Restaurant Chain Beefs Up Payment Card Protections

Steak n Shake changes security menu to meet heightened PCI requirements

In the past, credit and debit card security wasn't a huge concern at The Steak n Shake Co., which operates more than 450 restaurants in the Midwest and Southeast. But it has been a top priority for the chain's IT organization since last August, when the number of card transactions that Steak n Shake processes annually passed the 6 million mark.

That put the Indianapolis-based chain into the category of businesses that are subject to the most stringent requirements of a data security standard mandated by the major credit card companies.

Moving into the Level 1 classification under the Payment Card Industry (PCI) Data Security Standard had big IT implications for Steak n Shake, said Sean Smith, its director of strategic technology services. The company had been accepting card payments for only about two and a half years, and before August, it was considered a Level 4 merchant, the lowest tier on the PCI scale.

Requirements Multiplied

"We went from ground zero to Tier 1 in a very short period of time," Smith said. "Our PCI requirements and the difficulty of attaining them changed by a magnitude of sixfold to tenfold."

The new card payment security measures at Steak n Shake include a centrally managed username and password system for restaurant employees.

PCI requires all entities that handle payment cards to implement a set of 12 security controls, including data encryption, logical and physical access controls, and activity monitoring and logging. Companies are classified into four groups, depending on the number of card transactions they process annually. Businesses that are in the top group, like Steak n Shake, are required to undergo quarterly network security scans and an annual on-site security audit.

Some of the biggest changes at Steak n Shake had to be made at the restaurant level. For instance, the generic usernames and passwords used in the past to access point-of-sale systems were replaced by a log-in system based on Active Directory that can be centrally monitored and managed. "Under PCI," Smith said, "we need to know who is accessing what, when and where."

The company also had to roll out tools for centrally managing the IT assets in its restaurants and pushing out software patches and antivirus updates to the systems. In addition, Smith said, Steak n Shake can now log and audit all restaurant-level transactions involving payment card data, as required by PCI.

In another facet of the compliance effort, Steak n Shake is replacing its VSAT satellite communications links with a T1 network that will tie each restaurant to headquarters via secure point-to-point virtual private network connections. And to better secure its network perimeter, the chain is adding intrusion-prevention and -detection tools, plus security event management technology with centralized logging and correlation.

Smith declined to disclose what the security upgrades are costing Steak n Shake, which has hired Qualys Inc. to do the required quarterly vulnerability scans of its network perimeter. Qualys will also conduct similar assessments of its internal network to help mitigate potential security threats from insiders.

Implementing and demonstrating the controls needed to comply with PCI at Level 1 can be challenging, said Terry Ramos, director of strategic development at Redwood Shores, Calif.-based Qualys. That's especially true for a company like Steak n Shake, whose compliance level has abruptly changed, Ramos said. He noted that at Level 4, the PCI mandates are little more than best practices, with no specified validation requirements.

Getting reclassified on the PCI scale can often be a rude awakening for organizations, said Chris Noell, president of TruComply, an Austin-based consulting firm that focuses on the payment card industry. "Level 4 companies," he added, "are rarely aware of their compliance obligation, much less doing anything about it."

"The difference can be like night and day," agreed Gartner Inc. analyst Avivah Litan. "Level 1s come under a much bigger magnifying glass."

Copyright © 2007 IDG Communications, Inc.