De-Tangling Security

As more clients use credit and loyalty cards during their salon visits, Regis Salons is managing more personal data than ever before. This also prompted the company’s move to protect this sensitive information as it travels over its communications network.

Minneapolis-based Regis Salons, which is owned by Regis Corp., has more than 9,500 salons (6,500 salons are corporate-owned) across North America. The company clipped its way to $2.62 billion in sales for its fiscal year 2006, which ended in June.

Regis is eyeing opportunities presented by more Internet-based connectivity available through public networks, yet the company currently operates its network with “old-fashioned asynchronous dialup,” Bernie Rominski, IT security officer, told Chain Store Age.

Since the company is not likely to switch its infrastructure in the near future, according to Rominski, Regis did want to further protect its existing network—and a new flow of incoming customer information.

For example, approximately a year ago the chain launched a loyalty program. The proliferation of credit-card usage at salons is also impacting the company.

Besides having no encryption capabilities in place, Regis’ dial-up networks “had weaker security controls than we wanted,” he explained. “This became more of an issue as card information is leveraged by our back-end systems.”

Once credit-card information is collected at the point of sale and transmitted to a corporate database, for example, Regis’ loss-prevention system will analyze transactions to detect incidents of credit-card fraud or misuse across its enterprise.

Even though the company truncated all but the last four digits of a credit card, “We found that truncated card numbers resulted in too many false matches,” Rominski said. “We needed a way to perform this analysis using unique identifiers in place of account numbers. This would improve the accuracy of our reporting and still protect the customer’s credit-card information.”

And efforts couldn’t start soon enough. In late 2005 and early 2006, information breaches were becoming a common occurrence across the retail industry, and mandates, including the PCI (Payment Card Industry) requirement, were steadily being announced.

“Due to the risks, we started searching for a solution that would limit the exposure of our sensitive data and reduce the risk of potential incidents,” he noted.

In spring 2006, the company canvassed the marketplace for a solution that would support secure communications and data encryption. The solution also had to integrate with Regis’ IBM-based iSeries platform, a family of mid-range servers that runs a variety of operating systems.

By choosing a solution from Atlanta-based nuBridges, Regis can run secure transactions without leaving private keys and data vulnerable to hackers.

Regis began adding the solution in October. Its first task was to convert workstation payment applications. “This application collects customer information at the point of sale and transmits data to the back end,” he said.

Next, the team converted peripheral applications that are linked to the sales database. “This included solutions like customer relations that enable associates to look up transactions, or resolve customer complaints, discrepancies or refunds,” he said.

Now as customers pay with a credit card, information is encrypted as the transaction is input to the POS. Regis polls its stores each evening, and iSeries delivers data to the centralized database. Here, nuBridges analyzes the ciphertext to retrieve the correct secret-encryption keys to decrypt the data.

“At that point, the credit-card information is re-encrypted, and nuBridges supplies the safe index number we use to feed the subordinate systems. This limits the storage of actual account numbers in that single location,” Rominski reported.

Regis is still piloting applications and planning its store-level deployment. To date, POS units at 1,000 locations are prepared for the upcoming PCI mandate, and the solution should be live enterprise-wide by the end of the year.