypt files. With MOVEit, these tedious and error-prone tasks are eliminated. Users can directly download the information they need.
While moving their PGP-based tasks to MOVEit, Primax also decided to migrate Progress’s WS_FTP file transfers. This provides the benefit of having a single, centralized platform for the management, administration, and control of all file transfers.
Overall, Primax’s clients have found MOVEit Transfer’s administration and end-user management processes simple to use. This is especially helpful for companies whose administrators don’t have significant technical skills. That same ease of use enables Primax and its clients to build custom notifications for end users with little effort.
Visibility into file status has proven to be a delight for Primax and its customers. A simple click on a link to a file yields a full audit trail, showing who has uploaded or downloaded files, when the files were accessed, and more. “Information that was once difficult, or even impossible, to access is now available self-service. This is a big productivity win for both our customers and our internal users. Our clients just love it,” John says.