Case Studies: Retail


Retail

Client: A very large national retail chain

Solution Type: Compliance (PCI DSS)


Situation

Our client, a large national retail chain with more than 6,000 locations in the U.S., was concerned about PCI DSS compliance and faced two challenges:

  • Electronic communications between a centralized helpdesk and devices at each remote location were transmitted unencrypted. This was a serious security concern because the store devices could hold sensitive cardholder data, and anyone able to observe the traffic could read it; and

  • Auditors were unable to monitor and track all the activity of users who had access to the devices from which this data was transmitted. The company faced a significant development effort to build a solution that would track and monitor each user accessing in-store devices. In fact, the company was not confident it could develop a tracking and monitoring system adequate to satisfy Requirement 10 of the PCI DSS (track and monitor all access to network resources and cardholder data).

Management had decided to discontinue the use of Telnet, which carries credentials and session data in cleartext, and needed a replacement communications solution that would satisfy the PCI DSS.

Our Challenge

Xceedium was tasked with securing the information transmitted electronically each day between the client's centralized helpdesk and the devices in each of its more than 6,000 locations, to prevent a potentially devastating leak of customer credit card data. The data traveled over a private network rather than an "open" public one, so PCI DSS Requirement 4 (encrypt cardholder data in transit over open, public networks) did not strictly apply; nevertheless, we were challenged to encrypt the transmission of cardholder data as an extra measure of protection. We also needed to bring the client into compliance with key PCI DSS requirements very quickly, particularly Requirement 10, which calls for tracking and monitoring all access to network resources and cardholder data.

The Xceedium Solution

Each store was connected back to the data center in a hub-and-spoke design, so Xceedium installed a cluster of six GateKeepers in the client's corporate data center to meet the compliance and performance requirements of this very large chain and to provide failover and load balancing. The number of GateKeepers was sized from the maximum number of concurrent user sessions that could be required at any one time: a total user community of 500, of whom at most 100 would be active at once, each averaging 6 active sessions, for a peak of roughly 600 concurrent sessions. Sizing for failover means the cluster must still carry that peak with one or more nodes out of service.

This solution has enabled the client to stop using Telnet for access to the devices in each store. The client is no longer exposed to the security gap and non-compliance that existed previously, when data traveled unencrypted across the network between the stores and the corporate office and there was no reliable monitoring of user access to the IT infrastructure. Because every session now passes through the GateKeeper cluster, access can be granted per user and per role, which also helps satisfy PCI DSS Requirement 7 (restrict access to cardholder data by business need to know).

Business Benefits

PCI DSS compliance is a contractual obligation that the retailer accepts in order to process card payments; it is an industry standard enforced through the card brands and acquiring banks, not a law. A retailer that is not compliant with the PCI DSS is in breach of that contract, and the card brands can take the following actions if a retailer does not abide by the security standards.

  • Visa alone may charge a company up to $500,000 per incident if their network and the consumer information are compromised.

  • The retailer may lose the ability to accept cards issued under that card brand – potentially crippling in today's retail environment.

  • If the retailer even suspects that consumer information may have been compromised and does not notify the card brands of the probable or actual compromise or theft of its customers' information, it will also be fined an additional amount. Again, Visa can assess fines of as much as $100,000 per incident.

  • Other fines, including monthly fines for continued non-compliance, may be charged if the card brand considers that the retailer's violations pose a risk to the card brand and/or its members.

Given the size of our client's business – number of locations, customers, transactions per location, etc. – even a short period of non-compliance could result in staggering fines, potentially hundreds of millions of dollars or more. Xceedium's GateKeeper solution was also far more cost-effective than replacing legacy POS and other IT infrastructure in 6,000+ locations, saving this client millions of dollars.

Toll Free: 877-636-5803 | info@xceedium.com
© 2008 Xceedium, Inc.