Staying Ahead of the PCI Game

As retailers work hard to stay ahead of Payment Card Industry Data Security Standard compliance mandates, their efforts are constantly being tested as new requirements are put into effect. At the same time, chains are consumed with protecting sensitive customer data and staying abreast of any potential exposure points or potential breaches—processes that force them to continually test the integrity of Web-based customer-facing applications, internal databases, networks, firewalls, and even store-level hardware and front-end peripherals.

The newest issue affecting retailer PCI efforts revolves around Section 10 of the standards, which requires that companies track and monitor all access to cardholder data. For most chains, this means they must audit all users with data access, and protect all data logs from intentional modification or tampering.

This created a challenge for Wilsons Leather, a specialty apparel and accessories retailer that is supported by a small 11-person IT team.

“We are not a huge IT shop, so we wear many hats—one of them being the support team of PCI compliance,” explained Frank Carrigan, manager of production control, Wilsons Leather, Brooklyn Park, Minn., which operates Wilsons Leather Outlet stores and also sells via its e-commerce site. “Due to the size of our staff, it was impossible to dedicate the resources needed to perform these manual reviews.”

The mandate really began taking its toll as the chain’s IT team began reacting to events and searching for system logs after realizing an issue had occurred. How ever, the debut of SOX Section 404 (SOX404) pushed the chain toward a change.

SOX404 requires all publicly held companies to establish internal controls and procedures for financial reporting, and these operations must be documented, tested and maintained. The goal of these reporting processes is to reduce fraud.

“Since these rules are more subjective to what auditing firms consider ‘mandatory,’ it was important that we establish these controls,” Carrigan explained. “This, combined with PCI changes that have caused reporting rules to become much more rigid, allowed for a very small margin of error.”

The margin is so small that Wilsons researched the value of security-information and event-management (SIEM) software.

SIEM software delivers real-time monitoring and historical reporting of security events from internal networks, systems and business applications. For Wilsons, the ideal SIEM application had to monitor network activity stemming from anything with an IP address, “and take action when there is a risk detected,” Carrign explained. “We realized it was an efficient way to search through detailed log data easily and generate reports based on established best practices.”

Besides helping the chain achieve PCI compliance, the new solution needed to be easy to implement and manageable without expanding its IT team. It also had to fit Wilsons’ overall PCI project budget—something that unexpectedly grows for some chains.

The retailer found its answer in the TriGeo SIM solution, from Post Falls, Idaho-based TriGeo Network Security. The server appliance sits on the company’s network and pulls all data streams that cross the network into a dedicated storage device.

TriGeo automatically analyzes the data and generates electronic reports that share an enterprise-wide visibility into everything occurring on the Wilsons network, allowing it to maintain and defend data.

“TriGeo makes my job easier by acting as an extra IT employee that never sleeps and takes the right action to protect my network every time,” Carrigan said.

Since adding the solution in February 2008, Wilsons is meeting PCI data security requirements. The system has also improved Wilsons IT security, according to Carrigan.

“We estimate it would require at least one additional fulltime network services employee to do what the solution manages,” he said. “The average annual salary for this employee would be $80,000. By using the solution, we are saving this capital annually, and we have n’t missed a single event.”

Wilsons also monitors Universal Serial Bus device usage across the network. (Portable USB flash drives, which can store data files, are removable and rewritable—a dangerous tool in the hands of a dishonest employee.) The vendor offers a USB Defender application, which prevents employees from using these devices, but Wilsons has not yet added the solution.