McDonald's Secret Sauce for Payment Security

When McDonald's Corp. introduced its McCafe product line, it was also cooking up a franchise-wide security initiative that had to be ready in time for the new menu's launch.

The variety and scale of the new menu items demanded a new order-taking process. Paired with the company's initiative to properly protect its payment data under the Payment Card Industry data security standard, the 18-month technology overhaul became "the largest tech deployment in McDonald's history," Rich Shetina, McDonald's USA director for information technology security and operations, said in a presentation.

McDonald's, which has 14,000 U.S. locations, faced a serious challenge when it set out a few years ago to reduce the number of terminals and other devices that come in contact with sensitive payment card data, Shetina said in a presentation at the PCI Security Standards Council's annual community meeting in Scottsdale, Ariz., last month.

At the point of sale, "we had some serious legacy technology in our system - we're talking DOS," Microsoft Corp.'s pre-Windows operating system, Shetina said. "The challenge for us in going from that kind of legacy system to the next generation of [point of sale] systems that were PCI-compliant was huge."

McDonald's had five or more payment terminals in each store that were attached to other equipment, including order-taking systems and even video cameras installed in restaurant kitchens. And many were in contact with payment card information, Shetina said.

"We had 27 different versions of [payment-related] software in various forms ... and all kinds of other devices hanging off our systems that would put us within the scope of PCI," Shetina said. "We needed to isolate that card data, segment it, and get it out of scope" to reduce PCI-compliance costs and to provide better data security, he said.

McDonald's decided to blend this project with its McCafe product launch, which required a new order-and-payment system to handle more-complex orders.

But first the company would need to persuade its 2,200 franchisees that the related PCI-compliance upgrade was worth it, since those franchisees would have to chip in to pay for the new order-and-payment system.

"We had to show franchisees that they were getting a business benefit [along with PCI compliance] and that in the long run it would be a good investment," Shetina said.

The company offered financial incentives tied to deadlines to encourage franchisees to act.

McDonald's began the transition to the new system slowly by testing and experimenting before gradually picking up speed. During the implementation, which the restaurant chain completed within the past year, McDonald's replaced between five and 30 devices in each of its stores with a smaller number of order-and-payment systems designed to adapt to future changes, Shetina said.

Payment-card transaction data is now "segmented away" from the order-taking process and stored in the company's back-office computing environment. McDonald's also has added encryption technology.

"We now have virtually end-to-end encryption throughout our entire transaction flow," Shetina said.

MORE FROM AMERICAN BANKER