[ISN] Steak n Shake beefs up security
By Jaikumar Vijayan
April 30, 2007
Credit card security may not exactly be a top-of-mind item for customers
dining on steakburgers and milkshakes at any of the 450-odd Steak n
Shake restaurants scattered around the Midwest and Southeast.
But it has been a priority for the technology organization at the
Indianapolis-based fast food chain since last August, when the number of
credit card transactions the company accepts every year crossed the 6
million mark for the first time.
That number put Steak n Shake into a category of businesses subject to
the most stringent requirements of a data security standard being pushed
by major credit card companies such as Visa International, MasterCard
Worldwide, American Express and Discover.
The standard, known as the Payment Card Industry (PCI) Data Security
Standard, requires all entities that handle payment cards to implement a
set of 12 security controls for protecting card data. The measures
include encryption, periodic network vulnerability scans, logical and
physical access controls, and activity monitoring and logging. Under
PCI, companies are classified into four groups depending on the number
of credit card transactions they handle annually, with Tier 1 being the
largest. Companies that fail to implement the requirements are subject
to substantial fines and can even have their right to accept cards
For Steak n Shake, the Tier 1 classification last August had major IT
implications, said Sean Smith, director of strategic technology services
at the company. At that time, Steak n Shake had been accepting credit
and debit card payments for only about two and a half years and had
been considered a Tier 4 merchant under PCI.
"We went from ground zero to a Tier 1 in a very short period of time,"
Smith said. In the process, "our PCI requirements and the difficulty of
attaining them changed by a magnitude of sixfold to tenfold," he said.
Some of the biggest changes had to be made at the store level. For
instance, the generic usernames and passwords that were used in the past
by store employees who needed access to point-of-sale (POS) systems
were replaced with an Active Directory-based unique username and
password system that could be centrally monitored and managed.
"Most store operations historically have had high [employee] turnover
rates," so it was easier to have generic usernames and passwords for
access to POS systems, Smith said. Under PCI, however, "we need to know
who is accessing what, when and where," he said.
The company also had to roll out tools for centrally managing the assets
in its stores and for pushing out patches, antivirus updates and other
software to them. The fast food chain has also put in place capabilities
for logging and auditing all store-level transactions involving payment
card data, as required by PCI.
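The two store-level controls described above, unique user IDs in place of generic accounts and logging of who accessed card data when and where, can be checked against POS access logs. The script below is an added illustration, not Steak n Shake's or Qualys's code; the log format, the store/terminal/user fields and the list of generic account names are assumptions, and the log lines are constructed.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample POS access log (not real data). Assumed line format:
# <ISO timestamp> store=<id> terminal=<id> user=<name> action=<what> result=<ok|fail>
SAMPLE_LOG = """\
2007-04-28T09:02:11 store=114 terminal=POS2 user=cashier action=login result=ok
2007-04-28T09:05:40 store=114 terminal=POS2 user=cashier action=card_sale result=ok
2007-04-28T09:07:03 store=114 terminal=POS1 user=jdoe action=login result=ok
2007-04-28T09:08:15 store=114 terminal=POS1 user=jdoe action=card_refund result=ok
2007-04-28T12:31:50 store=220 terminal=POS3 user=manager action=login result=fail
2007-04-28T12:32:05 store=220 terminal=POS3 user=manager action=login result=ok
2007-04-28T12:40:22 store=220 terminal=POS3 user=asmith action=card_sale result=ok
"""

# Assumed list of shared/generic account names that a unique-ID policy is meant to eliminate.
GENERIC_ACCOUNTS = {"cashier", "manager", "admin", "pos", "store"}

LINE_RE = re.compile(
    r"^(?P<ts>\S+) store=(?P<store>\S+) terminal=(?P<term>\S+) "
    r"user=(?P<user>\S+) action=(?P<action>\S+) result=(?P<result>\S+)$"
)

def parse_log(text):
    """Parse each line into a dict; lines that do not match the expected format are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            ev = m.groupdict()
            ev["ts"] = datetime.fromisoformat(ev["ts"])
            events.append(ev)
    return events

def find_generic_account_use(events):
    """Events performed under a shared account: these cannot be attributed to one person."""
    return [ev for ev in events if ev["user"].lower() in GENERIC_ACCOUNTS]

def card_activity_by_user(events):
    """Who accessed what, when and where: successful card actions keyed by user."""
    summary = defaultdict(list)
    for ev in events:
        if ev["action"].startswith("card_") and ev["result"] == "ok":
            summary[ev["user"]].append((ev["ts"].isoformat(), ev["store"], ev["term"], ev["action"]))
    return dict(summary)

if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    for ev in find_generic_account_use(evs):
        print(f"UNATTRIBUTABLE: {ev['ts']} store={ev['store']} {ev['term']} user={ev['user']} {ev['action']}")
    for user, acts in card_activity_by_user(evs).items():
        print(user, acts)
```

Any event flagged as unattributable is a residual shared-account login that the unique-ID rollout should have removed; the per-user summary is the audit trail the logging requirement asks for.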
Steak n Shake is in the process of replacing its old VSAT communications
links with a new T1 network featuring secure point-to-point VPN
connections tying each store to headquarters. It is also revitalizing
its perimeter security through the addition of new intrusion prevention
and detection tools, as well as security event management technology for
centralized event logging and correlation.
PCI rules prohibit merchants from storing payment card data on any POS
system, so Steak n Shake is upgrading all POS software systems to
PCI-certified versions. The company has hired Qualys Inc. to perform
quarterly vulnerability scans of its network perimeter as required by
PCI. In addition, the restaurant chain is getting Qualys to perform a
similar quarterly vulnerability assessment of its internal network to
mitigate data threats from inside.
Steak n Shake has also started a security awareness campaign designed to
inform its 22,000 employees of what they can do to protect cardholder
data. "Technology controls are great, but if people and processes are
not there," the controls are worthless, he said.
Implementing and demonstrating the controls that are needed in order to
be PCI-compliant at a Tier 1 level can be challenging, said Terry Ramos,
director of strategic development at Qualys. That's especially true for
a company such as Steak n Shake, which as recently as last August was a
Tier 4 vendor, he said. At the Tier 4 level, PCI requirements are really
little more than recommended best practices with few or no validation
requirements, Ramos said. A Tier 1 merchant, on the other hand, has to
actually follow all of the requirements and then have a third party
validate compliance, he noted.
It's not just the systems that actually handle credit card data that
need to be validated; all other network assets that connect to these
systems have to be checked as well, Ramos said. For large companies with
legacy environments, such validation can be a huge challenge, he said.
As a result, many companies are now looking to segment their networks to
keep payment card processing systems separate from other systems, he
"The one thing about PCI that is very different [from other standards]
is that it gives very specific requirements for companies to follow,"
Ramos said. "It gives people a good idea of what they need to do."