[ISN] Steak n Shake beefs up security

From: InfoSec News (alerts@private)
Date: Tue May 01 2007 - 02:13:40 PDT


http://www.computerworld.com/action/article.do?command=viewArticleBasic&taxonomyName=security&articleId=9018289

By Jaikumar Vijayan
April 30, 2007 
Computerworld

Credit card security may not exactly be a top-of-mind item for customers 
dining on steakburgers and milkshakes at any of the 450-odd Steak n 
Shake restaurants scattered around the Midwest and Southeast.

But it has been a priority for the technology organization at the 
Indianapolis-based fast food chain since last August, when the number of 
credit card transactions the company accepts every year crossed the 6 
million mark for the first time.

That number put Steak n Shake into a category of businesses subject to 
the most stringent requirements of a data security standard being pushed 
by major credit card companies such as Visa International, MasterCard 
Worldwide, American Express and Discover.

The standard, known as the Payment Card Industry (PCI) Data Security 
Standard, requires all entities that handle payment cards to implement a 
set of 12 security controls for protecting card data. The measures 
include encryption, periodic network vulnerability scans, logical and 
physical access controls, and activity monitoring and logging. Under 
PCI, companies are classified into four groups depending on the number 
of credit card transactions they handle annually, with Tier 1 being the 
largest. Companies that fail to implement the requirements are subject 
to substantial fines and can even have their right to accept cards 
revoked.

For Steak n Shake, the Tier 1 classification last August had major IT 
implications, said Sean Smith, director of strategic technology services 
at the company. At that time, Steak n Shake had been accepting credit 
and debit card payments for only about two and a half years and had 
been considered a Tier 4 merchant under PCI.

"We went from ground zero to a Tier 1 in a very short period of time," 
Smith said. In the process, "our PCI requirements and the difficulty of 
attaining them changed by a magnitude of sixfold to tenfold," he said.

Some of the biggest changes had to be made at the store level. For 
instance, the generic usernames and passwords that were used in the past 
by store employees who needed access to point-of-sales (POS) systems 
were replaced with an Active Directory-based unique username and 
password system that could be centrally monitored and managed.

"Most store operations historically have had high [employee] turnover 
rates," so it was easier to have generic usernames and passwords for 
access to POS systems, Smith said. Under PCI, however, "we need to know 
who is accessing what, when and where," he said.

The company also had to roll out tools for centrally managing the assets 
in its stores and for pushing out patches, antivirus updates and other 
software to them. The fast food chain has also put in place capabilities 
for logging and auditing all store-level transactions involving payment 
card data, as required by PCI.

Steak n Shake is in the process of replacing its old VSAT communications 
links with a new T1 network featuring secure point-to-point VPN 
connections tying each store to headquarters. It is also revitalizing 
its perimeter security through the addition of new intrusion prevention 
and detection tools, as well as security event management technology for 
centralized event logging and correlation.

PCI rules prohibit merchants from retaining sensitive authentication 
data, such as full magnetic-stripe track contents, on a POS system after 
a transaction has been authorized, and require any stored account numbers 
to be rendered unreadable, so Steak n Shake is upgrading all POS software 
systems to versions validated as PCI-compliant. The company has hired 
Qualys Inc. to perform quarterly vulnerability scans of its network 
perimeter as required by PCI. In addition, the restaurant chain is 
getting Qualys to perform a similar quarterly vulnerability assessment 
of its internal network to mitigate data threats from inside.
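The practical check behind the storage rule above is a cardholder-data discovery sweep of POS disks and logs: any magnetic-stripe track data or Luhn-valid account number found at rest is a finding, whatever the application vendor claims. The scanner below is an added example, not code from Steak n Shake, Qualys or the article; it runs over constructed sample log lines, and the track-data regexes follow the ISO/IEC 7813 track 1 and track 2 layouts. The card numbers used are well-known test numbers, not real accounts.

```python
"""Cardholder-data discovery: flag stored track data and Luhn-valid PANs.

Added example (not from the article). Input is text such as POS
application logs or database dumps; output lists masked findings so the
report itself does not become another copy of the card data.
"""
import re

# Candidate PAN: 13-19 digits, optionally separated by spaces or dashes,
# not embedded in a longer digit run.
PAN_RE = re.compile(r"(?<![0-9])(?:[0-9][ -]?){12,18}[0-9](?![0-9])")

# Track 2 (ISO/IEC 7813): ;PAN=YYMM<service code><discretionary data>?
TRACK2_RE = re.compile(r";([0-9]{13,19})=([0-9]{4})([0-9]{3})[0-9]*\?")

# Track 1 (ISO/IEC 7813): %BPAN^NAME^YYMM<service code><discretionary data>?
TRACK1_RE = re.compile(r"%B([0-9]{13,19})\^([^^]{2,26})\^([0-9]{4})([0-9]{3})[^?]*\?")


def luhn_ok(digits: str) -> bool:
    """Return True if the digit string passes the Luhn mod-10 check."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask(pan: str) -> str:
    """Keep first six and last four digits (the PCI display rule), mask the rest."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def scan_line(line: str):
    """Return (kind, masked_pan) tuples for one line; track data wins over bare PANs."""
    findings = []
    covered = []  # spans already reported as track data
    for kind, rx in (("TRACK1", TRACK1_RE), ("TRACK2", TRACK2_RE)):
        for m in rx.finditer(line):
            findings.append((m.start(), kind, mask(m.group(1))))
            covered.append((m.start(), m.end()))
    for m in PAN_RE.finditer(line):
        if any(s <= m.start() < e for s, e in covered):
            continue  # PAN is part of a track-data finding already reported
        digits = re.sub(r"[ -]", "", m.group(0))
        if luhn_ok(digits):  # drops order IDs, timestamps and other 16-digit noise
            findings.append((m.start(), "PAN", mask(digits)))
    findings.sort()
    return [(kind, masked) for _, kind, masked in findings]


def scan(text: str):
    """Scan multi-line text; return (line_number, kind, masked_pan) for each finding."""
    results = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for kind, masked in scan_line(line):
            results.append((lineno, kind, masked))
    return results


# Constructed sample POS log; 4111111111111111 and 4012888888881881 are
# public test numbers, 1234567890123456 is a non-card order reference.
SAMPLE = """\
2007-04-30 18:02:11 POS-0412 sale approved auth=123456 pan=4111-1111-1111-1111 exp=1209
2007-04-30 18:02:12 POS-0412 DEBUG raw swipe: ;4012888888881881=12091011234567890?
2007-04-30 18:03:40 POS-0412 sale approved ref=1234567890123456 (order id, not a card)
2007-04-30 18:04:01 POS-0412 sale declined pan=4111111111111112
2007-04-30 18:05:17 POS-0412 DEBUG raw swipe: %B4111111111111111^DOE/JANE^1209101000000000?
"""

if __name__ == "__main__":
    for lineno, kind, masked in scan(SAMPLE):
        print(f"line {lineno}: {kind} {masked}")
```

Lines 1, 2 and 5 are findings: a full PAN written to the sale log, and two raw swipes logged by a debug path, which is exactly the sensitive authentication data the standard says must never be retained. Line 3 is a 16-digit order reference that fails Luhn, and line 4 is a mistyped number; neither is reported, which is what keeps a sweep over a large log set usable.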

Steak n Shake has also started a security awareness campaign designed to 
inform its 22,000 employees of what they can do to protect cardholder 
data. "Technology controls are great, but if people and processes are 
not there," the controls are worthless, Smith said.

Implementing and demonstrating the controls that are needed in order to 
be PCI-compliant at a Tier 1 level can be challenging, said Terry Ramos, 
director of strategic development at Qualys. That's especially true for 
a company such as Steak n Shake, which as recently as last August was a 
Tier 4 vendor, he said. At the Tier 4 level, PCI requirements are really 
little more than recommended best practices with little or no validation 
requirements, Ramos said. A Tier 1 merchant, on the other hand, has to 
actually follow all of the requirements and then have a third party 
validate compliance, he noted.

It's not just the systems that actually handle credit card data that 
need to be validated; all other network assets that connect to these 
systems have to be checked as well, Ramos said. For large companies with 
legacy environments, such validation can be a huge challenge, he said. 
As a result, many companies are now looking to segment their networks to 
keep payment card processing systems separate from other systems, he 
said.

"The one thing about PCI that is very different [from other standards] 
is that it gives very specific requirements for companies to follow," 
Ramos said. "It gives people a good idea of what they need to do."


__________________________
Subscribe to InfoSec News
http://www.infosecnews.org



This archive was generated by hypermail 2.1.3 : Tue May 01 2007 - 02:23:44 PDT