PCI DSS compliance: Two-factor to protect financial information
As an e-commerce retailer, Threadless needed to meet PCI DSS (Payment Card Industry Data Security Standard) compliance in order to securely process online orders.
After undergoing a security audit, they were told they needed to implement two-factor authentication to protect the personal, financial and transaction data of their customers, according to their IT Infrastructure Manager, Tristan Hammond.
Previously, Threadless had settled on using RSA’s two-factor solution, but suffered through a long and painful deployment process, as well as innumerable support issues post-setup.
While using RSA’s mobile apps, Threadless employees were experiencing all kinds of authentication errors. Tristan spent a lot of time on the phone with RSA’s customer service trying to track down why authentications were failing so often, but never received an answer from the company.
Frustrated, they started looking for a new two-factor solution that would solve their headaches. Shortly after, a developer friend, Harper Reed, the former CTO of Obama for America, referred them to Duo Security.
Ease of use, simplicity, confidence & trust
Tristan was attracted to Duo Security’s solution for its ease of use and simplicity - both in implementation and in day-to-day use by clients. Cost-effectiveness was also a factor, since RSA’s shortest contract term was three years.
Threadless had also lost confidence and trust in RSA as a company.
“[RSA is a] security company that’s proving itself to not be secure anymore...when you get to a place where you’re using a corporate-y solution from a company that appears to be more concerned with their profit than security, it makes you feel kinda gross and uneasy,” said Tristan.
Building a relationship with Duo
For Threadless, confidence and trust came from great communication with Duo Security’s CEO and co-founder, Dug Song.
“It was more like building a relationship instead of just buying or being sold on a product,” said Tristan. “It’s very apparent that security is a prevalent concern for Dug, which is very good when you’re running a security company.”
Deployment: Remarkably fast and easy
With Duo’s self-enrollment feature, Threadless employees were able to choose which authentication method they wanted to use when they signed up. Two-factor authentication on their Juniper SSL VPN lets in-house staff work remotely while still securely accessing assets available only on the Threadless network.
Each team from Threadless uses Duo Security’s two-factor solution to safeguard different types of sensitive information. The Threadless engineers and developers use two-factor to protect access to their AWS (Amazon Web Services) infrastructure, including databases that house customer information. The finance team uses two-factor to protect access to financial documentation stored both locally and in the cloud, while the product and creative teams use the solution to protect raw photo assets.
According to Tristan, testing was easy with their VMware setup - they were able to spin up a couple of virtual machines and point a second VPN appliance at them for internal testing. This allowed them to try out Duo’s two-factor without removing what they already had in place.
Switching over was also incredibly simple. “I changed a few IP addresses and hostnames, and we were done.”
There was silence
Tristan rolled out two-factor after testing the solution with a few users from each department. After that, “there was silence.”
“I haven’t gotten a single complaint about it. If no one’s talking about it, that’s a good thing - nothing’s broken,” said Tristan. “Our overall experience with Duo has been extremely easy - that’s not something that always happens in the technology world...I would definitely recommend it.”