The leadership team at McIndy Ventures, LLC, faced a challenge when seeking to achieve PCI compliance at all 15 McAlister’s Deli franchise locations in Indiana. The biggest obstacles were the same ones many merchants face: understanding all of the PCI DSS requirements and determining what was needed to build a secure and compliant network. McIndy Ventures researched PCI compliance and realized the extent of what was needed, which led to yet another challenge. The main issue when facing PCI compliance for the 15 locations was finding the time needed to implement and maintain the software and hardware required for compliance. After analyzing the structure of all the McIndy locations’ networks, it became obvious that it was necessary to seek out a third-party vendor that could meet the franchisees’ PCI compliance needs.
The urgency of implementing a PCI-compliant solution was amplified by the steadily increasing rate of non-compliance notices McIndy was receiving from the major credit card companies, predominantly American Express. When merchants such as McIndy cannot prove compliance through Self-Assessment Questionnaire (SAQ) forms and vulnerability scanning, credit card companies have the right to impose fines and penalties, or even revoke a merchant’s ability to process credit cards at their business. The PCI SSC classifies McIndy as a level two merchant, which is a merchant that processes one million to six million Visa or MasterCard transactions or 50,000 to 2.5 million American Express transactions annually. Due to McIndy’s high transaction rate, they are seen to be at greater risk, and therefore the credit card companies enforce PCI requirements more firmly on them than on smaller merchants.
The concern the card brands have regarding data breaches is certainly warranted based on statistics Visa has reported. In 2011 alone, restaurants accounted for 73% of all breach incidents within the United States.
The McAlister’s Deli corporate IT group directed McIndy to its recommended PCI compliance and network security vendor, SecureConnect Inc. After looking into SecureConnect’s PCI Managed Security Packages, McIndy decided that partnering with SecureConnect was indeed the right fit for the business. The fully managed firewall to protect the cardholder data network, secure public Wi-Fi capabilities, network segmentation and the ability to remotely access the DVR system and digital signage were all components that McIndy found appealing.
Data compromises can go unnoticed for days, if not weeks, without the proper network logging and monitoring. Given that fact, it is invaluable to have these tools in place with the SecureConnect PCI Managed Security Package. Data security is not all about prevention; it’s just as much about actively monitoring for threats to help avoid a potential compromise. If one of a business’s other security defenses falls short and a breach occurs, proper monitoring and detection make it possible to see what is going on and prevent cardholder information from being stolen. This is an example of layered security at work.
McIndy worked with SecureConnect to determine the network configurations of each store’s environment, and a complete installation schedule was set for all 15 restaurants. Hardware was specifically configured for each location by SecureConnect technicians. McIndy leveraged the self-installation process and was able to install the hardware at its convenience, with each location taking about 1½ hours to complete the setup and testing. After just a month, all McIndy locations were installed with SecureConnect services and were being provided with around-the-clock monitoring and support. Additionally, SecureConnect provided McIndy with assistance on completing the Self-Assessment Questionnaire (SAQ) forms and performing vulnerability scans to help prove compliance, both of which were needed to meet the validation requirements of the card brands.
From McIndy’s perspective, with PCI compliance becoming an increasingly involved, convoluted and extensive process, SecureConnect helps simplify it all and provides adequate insight on maintaining compliance. In all, McIndy’s PCI compliance process required a high level of attention and devotion of time, but it was made easier with the right vendor partner. The PCI-compliant solutions integrated easily into their network, and now McIndy has the peace of mind that all locations are secure.
Geritt Guillaume is McIndy Ventures, LLC’s Director of Information Technology and handles the technology needs for all 15 of their McAlister’s Deli locations.