STORES Magazine - November 2008 - (Page 48)

NUTS AND BOLTS / PCI COMPLIANCE plugs in a USB device that is not approved by Maverik, the port is automatically disabled and a record of the attempt is made. This can sometimes be the result of innocent mistakes, such as when a store was being remodeled and a construction worker used a server to recharge his cell phone. But Maverick now has records of such situations and can look into the matter so that it knows exactly what is going on with the systems that hold its vital databases. The result has been increased security for the company. “Our original goal eye on,” Sitter says. Enabling the fast turnaround in getting the system operational — and helping Maverik meet the three-month hard deadline — was the fact that TriGeo was able to build an agent system that was compatible with Maverik’s existing AS400 Windows system. “They have an agent on the market now, but at the time they had to build it special for us,” Sitter says. The TriGeo Security Information Manager is an appliance which can be installed in retailers’ existing data center. It monitors all the activity related to data “Our original goal was to be in [PCI] compliance, but we realize now there is a lot more information we can receive to improve our security and our operations.” — Darren Sitter, Maverik Country Stores was to be in [PCI] compliance, but we realize now there is a lot more information we can receive to improve our security and our operations,” Sitter says. An important component of the TriGeo system is that it sends alerts and reports that are meaningful. “We’re not looking at millions of pieces of data,” Sitter says. “We have 200 to 300 log-ins a day so we can’t look at every one. This system alerts us to what log-ins are important for us to examine.” Customized monitoring The system also examines vendor logins and keeps an eye on what data they are seeing. “TriGeo had some canned alerts — things that they knew most retailers would want to watch — but we were also able to predefine our alerts by telling them what we wanted to keep an 48 STORES / NOVEMBER 2008 security, sends e-mails when suspicious fraud is detected and even shuts down servers in extreme circumstances. It also sends regular reports that analyze behavior related to the data access. The TriGeo system looks at where payment data is stored, who has access to that data and where that data is moved, says Michael Maloof, chief technology officer for TriGeo. That includes administering and protecting passwords and verifying that security policies and practices are being made. “There is a lot of misunderstanding about Section 10 of the PCI standard with regard to monitoring data,” Maloof says. “You have to be able to demonstrate that you can analyze what is happening with your data, not just pull information together.” Fraud issues Too many retailers approach PCI compliance as a list from which requirements need to be checked off, he says, rather than really looking to see whether what they are doing is truly secure. “You may pass the audit and be certified and that saves you from having to pay fines, but there are other issues to consider,” Maloof says. “If your system is breached, you are liable for all the fraud that can occur. Just passing the audit isn’t enough if you are not completely aware of what is going on within your system.” The system also can shut down servers if it detects serious patterns of misbehavior. “If the system detects repeated unauthorized efforts to access data or sees that the same person is looking at multiple accounts after hours, it may shut down the machine and page someone,” he says. Such analysis of behavior patterns is crucial, Maloof says. “Most businesses can aggregate data regarding logons, but they lack the real-time analysis of what is going on with the system.” Retailers also need to analyze trends across various servers to see if there is a pattern of problems or abuse. “A lot of times you have silos of information so that you can see what is going on within a given server, but you lack the ability to analyze what is happening across the various business lines.” The TriGeo system is targeted at companies with between 50 and 5,000 employees. Retailers pay an upfront installation fee that starts at $20,000; they then pay 20 percent of that initial fee annually for software licensing and supStORES port services. Lauri Giesen is a Libertyville, Ill.based business writer with extensive experience in covering payment and finance issues. WWW.STORES.ORG http://WWW.STORES.ORG

Table of Contents Feed for the Digital Edition of STORES Magazine - November 2008

STORES Magazine - November 2008 Contents Executive Editor's Page President's Page Every Cup Counts What Shoppers Think Less Park Time, More Shop Time 10 Things You May Have Missed Numbers Worth Counting Full Price/Markdown Retail People Retail Held Captive First Look Concept2Watch Marketing Technology Custom Software PCI Compliance Data Security Arts Update Newsbeat LP Issues: Q&A Cover Story Surveillance Systems Online Fraud Industry Perspective LOEB Retail Letter Point of View NRF News Retail Crossword Retail Industry Calendar Last Laugh

STORES Magazine - November 2008

For optimal viewing of this digital publication, please enable JavaScript and then refresh the page. If you would like to try to load the digital publication without using Flash Player detection, please click here.