This article can also be found in the Premium Editorial Download "Information Security magazine: Identity crisis solved: Tips from a top identity management expert."
Download it now to read this article plus other related content.
Getting On Board
Honeybaked Ham's Goldoff says that the company had deployed firewalls at each of its 400 retail, corporate-owned and franchise locations, but had not made use of intrusion detection at every site. "An IDS will tell you you're getting hit, but you'll also get a slew of false positives," he notes.
Keeping PCI requirements in mind, Honeybaked Ham went a step further and purchased Top Layer Networks' IPS, which Goldoff says can "block a lot more sophisticated attacks than our firewall by recognizing certain exploit characteristics."
The company also embarked on an eight-month, company-wide personnel and policy training program related to PCI. "Our HR and operations teams had everybody at the table," he says.
Overall, Goldoff says a number of the items required by PCI "would be considered low-hanging fruit" by IT security personnel, while other items "take concerted effort."
For Accor North America, which operates more than 1,200 hotel properties including Sofitel and Motel 6, PCI was a catalyst for a major data encryption project. PCI compliance--along with assuring customers that the company keeps its information secure--is a priority for Accor.
"What we want to do is make sure that any system we use to store or transmit credit card information has the highest level of encryption we can apply," says Harvey Ewing, Accor's senior director of IT security. "The biggest issue with that is key management."
Ewing agrees that PCI helps win funding from corporate management for security projects. "It's one thing for the security department to let executives know the benefits of encrypting data and how that's going to protect the company," he says. "But when it's reinforced by a standard like PCI, that's a lot of leverage when you're requesting the funds."
This was first published in May 2006