Plug-and-Play PCI Security
It’s the headline no retailer wants to see: a massive breach involving shoppers’ personal data. And yet, despite increased efforts, these breaches keep happening. Millions of records full of personal information have been exposed, and the causes are many: unintended disclosure, hacking or malware, payment card fraud, dishonest employees or contractors, and lost documents or storage devices.
Are crooks getting smarter or are retailers not taking enough precautions?
“I definitely think it’s both,” suggests Cliff Duffey, president and CEO of network security service provider Cybera. “Criminal techniques are an ongoing evolution. They are always looking for new ways to get cardholder information. But it is also a constant challenge for retailers to upgrade their systems to deal with new threats.”
There is also the very practical need for retailers to be PCI DSS compliant if they want to keep their ability to accept and process customer payment cards, and to avoid litigation fees, the costs of notifying customers of a breach and the high cost of a tarnished brand.
Most breaches take place at the store in one form or another, Duffey reports: not necessarily in transmission, but through card skimming or through cardholder information that is not stored appropriately.
“In our experience, the risk on a per-swipe basis is relatively low, but I think the frequency of card breaches seems to be slightly more common than other types of breaches in part because of an open market for the data,” he says. “There is a marketable value on cards.”
Cybera senior vice president of marketing and strategy Dan Glennon notes that, in addition to physical breaches, the store network itself can be vulnerable because it can provide access to all of that data.
Tackling the challenge
Boise, Idaho-based Stinker Stores, a chain of 67 convenience stores offering eco-friendly fuels, began working with Cybera in 2010.
“I was looking for someone to get in the PCI ring with us,” says Stinker IT manager Cory Mooney. “We had already implemented a solution to address PCI [security] that was quickly becoming non-compliant — like our ability to scan for rogue wireless devices. Before Cybera ONE, we were using a firewall. We did some segmentation on that device, but our first implementation in regards to PCI was in February of 2008. It was more of a homegrown solution. We were rather early adopters to PCI because nobody was segmenting the way I initially wanted.”
The Cybera ONE platform bundles multiple security features and functions — which could be expensive if each were purchased separately from several vendors — under a single, affordable solution.
Durango, Colo.-based Rocky Mountain Chocolate Factory, a franchisor with 368 stores in 40 states, installed Cybera ONE in all company-owned stores in 2009. Based on its recommendation, some 40 franchisees followed suit, with more to follow this year. In addition, several of the company’s Aspen Leaf Yogurt stores have installed the same system.
Prior to the Cybera ONE installation, the company lacked a PCI security system; the management team, however, recognized the need to be PCI-compliant.
“We didn’t have specific weaknesses in our retail environment, but we wanted to incorporate a turnkey solution for PCI DSS compliance in our operating system,” says William Key Jobson, CIO for Rocky Mountain Chocolate Factory. “The system gives us much better visibility to the security environment in those geographically diverse stores than we had before. The Cybera ONE system is delivering the protection we were looking for.”
Costs and installation
Cybera does “a very good job ... in one integrated solution” covering firewall, Wi-Fi security, Wi-Fi services, wireless scanning, intrusion protection and prevention, content filtering and security event management, Duffey says. “We can pull the log data off the POS to see if a hacker or employee has done something. We provide a Virtual Private Network, and we also do a 3G wireless backup connection. We go in with a single piece of equipment, one simple appliance that is hosted in the cloud.”
This bundling of features and functions, Duffey says, allows Cybera to offer a comprehensive solution for roughly one-fifth the cost of some other systems. “On a per-store basis, we are seeing retailers spend $2,000 to $3,000 per year on software, hardware and systems integration people, while our plug-and-play solution is a single appliance costing $500,” he says.
“Almost 90 percent of our installs are done by store personnel, and the actual installation time is less than 30 minutes,” Duffey says. “Our system is designed so that we can ship a box to the store, with store personnel plugging in the appliance. That appliance then calls into the data system. It’s all done automatically.”
Mooney agrees that “installation is definitely simple and uncomplicated. We spent some time working out our customer configuration — after that it was just plug-and-play. We recently acquired 14 new locations and for them I filled out one form regarding our IP configurations. The appliances were delivered the following week and the installs went just as expected.”
Jobson also cites quick, uncomplicated installation as having been “key in our selection of Cybera. They would be working with individual franchisees with limited IT knowledge, and they delivered on their promise with an installation process that took just hours. The key to our success with Cybera ONE is the turnkey approach to delivery.”