
CGI's Finance Ministry Solution

Lowering Costs with PCI-compliant SOA


CGI, a 30-year-old systems integrator with over 27,000 employees and more than 100 offices worldwide, is used to repeat business. After all, with an 8.8 out of 10 satisfaction ranking in 2007 from CGI's ISO 9001:2000-certified client management process, CGI has a history of helping clients achieve superior results. In this case, a government finance ministry, which acts as a central organization that offers advice to the government in the budgetary, fiscal, economic, financial and accounting fields, wanted CGI to convert its original application-based payment gateway solution to a PCI-compliant, Web services-based one. There was just one problem: this would be the first SOA project undertaken by CGI's Financial Services arm, and they were only being given 6 months to complete it.

CGI by the Numbers


Founded in 1976
Revenue run rate of CDN$3.8B
Backlog of CDN$12.03 billion
Approximately 27,000 employees
More than 100 offices serving clients in 16 countries
45 of 50 top banks in NA and EU
11 of 15 largest insurers globally
7 of 10 largest global Telcos
100s of government agencies

The Business Challenge

Many government ministries offer some kind of fee-based service to the public, and encourage online payment for these services via credit card. For example, the public can access government web sites to pay speeding tickets, purchase recreational fishing licenses, or book national park campgrounds online. In CGI's original solution, inputting a credit card number invoked their payment gateway at the finance ministry, which then acted as the central clearing house. Fundamentally, the payment gateway was technologically sound, but adding new merchants incurred a large IT overhead. To control costs while expanding their portfolio of fee-based services, the government required a more flexible way to add new Ministries and/or new Ministry services on an ad hoc basis. Additional criteria included support for encryption and digital signing that would be part of an overall push toward PCI compliance.

Introducing SOA: Layer 7 Proves Key


After consulting with their SOA Center of Excellence, CGI proposed migrating the existing application-based payment gateway to a Web services model with the goal of creating a more secure, standards-based, PCI-compliant solution that would feature a lower total cost of ownership. For the security layer, CGI compared a number of commercial off-the-shelf vendors (as well as building a solution themselves) and decided that the Layer 7 SecureSpan Gateway (Gateway) provided the most robust solution, offering not only centralized enforcement of security policies but also an XML VPN Client that could be easily installed at each ministry to automatically negotiate the security and credentialing handshake between the client application and the SSG, eliminating the need to recode, test and deploy each client application. Because the existing IT infrastructure varied widely from ministry to ministry, this functionality would greatly reduce the time to deploy the overall solution.

The Solution

The greatest effort centered around re-creating the old API-based transaction application as a set of Web services. By carving up the monolithic application into discrete pieces of functionality, CGI could institute a series of steps required to validate and process each transaction, as well as simplify the addition of new ministries as payees. For example, one Web service converts SOAP messages to an HTML format and submits it to the existing ASP-based Web interface, which in turn submits it to a handler behind several security zones. The handler sends the response, including a transaction ID, which the client must send back to confirm the transaction; otherwise the transaction is rolled back.

The SecureSpan Gateway allows CGI to define and enforce security policies at run-time, as well as perform XML schema validation for threat protection. The Gateway's native X.509 capabilities are used to provide an authentication/authorization framework in conjunction with the finance ministry's existing LDAP service. The Gateway also provides message-level cryptography, including signature validation and decryption of incoming content.

The Results
Today, over 20 Ministries are taking advantage of the new PCI-compliant credit card payment system, with more being added every month on an ad hoc basis. Centralized enforcement of security policies gave CGI consistent security across all applications, thereby eliminating the time and effort associated with coding and maintaining security details in each back-end application.

The XML VPN Client allowed CGI to essentially drop in a software solution that would handle all encryption, digital signing and other credentialing independent of the client application while ensuring PCI compliance. This allowed CGI to avoid having to code (and subsequently test and deploy) security requirements in each of the Ministry's client applications, a key capability in allowing CGI to meet project timelines.

"We made a good decision two years ago in choosing Layer 7's SecureSpan Gateway, and we are very satisfied with the results!"
Marc Bourassa, Director, Consulting Services, Financial Services Sector, CGI Group, Inc.

Copyright 2011 by Layer 7 Technologies, Inc. (www.layer7tech.com). All other trademarks are the property of their respective owners. Layer 7 Internal Use Only.
