Sacombank Streamlines PCI DSS Compliance Across Drives, Data Centers and ATMs | Blancco Case Study

Regulatory compliance is always front-of-mind for IT organizations within financial institutions. Protecting sensitive data across its lifecycle, including verifiable, secure erasure at the time of data disposal, is a critical part of fulfilling this obligation.

Sacombank, a large bank in Vietnam, implemented a broad range of Blancco data erasure solutions to meet the demands of strict data protection requirements, including directives from Vietnamese national banking authorities.

Highlights

Sacombank implemented Blancco secure erasure solutions to:

  • Unify secure erasure processes across PCs, mobile devices, servers, storage devices and virtual machines
  • Securely bulk-erase large numbers of loose hard drives from ATMs
  • Comply with State Bank of Vietnam regulations to protect customer data
  • Provide reporting and certification of completed secure erasure for audit purposes

Challenge

The banking, financial services and insurance (BFSI) segment includes some of the most highly regulated industries in the world. Processing vast amounts of highly sensitive personal and corporate financial data means data breaches carry an exceptionally high risk of harm to these organizations and their customers. Consequently, regulatory non-compliance can mean stiff financial penalties and other consequences.

In Vietnam, both the global Payment Card Industry Data Security Standard (PCI DSS) and State Bank of Vietnam Circular 18, 2018, mandate secure erasure of data storage assets and end-of-life data (such as no-longer-needed cardholder information). This guards against unauthorized access to corporate and personal financial and credit information. Data destruction must be certified with digitally signed reports to support audit requirements and provide assurance of complete data protection.

To meet its data protection obligations, Sacombank relied for years on physically destroying decommissioned drives and other storage media. While effective, the process was costly, time-consuming and lacked a centralized view of sanitization activity. Also, Sacombank needed an end-of-life solution for both IT assets and data. Because data often needs to be eliminated at a different time than the physical media it dwells on, physical destruction often doesn’t apply.

For strict yet cost-effective regulatory compliance, the bank also needed a streamlined, centralized way to perform and track data erasure across a range of devices, from laptops to virtual machines to ATMs.

Solution

Sacombank is one of the first commercial banks established in Ho Chi Minh City and is among the leading joint stock banks in Vietnam. Sacombank leadership wanted to streamline its sanitization processes, reduce costs and help its staff continue to meet or exceed its regulatory and audit requirements.

Erasing End-of-Life Data Throughout a Financial Services Institution

Like all large financial institutions, Sacombank processes and stores data across a wide variety of hardware, including mobile devices, PCs and laptops, data center equipment and loose drives from the bank’s fleet of ATMs. This data could be stored in active environments or on to-be-decommissioned IT assets. It could also live in physical, logical or virtual network storage. To meet erasure requirements in a consistent way, Sacombank turned to Blancco data erasure solutions.

Blancco’s enterprise-level products work together to provide verified data sanitization according to globally recognized standards. They also provide efficient workflows and centrally stored, tamper-proof audit reports.

To ensure regulatory compliance when disposing of its end-of-life financial services data, Sacombank used:

A Special Case: Erasing ATM Data

In addition, for its ATMs, Sacombank required an efficient way of securely erasing large numbers of loose magnetic drives at once. After being physically uninstalled, the drives are transported securely by armored truck to the bank’s data center, where an IT technician loads them into a Blancco 8-Bay Drive Eraser, an industrial-grade server solution built to support a broad range of hard drives, including NVMe, SAS, SATA, M.2 and U.2 SSDs, x4 PCIe, Fiber Channel and SCSI. After the appliance erases the drives according to a Sacombank-selected sanitization standard, the system generates and stores a digitally signed report to certify successful data erasure.

Data Sanitization Reporting and Auditability

Blancco enterprise solutions and the Blancco 8-Bay Drive Eraser integrate directly with Blancco Management Console. This centralized point of control includes automation capabilities that optimize efficiency. Sacombank’s on-prem installation of Blancco Management Console centralizes reporting and erasure management, provides an “auditor view” of erasure certificates and complies with Circular 18 requirements for reporting and auditability.

Results

Blancco solutions provide secure erasure across Sacombank operations, including endpoint computing and mobile devices, data center equipment and loose ATM drives. This comprehensive, strategic approach makes it easy for Sacombank to use recognized data erasure standards that help them comply with PCI DSS and State Bank of Vietnam Circular 18 requirements. Blancco’s centrally stored tamper-proof reports also allow the bank to demonstrate full compliance with regulatory requirements for secure erasure when bank examiners conduct an audit.

“Blancco helps us in securely erasing all IT equipment in a secure and auditable way,” said Sacombank’s IT manager. “By securely erasing data at end-of-life, we can assure our end clients that we take care of their data with high priority till the very end of the data lifecycle and that we are compliant with all regulations.”

“Blancco provides a full-suite solution for all data erasure needs of the bank and helps us be fully compliant with requirements from PCI DSS and Circular 18 of the State Bank on data erasure.”

Sacombank IT Manager

About Sacombank

Formally named “Saigon Thuong Tin Commercial Joint Stock Bank,” Sacombank is a retail bank headquartered in Ho Chi Minh City, Vietnam, that operates 570 branches in Vietnam, Cambodia and Laos. In 1991, Sacombank became the first commercial joint stock bank to be established in Ho Chi Minh City, and two years later, it opened the first branch in Hanoi. Sacombank was also the first Commercial Joint Stock Bank of Vietnam to be listed on Ho Chi Minh City Stock Exchange, in 2006; it has the stock code “STB.”

During its three-decade history, Sacombank has developed its presence in rural areas, bringing the first access to financial funds for these communities. The bank has also worked to diversify its financial services and products to be more comprehensive, meeting the changing needs of customers.

About Blancco

Blancco is the industry standard in data erasure and mobile device diagnostics software. Our data erasure software provides thousands of organizations the tools they need to enable sustainable data sanitization processes across the widest array of IT assets. By focusing on erasing and reusing assets instead of physically destroying them, organizations can improve their security posture and address corporate social responsibility requirements, while also ensuring compliance with local and global data privacy requirements.

Blancco data erasure solutions have been tested, certified, approved and recommended by 15+ governing bodies and leading organizations around the world. No other data erasure software can boast this level of compliance with the rigorous requirements set by government agencies, legal authorities and independent testing laboratories. All Blancco erasures are verified and certified, resulting in a tamper-proof audit trail.
