INDUSTRY: Financial Services
BUSINESS: Australian Payments Plus (AP+) offers a range of payment capabilities, including Australia’s domestic debit network, real-time payments infrastructure, secure bill payments, digital identity exchange, QR code payments and experiences, and open wallet solutions.
SIZE: 350 employees
BUSINESS PROBLEM: Following the merger that created the company, AP+ set out to discover all on-premises and cloud assets across the enlarged enterprise and proactively scan them for vulnerabilities. How could AP+ gain fine-grained insights into thousands of assets?
SOLUTION: Qualys VMDR® with TruRisk plus integrated apps for asset identification and management, vulnerability management, threat detection and prioritization and response; Qualys TotalCloud
Australian Payments Plus (AP+) brings together Australia’s three domestic payment organizations, BPAY Group, eftpos and NPP Australia, into one entity – securely processing over 4.2 billion payments in 2022 alone.
Trevor Cushen, General Manager, Security at AP+, explains: "Across Australia, millions of people rely on AP+ to process payments daily—whether that’s paying employees, sending money to friends and family, or settling bills. Because our services play such an important role in our customers’ lives, maintaining public confidence in our services is our number one priority. We manage sensitive personal and financial data on our customers’ behalf and ensuring that all the data we hold is properly governed and protected is a must."
Why Australian Payments Plus (AP+) chose Qualys:
BPAY Group, eftpos and NPP Australia managed sensitive data in isolated, secure environments, performing regular vulnerability management scans to detect potential threats and meet requirements such as the Payment Card Industry Data Security Standard (PCI DSS). This level of diligent security management has continued with AP+, but the new company also aims to respond with greater agility to the impacts of regulatory and technological change—creating new information security requirements.
"To bring innovative products to market and support existing services effectively, we want to empower our people to work in a more collaborative and agile way," continues Cushen. "To achieve that goal, AP+ leverages a much more open IT environment. The aim is to share information rapidly with the people who need it while maintaining tight protection over sensitive data."
With multiple inherited systems to support and secure, the security team at AP+ set out to discover all the assets in its enlarged environment and ensure that the new, unified platform was just as secure as the previous systems.
"We decided that all AP+ environments—from staging upwards—would be monitored, logged, and access controlled," says Cushen. "We also wanted to meet and exceed our regulatory requirements by moving from quarterly scanning to a more frequent, proactive approach."
For more than a decade, BPAY Group relied on the Enterprise TruRisk Platform to protect mission-critical data. When AP+ was founded, the organization decided to build on this success and deployed Qualys VMDR® with integrated apps for asset identification and management, vulnerability management, threat detection and prioritization and response.
"At BPAY Group, we used Qualys to scan the isolated, sensitive areas of our environment—and for AP+, we’ve extended the solution across our entire infrastructure," explains Cushen. "So far, we have deployed Qualys Cloud Agents to more than 2,000 assets, from Windows and iOS laptops to containerized servers on AWS. Every week, we use the solution to scan our entire infrastructure for vulnerabilities and prioritize which issues to remediate first."
Using Qualys VMDR with TruRisk, AP+ can automatically identify high-severity vulnerabilities in its environment, including the latest threats. With TruRisk we get insights into our organization’s unique risk posture to prioritize our most critical vulnerabilities.
"With VMDR, as soon as we detect software deployed on our assets containing a vulnerability of medium or high severity, we promptly create a plan to address the issue and reduce the associated risks," noted Cushen.
Today, lightweight Qualys Cloud Agents are deployed as part of the standard build process for all new on-premises and cloud assets. Insights from the agents allow AP+ to easily identify and remove end-of-life software from its environment and ensures full alignment with the Essential Eight Maturity Model developed by the Australian Cyber Security Centre (ACSC).
"Qualys Cloud Agents provide valuable information about the status of our assets," says Cushen. "From a single point of control, we can see which systems are missing patches or have legacy software installed."
By combining Qualys VMDR and Qualys TotalCloud, AP+ can continuously inventory and monitor its on-premises and public cloud workloads and infrastructure. This capability proved extremely valuable during the merger that created AP+.
"We suddenly had an environment that was much larger and more complex, which meant it was even more important to know what was out there in our estate," says Cushen. "In cloud environments, users can provision new systems with the touch of a button, so it’s vital to have clear visibility. With Qualys TotalCloud, we can continuously discover assets, which helps us to ensure everything is properly governed and protected."
By extending Qualys VMDR across its IT environment, AP+ is achieving its goal of securing the enlarged enterprise against potential threats. Automation from Qualys unlocks valuable efficiencies for the organization’s security personnel, allowing a lean team to protect thousands of assets effectively.
"One of the immediate advantages of implementing Qualys is the efficiency of our asset management process," says Cushen. "Without Qualys VMDR, we would need to manually check each system to report on end-of-life software and hardware. Gaining this insight automatically reduces our workload by around several weeks a year, which means we spend less time on repetitive data-collection and more time on analysis."
Because AP+ plays a vital role in Australia’s payments infrastructure, the organization aims to minimize downtime, thus all maintenance and patching work must be performed to tight deadlines. By utilizing Qualys, the organization gains comprehensive insight into which assets have active vulnerabilities, allowing it to concentrate its maintenance efforts more effectively.
Cushen adds: "The level of clarity we get with Qualys VMDR is especially beneficial when dealing with systems that have very narrow maintenance windows."
By integrating data from the Enterprise TruRisk Platform with Splunk, AP+ offers developers self-service access to vulnerability management insights into software in staging environments. As a result, teams can remediate issues earlier in the development process, contributing to faster releases and greater agility.
"Qualys is an ideal fit for our proactive approach to information security," Cushen comments. "During a recent audit, our auditor couldn’t believe how frequently we were scanning our systems—they’d never encountered an organization of our size that took vulnerability management so seriously. It was gratifying to receive recognition for operating at such a high level of security maturity. Qualys plays a crucial part in helping us maintain those high standards."
AP+ is confident that the Enterprise TruRisk Platform will help protect its payments infrastructure for years to come.
"We re-evaluate our solutions annually to make sure they’re still fit for purpose—and Qualys is one of the only solutions that continues to excel year after year," concludes Cushen. "Qualys is always evolving its offering to meet our needs, and the support we receive is exceptional. Qualys VMDR is so well integrated into our operations that it’s almost part of our DNA. We look forward to working with Qualys to continue to enhance our capabilities."
“Qualys VMDR is so well integrated into our operations that it’s almost part of our DNA—and we look forward to working with Qualys to continue to enhance our capabilities.”
General Manager, Australian Payments Plus
"Automation from Qualys VMDR unlocks valuable efficiencies, allowing our lean security team to protect thousands of assets effectively. Gaining this insight automatically, versus manually, reduces our workload by around several weeks a year, which means we spend less time on repetitive data-collection and more time on analysis."