Steak n Shake beefs up security

It's made changes to meet the stringent Payment Card Industry standard

Credit card security may not exactly be a top-of-mind item for customers dining on steakburgers and milkshakes at any of the 450-odd Steak n Shake restaurants scattered around the Midwest and Southeast.

But it has been a priority for the technology organization at the Indianapolis-based fast food chain since last August, when the number of credit card transactions the company accepts every year crossed the 6 million mark for the first time.

That number put Steak n Shake into a category of businesses subject to the most stringent requirements of a data security standard being pushed by major credit card companies such as Visa International, MasterCard Worldwide, American Express and Discover.

The standard, known as the Payment Card Industry (PCI) Data Security Standard, requires all entities that handle payment cards to implement a set of 12 security controls for protecting card data. The measures include encryption, periodic network vulnerability scans, logical and physical access controls, and activity monitoring and logging. Under PCI, companies are classified into four groups depending on the number of credit card transactions they handle annually, with Tier 1 being the largest. Companies that fail to implement the requirements are subject to substantial fines and can even have their right to accept cards revoked.

For Steak n Shake, the Tier 1 classification last August had major IT implications, said Sean Smith, director of strategic technology services at the company. At that time, Steak n Shake had been accepting credit and debit card payments for only about two and a half years and had been considered a Tier 4 merchant under PCI.

"We went from ground zero to a Tier 1 in a very short period of time," Smith said. In the process, "our PCI requirements and the difficulty of attaining them changed by a magnitude of sixfold to tenfold," he said.

Some of the biggest changes had to be made at the store level. For instance, the generic usernames and passwords that were used in the past by store employees who needed access to point-of-sale (POS) systems were replaced with an Active Directory-based unique username and password system that could be centrally monitored and managed.

"Most store operations historically have had high [employee] turnover rates," so it was easier to have generic usernames and passwords for access to POS systems, Smith said. Under PCI, however, "we need to know who is accessing what, when and where," he said.

The company also had to roll out tools for centrally managing the assets in its stores and for pushing out patches, antivirus updates and other software to them. The fast food chain has also put in place capabilities for logging and auditing all store-level transactions involving payment card data, as required by PCI.

Steak n Shake is in the process of replacing its old VSAT communications links with a new T1 network featuring secure point-to-point VPN connections tying each store to headquarters. It is also revitalizing its perimeter security through the addition of new intrusion prevention and detection tools, as well as security event management technology for centralized event logging and correlation.

PCI rules prohibit merchants from storing payment card data on any POS system, so Steak n Shake is upgrading all POS software systems to PCI-certified versions. The company has hired Qualys Inc. to perform quarterly vulnerability scans of its network perimeter as required by PCI. In addition, the restaurant chain is getting Qualys to perform a similar quarterly vulnerability assessment of its internal network to mitigate data threats from inside.

Steak n Shake has also started a security awareness campaign designed to inform its 22,000 employees of what they can do to protect cardholder data. "Technology controls are great, but if people and processes are not there," the controls are worthless, Smith said.

Implementing and demonstrating the controls that are needed in order to be PCI-compliant at a Tier 1 level can be challenging, said Terry Ramos, director of strategic development at Qualys. That's especially true for a company such as Steak n Shake, which as recently as last August was a Tier 4 vendor, he said. At the Tier 4 level, PCI requirements are really little more than recommended best practices with little or no validation requirements, Ramos said. A Tier 1 merchant, on the other hand, has to actually follow all of the requirements and then have a third party validate compliance, he noted.

It's not just the systems that actually handle credit card data that need to be validated; all other network assets that connect to these systems have to be checked as well, Ramos said. For large companies with legacy environments, such validation can be a huge challenge, he said. As a result, many companies are now looking to segment their networks to keep payment card processing systems separate from other systems, he said.

"The one thing about PCI that is very different [from other standards] is that it gives very specific requirements for companies to follow," Ramos said. "It gives people a good idea of what they need to do."

Copyright © 2007 IDG Communications, Inc.
