Each merchant seeking to comply with Payment Card Industry data-security standard requirements grapples with different challenges, but insights from security experts at McDonald’s Corp. and British Airways recently shed light on a few common headaches companies face in securing card data.
Executives from the two global giants on Sept. 22 presented case studies at the PCI Security Standards Council’s annual community meeting in Scottsdale, Ariz., explaining how their organizations overcame certain hurdles such as getting broad organizational support for PCI compliance and confronting the problems posed by older, legacy software and equipment.
“It’s very difficult to generalize about what any company needs to do to achieve PCI compliance, but there are certainly some common learnings, and merchants are coming together at community meetings like these to share information,” Jeremy King, European director of the PCI Council, told PaymentsSource at the event.
McDonald’s faced a serious challenge in its PCI-compliance efforts when it set out a few years ago to reduce the number of terminals and other devices that came in contact with sensitive payment card data at its 14,000 U.S. locations, Rich Shetina, McDonald’s USA director, IT security and operations, told meeting attendees.
“We had some serious legacy technology in our system–we’re talking DOS,” Shetina said, referring to various point-of-sale terminals integrated with order-processing computers that relied on older Microsoft Corp. computer operating systems. “The challenge for us in going from that kind of legacy system to the next generation of POS systems that were PCI-compliant was huge.”
McDonald’s had five or more payment terminals in each store that were attached to other equipment, including order-taking systems and even video cameras installed in restaurant kitchens. And many were in contact with payment card information, Shetina said.
“We had 27 different versions of (payment-related) software in various forms ... and all kinds of other devices hanging off our systems that would put us within the scope of PCI,” Shetina explained. “We needed to isolate that card data, segment it, and get it out of scope” to reduce PCI-compliance costs and to provide better data security, he said.
McDonald’s simultaneously was preparing to introduce the new McCafe line of specialty coffee products to its stores nationwide, and the variety and scale of new menu items demanded a new order-taking process, Shetina said.
Introducing a new order-and-payment system designed to handle more-complex orders and to accept card payments within new PCI-compliance objectives would solve both problems, McDonald’s determined.
But first the company would need to persuade its 2,200 franchisees, which would have to chip in to pay for the new order-and-payment system, that the related PCI-compliance upgrade was worth it.
“We had to show franchisees that they were getting a business benefit (along with PCI compliance) and that in the long run it would be a good investment,” Shetina said.
By providing certain financial incentives coupled with deadlines encouraging franchisees to take action, McDonald’s adopted the new system over 18 months, which Shetina dubbed “the largest tech deployment in McDonald’s history.”
The company began the transition to the new system slowly by testing and experimenting with the new technology and gradually picked up speed. During the implementation, which the restaurant chain completed within the past year, McDonald’s replaced between five and 30 devices in each of its stores with a few order-and-payment systems designed to adapt to future changes in business processes and payment technology, Shetina said.
Payment card transaction data is now “segmented away” from the order-taking process and stored in the company’s back-office computing environment, thus removing it from PCI-compliance scope. McDonald’s also has added encryption technology to its transaction processing.
“We now have virtually end-to-end encryption throughout our entire transaction flow,” Shetina said.
The fast-food industry appears to have little in common with an international airline, but British Airways faced certain similar dilemmas over the past few years as it moved to secure its payment card data systems and make them PCI-compliant, Philip Morton, information security and compliance manager, told meeting attendees.
“We had the (payment card) data-segmentation debate, and it was very complicated to consider how we would accomplish that,” Morton said. “We finally decided to segment the data, but it was not primarily in order to reduce costs (of PCI compliance)–it was to reduce risk.”
Some analysts advise adopting advanced data encryption and tokenization to reduce the costs of complying with PCI requirements because such technology takes the data out of the scope of PCI audits.
But taking such a narrow approach would limit other data-protection opportunities, Morton suggested.
“If you’re just focusing on (PCI compliance), you’re going to be out of this business,” he said.
British Airways devised a broad data-security strategy that would cover all of its payment card data-protection needs as well as other operations and be flexible enough to adapt to future changes, he said.
Finding the right qualified security assessor, one who understood the airline industry and its far-reaching, complex operations, was a crucial step, Morton said.
Ensuring that executives at every level of the organization understood the importance of payment-data security also was essential in adopting new systems, he said, acknowledging that it is sometimes difficult to obtain the authority and funds needed within an organization to tackle data security on a broad level.
“If you have a card-data breach, your directors will be involved,” Morton said, underscoring the importance of making top managers aware of the seriousness of PCI compliance.
“Getting top management’s attention (to PCI issues) is tricky,” Morton conceded. “Try to get your boss to take you to the meeting with their boss in order to push (attention to PCI compliance) up the chain.”
Another vital piece in securing payment data throughout an organization is determining where the borders are between one’s organization and those of partner companies and subsidiaries, Morton advised.
“Assess third parties and make sure they understand their own PCI responsibilities. Are your subsidiaries doing their own PCI compliance, or is it coming under yours? Get that very clear,” he said.
Despite the urgency to protect card data, organizations seeking PCI compliance must avoid rushing to implement new technology and processes, Morton said.
“Don’t panic, and don’t let vendors pressure you,” he advised.
As an overarching guideline, companies seeking PCI compliance should make sure every executive involved has appropriate PCI training and access to resources they need, Morton said.
“Realize that the threats are real,” Morton said. “Set up your data-security processes so they will last. ... Get it right, and keep it going.”
The variety of companies’ business models makes it difficult to generalize or estimate the difficulty of PCI compliance. But certain factors such as finding creative ways to adapt existing technology to new data-security standards and persuading managers, franchisees and business partners to assume appropriate roles in securing data can cut across diverse types of global businesses.