For Alan Atwood, vice president of Payless Grocers, Coeburn, Va., a firewall system installed in February means not only PCI compliance, but peace of mind.
While on vacation recently, he received an email alert on his BlackBerry saying the firewall was down at one of his three locations due to an electrical storm, causing credit-card processing to go offline. Shortly thereafter, another email came reporting that the firewall was back up.
“I was 700 miles away, but I was kept in the loop on anything that happened with my firewall,” he said.
As the retail industry grapples with a rising tide of data security threats and breaches, and reevaluates whether the PCI (Payment Card Industry) Data Security Standard should require newer technologies such as end-to-end encryption and tokenization, retailers are turning to a range of more established systems and processes to secure their card transactions and cardholder data.
Payless is using a firewall-based security system from Secure Designs Inc. (SDI), Greensboro, N.C. For a fixed monthly fee, SDI manages, monitors and reports on all aspects of Payless' internal payment network. “The firewall keeps everything out,” such as spyware and viruses, said Atwood. Even for routine maintenance, he calls SDI to provide permission to open up the network ports.
The biggest challenge, Atwood said, was securing the communications from gas pumps at his Coeburn store, which also offers a gas loyalty program.
Payless also recently upgraded its POS system to an IBM SurePOS platform and a VeriFone payment terminal that is PCI PED-compliant.
Bozzuto's, a wholesaler based in Cheshire, Conn., uses several data security strategies to protect its eight corporate stores that operate as Adams Super Food Stores, and keep them PCI compliant. It also makes these strategies available to the independent retailers it supports.
“The No. 1 area at the POS is making sure the payment card device itself is tamper resistant,” said Steve Methvin, vice president of retail technologies and e-commerce systems for Bozzuto's. Over the past two years, Bozzuto's has favored secure terminals from VeriFone and Hypercom. “Both become inoperative if anything other than normal transactions takes place,” he said.
Bozzuto's carefully manages the maintenance of the terminals so that only authorized personnel are given access to them. The wholesaler is also scrupulous about who is allowed into the rooms housing POS servers. “We have them in a secure location and monitor them with video cameras.”
Bozzuto's also employs network segmentation to ensure that its store payment system is “hidden from the rest of the network,” said Methvin.
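The two controls described above, a default-deny firewall in front of the payment network that is opened only on request for maintenance (Payless) and segmentation that keeps the payment system hidden from the rest of the store network (Bozzuto's), come down to the same policy shape: a short allow list evaluated first-match, with everything else dropped. The following is an added illustration written for this page, not code from the article, from Secure Designs Inc. or from Bozzuto's; the address ranges, hostnames and rule names are constructed placeholders, and the time-boxed maintenance rule is an assumed way of modelling "call to have the port opened" rather than anything the article attributes to SDI.

```python
import ipaddress
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Flow:
    src: str      # source IP address
    dst: str      # destination IP address
    proto: str    # "tcp" or "udp"
    dport: int    # destination port


@dataclass(frozen=True)
class Rule:
    name: str
    src_net: str
    dst_net: str
    proto: str                          # "tcp", "udp" or "any"
    dport: Optional[int]                # None matches any destination port
    action: str                         # "allow" or "deny"
    expires: Optional[datetime] = None  # set only on time-boxed maintenance exceptions

    def matches(self, flow: Flow, now: datetime) -> bool:
        if self.expires is not None and now >= self.expires:
            return False  # an expired exception behaves as if it were never written
        if ipaddress.ip_address(flow.src) not in ipaddress.ip_network(self.src_net):
            return False
        if ipaddress.ip_address(flow.dst) not in ipaddress.ip_network(self.dst_net):
            return False
        if self.proto != "any" and self.proto != flow.proto:
            return False
        return self.dport is None or self.dport == flow.dport


# Constructed address plan (placeholders, not any real store's network):
POS_VLAN = "10.10.20.0/24"      # card terminals and POS servers (the hidden segment)
OFFICE_LAN = "10.10.50.0/24"    # back-office PCs, printers, guest devices
MGMT_HOST = "10.10.99.5/32"     # the single host the managed-service provider uses
PROCESSOR = "203.0.113.10/32"   # payment processor endpoint (TEST-NET-3 documentation range)


def base_policy() -> List[Rule]:
    """Only the card-processing path is allowed; every other flow falls to default deny."""
    return [
        Rule("pos-to-processor", POS_VLAN, PROCESSOR, "tcp", 443, "allow"),
    ]


def maintenance_exception(opened_at: datetime, hours: int = 2) -> Rule:
    """Assumed model of a maintenance opening: one source host, one port, fixed expiry."""
    return Rule("maintenance-ssh", MGMT_HOST, POS_VLAN, "tcp", 22, "allow",
                expires=opened_at + timedelta(hours=hours))


def evaluate(flow: Flow, rules: List[Rule], now: datetime) -> Tuple[str, str]:
    """First-match evaluation; a flow that matches no rule is denied."""
    for rule in rules:
        if rule.matches(flow, now):
            return rule.action, rule.name
    return "deny", "default-deny"


def sample_decisions(now: Optional[datetime] = None) -> dict:
    """Evaluate constructed flows against the policy; returns label -> (action, rule)."""
    now = now or datetime.now(timezone.utc)
    opened_at = now - timedelta(hours=1)   # exception opened an hour ago, still valid
    rules = [maintenance_exception(opened_at)] + base_policy()
    later = now + timedelta(hours=3)       # after the maintenance window has closed
    flows = {
        "pos_to_processor":      (Flow("10.10.20.15", "203.0.113.10", "tcp", 443), now),
        "office_to_pos_smb":     (Flow("10.10.50.7", "10.10.20.15", "tcp", 445), now),
        "pos_to_office_web":     (Flow("10.10.20.15", "10.10.50.7", "tcp", 80), now),
        "mgmt_ssh_in_window":    (Flow("10.10.99.5", "10.10.20.15", "tcp", 22), now),
        "mgmt_ssh_after_window": (Flow("10.10.99.5", "10.10.20.15", "tcp", 22), later),
        "pos_to_processor_udp":  (Flow("10.10.20.15", "203.0.113.10", "udp", 443), now),
    }
    return {label: evaluate(f, rules, t) for label, (f, t) in flows.items()}


if __name__ == "__main__":
    for label, (action, rule) in sample_decisions().items():
        print(f"{label:24s} {action:5s} ({rule})")
```

Two details carry the security point. The payment VLAN is isolated in both directions: office-to-POS traffic is dropped, and so is POS-to-office traffic, so a compromised back-office PC cannot reach the card environment and a compromised POS host cannot reach out to anything but the processor. The maintenance rule is the only way in, it names one source host and one port, and it stops matching on its own once the window passes, so a forgotten opening does not become a permanent hole.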