Hughes and IBM Internet Security Systems

Increasing security and reducing costs with IBM Internet Security Systems.

Download (79.3 KB)

Providing a secure environment for retailers worldwide Retailers today are threatened with customer identity theft by hackers and sophisticated cyber­crime attacks. Whether a retailer is providing e­commerce or simply processing credit card data electronically, security threats such as identity theft and fraud can have far­reaching financial impact, involving customers, retailers and credit card issuers.

Hughes Network Systems, LLC ( is the global leader in providing broadband satellite networks and services for large enterprises, governments, small businesses and consumers. Its HughesNet service offering encompasses all broadband solutions and managed services from Hughes, bridging the best of satellite and terrestrial technologies. Hughes has shipped more than 1.2 million systems to customers in more than 100 countries. Headquartered outside Washington, D.C., in Germantown, Maryland, Hughes maintains sales and support offices worldwide. Hughes is a wholly owned subsidiary of Hughes Communications, Inc. (NASDAQ: HUGH).

As a managed network service provider, Hughes securely connects the distributed enterprise, enabling customer relationship management (CRM), enterprise resource planning (ERP) and credit card processing services. Many of its customers are retailers. In 2004, a group of payment card issuers established the Payment Card Industry Data Security Standard (PCI DSS) to bolster electronic networks against customer identity theft. Credit card issuers such as Visa, MasterCard, American Express and Discover now require retailers and their service providers to comply with strict PCI DSS requirements or face serious financial penalties in the event of credit card data theft. Just as retailers must meet PCI compliance standards, so must Hughes as the managed network service provider carrying their credit card transactions.

“The biggest surprise was how quickly the initial assessment, remediation and compliance report were completed.”
—Doug Medina, senior director of enterprise marketing, Hughes Network Systems

“Hughes has long been trusted by retail customers for its security, speed, effi­ciency and affordability when it comes to carrying customers’ credit card data,” says Doug Medina, senior director of enterprise marketing for Hughes. “We already followed ISO­9001 standards and maintained stringent security policies, but in our case, PCI compliance requires an annual audit from a third party. That's when we turned to IBM Internet Security Systems.”

Supporting compliance with a Qualified Security Assessor

According to PCI DSS, Hughes qualifies as a Level 1 Service Provider. This means Hughes must use a qualified third­party vendor to complete the annual PCI Report on Compliance (ROC). Only approved and certified companies and assessors are permitted to conduct third­party ROC assessments, which immediately nar­ rowed the list of potential providers.

IBM Internet Security SystemsTM (ISS) is classified as a Qualified Security Assessor (QSA). Hughes selected IBM ISS based on the expertise of its secu­ rity analysts and the content of its IBM Professional Security Services for PCI compliance. IBM ISS is a trusted security advisor to enterprises world­ wide and was well positioned to work as Hughes’s advocate throughout the compliance process.

In the first step, IBM ISS performed a three­day security assessment of Hughes’s network and security archi­ tecture, working closely with Hughes’s technical resources. Hughes was impressed with the depth of experi­ ence and knowledge of the IBM ISS assessor. “Our IBM ISS assessor came to us already prepared with advice and made the entire process extremely efficient,” says Medina. “He was techni­ cally adept and security savvy so he was able to conduct a detailed, specific assessment of our systems with very little learning curve.”

Hughes’s network security standards and policies were well established, but Hughes wasn’t sure how well until the assessment was completed. During the process, the company identified a need for more formal documentation for com­ pliance. It requested technical guidance from IBM ISS for securing transactions in the approved manner. The time from the beginning of the assessment to the sub­ mission of the ROC was less than four months for Hughes and IBM ISS. “The biggest surprise was how quickly the initial assessment, remediation and com­ pliance report were completed,” says Medina. “We were compliant before the deadline and now that we’ve established some history, familiarity and documenta­ tion with IBM ISS, we will turn to them for future assessments as well.” This is no small feat, as the PCI deadlines come quickly and have taken many providers by surprise.

Turning PCI compliance into a customer benefit

Hughes is one of only a handful of man­ aged network service providers to have received a Protection of Cardholder Information Data Security certification. Of more than 250 companies consid­ ered to be compliant by Visa USA’s Cardholder Information Security Program (CISP), Hughes is one of only nine com­ panies certified for transmission of credit card information. Of those, Hughes is the largest managed network services company, with more sites under man­ agement than any other provider on the list. In addition, Hughes has a long his­ tory of providing enterprise networks to carry credit cards, dating back to the first Wal­Mart wide area network (WAN) deployment. Today Hughes carries more than 10 million financial transactions to seven credit authorizers each day from more than 19,000 restaurants and gas stations throughout the United States.

To be PCI compliant as a service pro­ vider, a networking company must address network operations processes and procedures as well as network architecture. Hughes has made signifi­ cant investments in Network Operations Center infrastructure, remote equipment and business processes. Hughes’s system engineers and professional ser­ vice experts understand the complexities of PCI DSS compliance. As a result, the company can create solutions that readily interface with existing customer equipment, making it easier to deploy PCI­compliant solutions for its customers. And Hughes’s certification ensures that its WAN meets PCI standards.

Now by choosing Hughes, retailers will already have a managed network service provider that can offer a PCI­ compliant WAN, virtual private network (VPN) over the Internet, or a private network configuration.

Business users must be confident that they are not just making due by employ­ ing a network alternative that merely skirts security standards. Hughes cus­ tomers have confidence that they are meeting compliance guidelines. At the same time, the cost and complexity of establishing a PCI­ compliant transac­ tion architecture is not insignificant. The time required for retailers to achieve compliance on their own, compounded by the time and expense of PCI DSS audits by third­party security certifica­ tion providers, builds a compelling case for working with service providers like Hughes.

“[Our IBM ISS assessor] ... was technically adept and security savvy so he was able to conduct a detailed, specific assessment of our systems with very little learning curve.”
— Doug Medina, senior director of enterprise marketing, Hughes Network Systems

Working with IBM to strengthen customer loyalty

Now PCI DSS compliant and with a strengthened service offering, Hughes is able to offer enhanced interface capa­ bilities to its retail customers worldwide. IBM ISS expertise in security and PCI compliance, together with its QSA status, delivered a rapid, efficient auditing and remediation solution that ensured that Hughes would retain its respected posi­ tion as a trusted service provider to its valued customers.

Customers are assured that Hughes Network Systems meets the highest stan­ dards of transaction processing security and that their data is protected and secure. At the same time, Hughes has strengthened the perception of its brand in a highly competitive marketplace.