Follett protects customer data and complies with PCI DSS with nCipher

The Follett Higher Education Group uses nCipher Security products and services to protect credit card data from breaches and comply with PCI DSS.


Beginning as a small book store in 1873, the Follett Corporation has grown to become one of the cornerstones of the educational system within the United States. The Follett Higher Education Group (FHEG) sells more than 20 million textbooks annually in stores and online, and it operates more than 700 campus book stores for colleges and universities. For every transaction, the company protects its customers’ personal data from breaches while easily and cost-effectively complying with the Payment Card Industry Data Security Standard (PCI DSS).


Since it began operating stores and taking credit cards, FHEG has taken protecting its customers’ privacy seriously. To protect customer data, the company has a longstanding practice of encrypting customer payment data. Encrypting and subsequently decrypting data required following and documenting a time-consuming manual procedure for encryption key management and storage, as required by PCI DSS requirement 3.6.3. FHEG also needed to rotate encryption keys (replacing old keys with new ones, as required by PCI DSS requirement 3.6.4) at least once a year, which it did manually. FHEG found that its key management process was becoming too inefficient and labour-intensive. The company decided to stop tracking encryption keys manually and move to hardware security modules (HSMs) from nCipher’s product line.

“nCipher HSMs provide a secure environment for managing and storing the encryption keys that protect customer data,” says Terry Mainiero, FHEG’s director of store systems. “We wanted to use nCipher HSMs as the basis for an efficient, cost-effective, and PCI DSS compliant key management process.”


After deciding to implement an HSM, FHEG evaluated a number of the options on the market. The company found that while all HSMs provide security, nCipher HSMs also delivered ease of use and flexibility. Irwin Gafen, director of wholesale and distribution systems at FHEG, explains, “nCipher helped us to understand our choices for encryption, and to deploy a simple, secure, and compliant solution to replace our manual key management processes.”

“We needed an HSM that was flexible enough to fit into our environment without disruption while making our key management more automated,” says Mr. Mainiero. “nCipher met our needs perfectly. Our nCipher HSMs protect our encryption keys, safeguarding customer data from breaches. Just as importantly, it helped make achieving PCI DSS compliance far easier and more cost-effective.”


  • Making PCI DSS audit reviews easier and more efficient
  • Managing encryption keys faster and more cost-effectively
  • Protecting customers and the business from fraud
  • Reducing the risk of data breaches


With nCipher HSMs, FHEG has replaced inefficient manual processes with a largely automated key storage and generation process. The nCipher HSM is deployed in a server that safely distributes encryption keys to the company’s e-commerce and point of sale systems. When the company rotates existing encryption keys, as required under PCI DSS, the process takes a fraction of the time it took with manual processes. That’s because the process is now largely automated, making PCI DSS audit reviews easier and more efficient.

“Rotating to new encryption keys is very fast. So if the PCI DSS were to require more frequent key changes, it wouldn’t be a problem for us,” notes Mr. Mainiero.


To implement its new PCI DSS compliant key management solution, FHEG turned to nCipher Advanced Solutions Group (ASG). The team began by working with the company to understand their current processes and environment. They also reviewed the company’s security procedures, policies, and systems. The team then developed an implementation plan that fully supported FHEG’s needs and continued PCI DSS compliance.

“It was a pleasure to work with nCipher,” says Mr. Gafen. “They took the time to listen to our needs and understand our systems and processes. They designed and implemented an effective solution. The whole project was on-time, on-budget, and bug-free.”

Mr. Gafen adds, “Encryption is highly complex, and getting it right requires expertise. nCipher Professional Services has that expertise and makes very practical recommendations. They brought specialist knowledge to the project, which allowed our team to stay focused on our business needs.”


Headquartered in River Grove, Illinois, the Follett Corporation is a privately held, $2.3 billion company. It is the largest provider of library materials and technology to K-12 schools in the United States, and the nation’s leading campus book store operator.

Recent milestones for Follett Higher Education Group include:

  • Operating more than 700 college book stores
  • Stocking over 100,000 titles
  • Selling more than 20 million textbooks annually
  • Serving more than 700 campuses with online textbook sales



With effective encryption and key management FHEG is confident that its customers’ personal data is secure. This not only protects customers, it also protects the company from the bad publicity and costs that can result if credit card data is compromised.

“With nCipher, no one can access our encryption keys,” says Mr. Gafen. “Our keys are safe from internal and external tampering, safeguarding our encrypted data against theft or manipulation. Our customers’ personal data is protected, and we are protected from the potentially high costs of compromised data.”


Today’s fast moving digital environment enhances customer satisfaction, gives competitive advantage and improves operational efficiency. It also multiplies the security risks. nCipher Security empowers world-leading organizations by delivering trust, integrity and control to their business critical information and applications.

Our cryptographic solutions secure emerging technologies – cloud, IoT, blockchain, digital payments – and help meet new compliance mandates, using the same proven technology that global organizations depend on today to protect against threats to their sensitive data, network communications and enterprise infrastructure. We deliver trust for your business critical applications, ensuring the integrity of your data and putting you in complete control – today, tomorrow, at all times.
