CASE STUDY PayFlex Bolsters Web Application Security and Visibility with Imperva

Upload: dinhhuong

Post on 30-Jun-2018



Customer

PayFlex Systems USA, Inc. 10802 Farnam Drive, Suite 100 Omaha, NE 68154

Requirements

• Meet compliance and security requirements as quickly as possible

• Ease of use

• Fits with current infrastructure and development processes

Solution

The Imperva SecureSphere Web Application Firewall provided much-needed visibility into PayFlex’s applications.

Bottom Line

• Fast time to deployment

• Application visibility

• Complements PayFlex’s Secure Development Lifecycle

Overview

PayFlex is a third-party administrator working directly with employers to administer their benefit spending accounts, COBRA and Transit programs. PayFlex has been in business for the past 20 years and is based in Omaha, Nebraska.

Security Challenge

Medical savings accounts have become a standard part of many Americans’ lives. Millions of people allocate money for medical treatment or drugs and, come tax time, use these expenditures as a write-off. To facilitate the process, PayFlex provides consumers a specialized debit card for medical transactions including co-pays and drug purchases.

The convenience provided by a dedicated debit card for medical expenditures, however, is balanced by the potential security and regulatory considerations. PayFlex sits on the debit card numbers for each of their consumers as well as their claim data. “We have a responsibility to hold ourselves to the highest security standards to protect our customers and their employees,” explains Jason Weiss, VP of Technology from PayFlex.

Since PayFlex stores debit card and healthcare data, regulatory compliance is a major consideration. PayFlex must contend with:

• PCI: While PCI mandates basic network security controls to protect cardholder data, PayFlex also builds many of its own custom applications. In this case, PCI requires a WAF or code analysis. “I can put in place a WAF or I can do yearly code audits that provide an occasional security snapshot. From a cost standpoint, it’s a no brainer—WAF makes the most sense. While we teach developers proper coding techniques, bad code can slip through the cracks. The WAF is our safety net in case something is missed.”

• HIPAA: The HIPAA standards require that enterprises must prevent health information from walking out the door. Liability for a breach is expensive—up to $1.5 million since the implementation of the HITECH Act. The WAF provides an additional layer of protection against potential incidents.

Technical Environment

To protect its web-based transactions from hackers, PayFlex deployed the Imperva SecureSphere Web Application Firewall.

SecureSphere delivers total visibility into data access and usage. The easy-to-use interface provides granular policy creation and enforcement to prevent unauthorized access or changes to data.


imperva.com

© 2014, Imperva, Inc. All rights reserved. Imperva, the Imperva logo, SecureSphere, Incapsula and Skyfence are trademarks of Imperva, Inc. and its subsidiaries. All other brand or product names are trademarks or registered trademarks of their respective holders. CS-IMPV-PayFlex-0116-v1


Why Imperva?

PayFlex selected Imperva over other vendors for several reasons:

• Fast time to deployment: Quick deployment means quick compliance and security. Mr. Weiss explains, “With Imperva, our WAF was up in less than a week. This dramatically improves our speed to security and compliance. Additionally, this means my security team can focus on other priorities.”

• Application visibility: Imperva SecureSphere gives the network team a better idea of what happens on the application side. “Imperva helps our network team understand what applications are actually doing. They know what kind of requests PayFlex is getting and whether they are friendly or suspect.”

• Complements PayFlex’s Secure Development Lifecycle: Imperva gives the PayFlex development team much-needed visibility into application attack characteristics, helping developers prioritize their secure coding efforts.

“Imperva helps our network team understand what applications are actually doing. They know what kind of requests PayFlex is getting and whether they are friendly or suspect.”

Jason Weiss, VP of Technology, PayFlex