Call Us Today! 636-557-7777  |  Get started now! |       STAY RESILIENT®

Retail 2013: Using retail systems management to maintain data security and PCI compliance

Complementing the data security framework with a single retail systems management solution streamlines the entire retail operation through centralized management. You will eliminate duplicated efforts and always be prepared to fix problems quickly.

PCI compliance is a serious business. Retailers that do business in the U.S. must prove to security auditors and credit card companies that they are taking steps to reasonably protect customers’ financial and personally identifiable information. Unfortunately, proving compliance is often a complex, costly and time-consuming task that puts a lot of burden on retailers’ infrastructure and IT operations.

A Retailer in Trouble
Omega ATC understands these pressures very well. We work with retailers of all sizes from all over the country to secure customer information to help them meet and prove PCI compliance.

Recently, Omega ATC was involved with a large retailer with 150 stores and gas stations across the Eastern U.S. As a Level 2 retailer, the company processes several million credit card transactions per year. As part of its Data Security Operating Policy (DSOP) compliance program, American Express asked the company to submit to an IT infrastructure security audit conducted by a Qualified Security Assessor (QSA) firm. Unfortunately, the retailer failed the audit with 68 gaps and was given a few months to address and correct the issues of non-compliance. The acquiring bank notified Visa and MasterCard that this retailer had failed a PCI audit.

Over the next several months, the retailer worked with Omega to close the gaps in its compliance checklist. The rapid response from Omega ATC surely required considerable effort on everyone’s part and a sound project management process.

Retail Data Security Challenges and Expectations
The first step is recognizing the unique security and compliance challenges that retail organizations face. Operations are likely spread across a geographic region or around the world, and data is created and accessed on the edge of the network in the form of credit card transactions. At the same time, this decentralized infrastructure is likely managed by separate IT groups who then have to work with the IT Data Security team to resolve issues—an extremely inefficient security strategy.

Margins in the retail industry can be razor thin; making the fines associated with non-compliance a big deal. VISA fines its retailers a minimum of $5,000 each month of non-compliance while AMEX fines start at $50,000. Actual data compromises result in much higher fines and can be levied individually by each card company. International card companies can also fine retailers, and state governments are starting to levy heavy fines as well. Criminal non-compliance can result in the retailer being dropped from the card company’s network.

The second step is to understand what is expected of the retailer by regulators, auditors and the credit card companies. All Level 1 and Level 2 merchants have to undergo regular audits, penetration tests and demonstrate that data is safe from malicious attacks. While critical to maintaining compliance, these tests can be disruptive, costly and time-consuming. Retailers also need to have an incidence response plan that shows the organization is able to quickly identify breaches and remediate them efficiently. In addition, the plan needs to outline the steps the retailer would take to contain the breach and identify why the breach occurred.

Using IT systems management to complement data security efforts
Omega ATC recommends that retailers use a systems management solution to complement data security and compliance efforts. It will create a consolidated solution that is able to identify, contain, remediate and report security status and breaches. Systems management solutions when combined with data security components, can identify missing patches and expired antivirus files, identify anomalies in event logs, scan for internal vulnerabilities, detect wireless intrusions and monitor for file integrity.

Using a single pane of glass, administrators will be able to streamline security management, remediate issues quickly, reduce duplicated efforts, control costs, minimize user disruption and document efforts through central reporting. This way, retailers can manage the total environment from POS systems, in-store servers and mobile devices to back office infrastructure and network components.

Here are 10 ways IT systems management and data security intersect:

  1. Apply OS security patches to bring systems up to date
  2. Update software consistently on all systems
  3. Create automated procedures to fix security issues
  4. Monitor systems in real-time for “exceptions”
  5. Monitor suspicious bandwidth spikes
  6. Capture detailed logs with filters to isolate critical issues
  7. Send alerts to multiple people depending on roles
  8. Run file integrity monitoring
  9. Create custom reports to satisfy internal policies and external auditors
  10. Manage endpoint security

Measuring Success
Within months of engaging with Omega ATC, the large East Coast retailer was able to close all 68 gaps in its compliance status and was reapproved by Trustwave. The credit card companies were satisfied that their customers’ financial and PII data were safe, and normal operations commenced without disruption.

As a result of the Omega ATC engagement and by following our advice, many of the Retailer’s compliance issues disappeared and the entire environment and POS systems were running optimally. At the same time, the retailer was able to eliminate some of the manual tasks that sapped the IT teams’ time and resources. Above all, the retailer’s data security and PCI compliance strategies grew more robust and partnerships with the credit card companies were preserved.

Call us. We can help you. Phone: 636-557-7777, email