Retailers learn solutions to challenges of computer security

Visa USA, Inc., and MasterCard International, Inc., set new standards to protect consumer information

Published: January 3, 2006

Like many retailers, Jon Harris groaned when he learned about the new standards imposed by Visa USA, Inc., and MasterCard International, Inc., to protect consumer information.

"It horrified retailers who thought they'd have to spend a lot of money if they weren't up to standard," says Jon Harris, the IT security director of the Compass Group, one of the world's leading food service companies.

Historically, retailers haven't made security issues a high priority, partly because security enhancements are often expensive and don't have a high return on investment. Many retailers haven't invested a great deal in information technology.

Knowing he had a number of computer security-enhancement measures already in place, Harris first questioned his team about what to do and how to begin.

Security audit—the first step in complying with new rules

The Compass Group provides food, vending, and other services to hospitals, stadiums, corporations, airports, colleges, and restaurants. The UK-based company generates sales of more than $21 billion from its operations in 90 countries. Jon Harris handles security issues for the company's U.S.-based operations headquartered in Charlotte, N.C.

"When our customers purchase food, a lot of them use a credit card," Harris says. "We want to make sure those transactions are as secure as possible."

The Payment Card Industry Data Security Standard (PCI DSS) requires merchants to use firewalls, message encryption, computer access controls, and antivirus software to help deter computer hacking and consumer information theft. It also requires retailers to conduct security audits and monitor their networks and forbids the use of default passwords. Retailers, banks, and third-party payment processors face fines—up to $500,000 US per incident—if consumer information is compromised.

Because Compass Group USA runs many Microsoft Windows operating system-based networks, Harris liaised with Chris Jewell, a Microsoft retail industry solution specialist, to see what recommendations the company has for retailers.

Jewell and Hayan Ortega, a Microsoft industry solutions specialist, just finished creating a white paper with recommendations to help merchants enhance security at their retail stores.

Overall, retailers should take a multilayered approach to security, according to Jewell and Ortega. They say merchants need to secure their data, their networks, and their entire systems. And merchants shouldn't rely only on the built-in security provided by software partners. For example, a point of sale (POS) terminal with its own encryption doesn't protect an entire network. Also, retailers should begin with a good audit of their security systems.

"[An audit] is a very useful reference document that we used to review our environment and drill down to specific areas where we needed to bolster security," Harris says. "Many retailers will find the guidance useful and will be able to implement pieces regardless of their current setup."

Compass Group enhances wireless security with Active Directory

After reviewing the recommendations, Harris and his team set up a plan to reinforce the wireless security of the company's POS terminals.

"In airports, we can't always run cables so we needed to figure out how we can secure our wireless network and still meet our business demands," Harris says. "That's where the information on Active Directory was useful. We're in the early design stages right now."

Microsoft Active Directory directory service enables companies to centrally manage and share information about network resources and users while acting as the central authority for network security. It's a crucial part of the Microsoft Windows Server 2003 operating system architecture. Active Directory is a consolidation point for isolating, migrating, centrally managing, and reducing a company's numerous directories.

"Generally speaking, security isn't front and center or seen as a strategic initiative [for retailers]," Harris says. "But there's been a huge shift of focus since credit card companies imposed standards and penalties."


M. Sharon Baker is a freelance writer who has covered technology and business since 1987. After 15 years as a business reporter for several newspapers, Sharon now helps companies with their marketing while continuing to write for various publications.


