Tuesday, May 8, 2007

IDentiWall is poised to resolve credit card payment security

Restaurant Chain Beefs Up Payment Card Protections

Jaikumar Vijayan


May 07, 2007 (Computerworld) In the past, credit and debit card security wasn’t a huge concern at The Steak n Shake Co., which operates more than 450 restaurants in the Midwest and Southeast. But it has been a top priority for the chain’s IT organization since last August, when the number of card transactions that Steak n Shake processes annually passed the 6 million mark.

That put the Indianapolis-based chain into the category of businesses that are subject to the most stringent requirements of a data security standard mandated by the major credit card companies.

Moving into the Level 1 classification under the Payment Card Industry (PCI) Data Security Standard had big IT implications for Steak n Shake, said Sean Smith, its director of strategic technology services. The company had been accepting card payments for only about two and a half years, and before August, it was considered a Level 4 merchant — the lowest tier on the PCI scale.

Requirements Multiplied

“We went from ground zero to Tier 1 in a very short period of time,” Smith said. “Our PCI requirements and the difficulty of attaining them changed by a magnitude of sixfold to tenfold.”

PCI requires all entities that handle payment cards to implement a set of 12 security controls, including data encryption, logical and physical access controls, and activity monitoring and logging. Companies are classified into four groups, depending on the number of card transactions they process annually. Businesses that are in the top group like Steak n Shake are required to undergo quarterly network security scans and an annual on-site security audit.

Some of the biggest changes at Steak n Shake had to be made at the restaurant level. For instance, the generic usernames and passwords used in the past to access point-of-sale systems were replaced by a log-in system based on Active Directory that can be centrally monitored and managed. Under PCI, Smith said, “we need to know who is accessing what, when and where.”

The company also had to roll out tools for centrally managing the IT assets in its restaurants and pushing out software patches and antivirus updates to the systems. In addition, Smith said, Steak n Shake can now log and audit all restaurant-level transactions involving payment card data, as required by PCI.

In another facet of the compliance effort, Steak n Shake is replacing its VSAT satellite communications links with a T1 network that will tie each restaurant to headquarters via secure point-to-point virtual private network connections. And to better secure its network perimeter, the chain is adding intrusion-prevention and -detection tools, plus security event management technology with centralized logging and correlation.

Smith declined to disclose what the security upgrades are costing Steak n Shake, which has hired Qualys Inc. to do the required quarterly vulnerability scans of its network perimeter. Qualys will also conduct similar assessments of Steak n Shake's internal network to help mitigate potential security threats from insiders.

Implementing and demonstrating the controls needed to comply with PCI at Level 1 can be challenging, said Terry Ramos, director of strategic development at Redwood Shores, Calif.-based Qualys. That’s especially true for a company like Steak n Shake, whose compliance level has abruptly changed, Ramos said. He noted that at Level 4, the PCI mandates are little more than best practices, with no specified validation requirements.

Getting reclassified on the PCI scale “can often be a rude awakening for organizations,” said Chris Noell, president of TruComply, an Austin-based consulting firm that focuses on the payment card industry. Level 4 companies, he added, “are rarely aware of their compliance obligation, much less doing anything about it.”

“The difference can be like night and day,” agreed Gartner Inc. analyst Avivah Litan. “Level 1’s come under a much bigger magnifying glass.”

Made4Biz Security Inc