Case study: Travelex aims for security compliance
The foreign exchange firm steps up staff awareness and buy-in of IT security policies as part of a wider compliance-driven project
New tool increased awareness of IT security and reduced the risk of data leakage
Foreign exchange firm Travelex has implemented a tool to share and capture staff responses to IT security policies and risk assessments as part of its efforts to become compliant with the Payment Card Industry Data Security Standard (PCI DSS).
With more than 6,500 staff worldwide, the firm rolled out the software to communicate its IT security and compliance policies effectively to staff and to maintain best-practice standards.
Prior to introducing the new system, internal alternatives such as email, intranet and even a paper-based solution were considered to fulfil the firm’s requirements, but given the scale of the task and impracticalities such as the need for staff signatures, such options proved unviable.
“We recognised that compliance with the [PCI] standard would be an issue for us without using a specialised tool,” said Travelex IT security manager Duncan Phillips.
“However, with other regulatory commitments and business requirements, we sought a solution that would tick a lot more boxes than PCI.”
According to Phillips, the ability to disseminate and capture employee reactions to IT security rules, combined with the scalability provided by the system for use in business areas such as HR and training, allowed the security team to gain senior buy-in for the project.
“We recognised straight away that beyond the IT security policy delivery there was going to be room for expansion and added value,” said Phillips.
“When we demonstrated the adaptability and the power and scale of the system, it was immediately obvious to senior management that there were lots of different ways that we could use it, to fulfil other requirements beyond the basic delivery and click-to-agree functionality.”
Benefits gained from the use of the system to date include an increase in staff understanding, awareness and buy-in for Travelex’s IT security and compliance policies; protection of corporate infrastructure from malware and viruses; and a reduced risk of data leakage.
The foreign exchange group said that user feedback was “extremely positive” and that it will make further investment in the platform in 2009. Upcoming regulatory milestones include the incorporation of Travelex’s anti-money-laundering policy into the system as well as further integration into other parts of the business.
Travelex aims to become fully PCI DSS compliant this year.
The MetaCompliance software the company used was provided by supplier Baronscourt.