Mercury Processing Services International secures growth with GDPR- and PCI-compliant data protection


Mercury Processing Services International is a payments processing company based in Croatia and Slovenia. They serve over 5.6 million accounts in the financial and banking sectors across Europe, the Middle East and Africa and on average they process 1.5 million transactions per day. Technological expertise is the main driver of enhancing and enriching their existing business relations, as well as the main source for the innovations that they provide in the payment industry.

Case Study
  • Payments processor handling 1.5 million transactions per day now compliant with PCI and GDPR data security requirements by rendering all sensitive data unreadable.
  • Efficient data protection will enable Mercury to process an even greater volume of transactions.
  • Highly flexible and scalable solution implemented quickly and easily.

The project began with tackling the PCI requirement of protecting cardholder data and later expanded to cover the protection of additional data elements in order to comply with the GDPR.

According to PCI Requirement 3.4, cardholder data must be rendered unreadable wherever it is stored. Cardholder data is defined as a Primary Account Number (PAN) and any data that can be tied directly to a specific PAN, such as the cardholder’s name.

GDPR requirements go a step further as they require similar protection for personal data. Personal data has a much broader scope than cardholder data and is defined as any data that can be traced back to an actual person, including a name, address, nationality, biometric data, etc.

Additionally, both the GDPR and PCI DSS stress that sensitive data should only be visible on a need-to-know basis within the organisation and among its partners. That means that it should also be rendered unreadable within the organisation to avoid accidental exposure to insiders and partners.

Mercury needed a solution that would properly protect all of these types of data, not just for the sake of compliance, but also so that they would have another layer of protection that would render data useless to potential hackers. Hackers are constantly devising new ways to crack into systems, so it is essential to have a data-centric solution at the core of the organisation’s data security strategy so that in the event of a breach, the data accessed has no exploitable value.

Data Protection with a Light Footprint

Mercury processes on average 1.5 million transactions a day, so they needed a solution that could be implemented without interrupting the business or affecting service levels. Tokenisation offers protection without the performance pitfalls of classic encryption by preserving the format and utility of the protected data so that business applications and analytics can operate on tokens rather than sensitive data in the clear.

In addition, SecurDPS is highly flexible and scalable, so it could be implemented without any changes to source code. This meant that the solution was not only implemented in a matter of weeks rather than months, but also without affecting service levels.

Mercury chose comforte’s SecurDPS to protect their data as it fulfilled their data protection requirements and could be implemented quickly and easily, without interrupting the business.

Data-Centric Security

SecurDPS reduces business risk as it replaces in-the-clear sensitive data with a token value that is meaningless if it is exposed. A data-centric security strategy protects the data itself so that even if all other security measures fail, the data at the core will still be unexploitable. This also fulfils the PCI and GDPR requirements for no sensitive data on core enterprise components.

Furthermore, tokenised data is protected from accidental exposure to unauthorised insiders and third-party vendors, as it can only be accessed with proper authorisation. This helps reduce dependency on compensating controls as a temporary measure to pass security audits and fulfils the PCI and GDPR requirements that sensitive data only be accessible on a need-to-know basis.

The benefits of this project go beyond fulfilling PCI and GDPR requirements for data protection. In the unlikely event of a data breach, all sensitive data will be unreadable and have no exploitable value to hackers, which greatly reduces the impact of a potential breach.

Furthermore, tokenised data will help secure Mercury’s growth as it is now much easier for them to exchange data with partners and customers while keeping sensitive data protected. Since they no longer rely on compensating controls and can do business much faster, they will be able to get the most out of the rapidly growing market and provide processing services to more customers than ever.

  • Fulfil key data security requirements of GDPR and PCI DSS
  • Reduce risk and potential impact of data breaches
  • Protect sensitive data to enable secure transfer between insiders and partners
  • Maintain service levels

"We were very satisfied with comforte’s readiness to handle whatever requests we had, wherever and however they arose. Their dedication and diligence were essential to this project’s success."

– Giovanni Cetrangolo, Head of Strategic projects and innovation at Mercury Processing Services International