Whitelisting lets retailers restrict the
applications that can run on their systems
From April 2009
By Liz Parks

It's a little bit like waking up at 3 a.m. and
realizing that an intruder is moving through
your house. Retailers typically feel that kind
of jolt when they discover that someone has
deployed malware in an attempt to capture credit
card data or proprietary information about their
businesses.
As retailers work through becoming compliant
with the PCI Data Security Standard, they are
also addressing other software problems that
affect the bottom line, such as unauthorized
programs that degrade the performance of store
systems.
Such needs led the IT directors of two very
different chains, Ritz Camera Centers and
c-store/travel center operator Road Ranger, to
deploy Parity, a "whitelisting" solution
developed and distributed by Waltham,
Mass.-based Bit9.
Instead of trying to defend against a growing
and ever-changing universe of malware, spyware
and other unwanted applications, Bit9 Parity
takes the opposite approach: it maintains a
"white list" of the applications the customer
has approved, monitors every terminal in the
enterprise, and blocks execution of any program
that is not on that list. Anything unknown is
denied by default, whether or not it has ever
been identified as malicious.
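The default-deny mechanism described above, as an added example rather than Bit9's own code: a small hash-based allowlist that decides whether an attempted execution is permitted. It goes slightly beyond the paragraph by also pinning a single approved build of each application and refusing to launch anything from removable media, the two controls the retailers quoted later in the article single out. The "binaries", paths, drive letters and mount points are constructed for the example; a real agent would hash the bytes of the file on disk and hook process creation in the operating system.

```python
import hashlib
from dataclasses import dataclass

# Constructed stand-ins for executables.  A real agent hashes the bytes of
# the file on disk; short byte strings keep the example offline-runnable.
POS_V2_1 = b"POS register application, build 2.1"
POS_V2_2 = b"POS register application, build 2.2"
KIOSK_IMPORT = b"photo kiosk image importer, build 1.0"
ROGUE_TOOL = b"memory-scraping tool nobody approved"


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Approved catalogue keyed by content hash, never by filename or path.
# Pinning one build per application gives version control for free:
# any other build of pos.exe has a different hash and is refused.
APPROVED = {
    sha256_hex(POS_V2_2): "pos.exe (build 2.2)",
    sha256_hex(KIOSK_IMPORT): "kiosk_import.exe (build 1.0)",
}
APPROVED_NAMES = {label.split()[0] for label in APPROVED.values()}

# Assumed mount points for removable media (drive letters / mount dirs).
REMOVABLE_ROOTS = ("E:\\", "F:\\", "/media/", "/mnt/usb/")


@dataclass
class ExecEvent:
    path: str       # where the binary was launched from
    content: bytes  # what was actually on disk at that path


def basename(path: str) -> str:
    return path.replace("\\", "/").rsplit("/", 1)[-1]


def evaluate_by_name(event: ExecEvent) -> str:
    """The weak form: trust the filename.  Shown only as a contrast."""
    return "allow" if basename(event.path) in APPROVED_NAMES else "block"


def evaluate(event: ExecEvent) -> tuple[str, str]:
    """Hash-based verdict: ("allow" | "block", human-readable reason)."""
    if event.path.startswith(REMOVABLE_ROOTS):
        # Device control: nothing launches from a flash drive, even a
        # binary whose hash happens to be approved.
        return "block", f"execution from removable media: {event.path}"
    digest = sha256_hex(event.content)
    if digest in APPROVED:
        return "allow", APPROVED[digest]
    name = basename(event.path)
    if name in APPROVED_NAMES:
        # Right name, wrong bytes: an unapproved build or a renamed file.
        return "block", f"{name} hash {digest[:12]}... not approved (wrong version or tampered)"
    return "block", f"unknown binary {name} hash {digest[:12]}..."


SAMPLE_EVENTS = [  # constructed execution attempts
    ExecEvent(r"C:\POS\pos.exe", POS_V2_2),            # the approved build
    ExecEvent(r"C:\POS\pos.exe", POS_V2_1),            # an older build
    ExecEvent(r"C:\Temp\pos.exe", ROGUE_TOOL),         # malware renamed to pos.exe
    ExecEvent(r"E:\pos.exe", POS_V2_2),                # approved bytes, but from a flash drive
    ExecEvent(r"C:\Users\Public\svc.exe", ROGUE_TOOL), # never seen before
]


def run_sample() -> list[tuple[str, str, str]]:
    """Return (path, name-based verdict, hash-based verdict) per event."""
    return [(e.path, evaluate_by_name(e), evaluate(e)[0]) for e in SAMPLE_EVENTS]


if __name__ == "__main__":
    for path, by_name, by_hash in run_sample():
        print(f"{path:<28} name-only: {by_name:<6} hash+device: {by_hash}")
```

The contrast is the point: a filename-based list waves through a renamed tool and a stale build, while the hash-based list blocks both and only ever allows the exact bytes that were approved. An operational allowlist also needs an update path (a new build is approved by adding its hash, not by relaxing the rule), which is where the "version control" the retailers describe actually lives.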
Mark Krysinski, director of infrastructure and
the chief security officer for Beltsville,
Md.-based Ritz Camera Centers, says Parity gives
the 800-store chain centralized control over its
systems in the field. Ritz Camera also uses
Parity to reduce system performance overhead.
Parity takes a very small amount of processing
power, "especially compared to some antivirus
scans which have a high CPU intensity," he says.
"It has less memory requirements. It gives us
the ability to lock down peripheral drives,
CD-ROMs, printers, etc.
"It also gives us version control on our
applications so we only run the software version
that we want to run on all our systems," he
says.
Ritz Camera was especially vulnerable to the
risks of unwanted software because its customers
bring in images from their cameras, camcorders
and various storage devices that must be
downloaded onto the chain's digital imaging
terminals.
"Those store-level systems are tied into our
network," Krysinski says, "so even though we
have a firewall, it is still possible that
viruses could be injected into our system."
Parity gives Ritz Camera read/write/execute
control over flash drives and all USB ports, "so
someone can't just launch an application that
isn't pre-approved and deemed viable," he says.
"We haven't gotten any virus [and] have not
needed to rebuild our system in any way, since
we deployed Parity."
This has resulted in "a significant improvement
in our workflow processes, much less downtime
and much fewer man-hours spent on fixing systems
that went down because they were consuming
system resources by running unauthorized
software. We now have much better control of our
distributed environment."
Ritz Camera has also reduced its IT field-level
support staff's work time by almost 40 man-hours
a week chain-wide, "and that does not include
travel time," Krysinski says.

Terminal vulnerability
Jeremie Myhren, senior director of IT for
Rockford, Ill.-based Road Ranger, was concerned
that USB ports on the POS terminals at its 88
locations were vulnerable to a data security
attack.
Someone "could put a malicious application on a
flash drive, stick it in the back of one of our
registers and the cashier probably wouldn't
notice," he says. "We have high-volume
convenience stores and truck stops with people
in and out all day. It wouldn't be unusual for
someone to linger by the cash register and for a
cashier not to notice what they might be doing."
Not long after Road Ranger deployed Parity in
December 2008, someone did precisely that.
"We got an alert that someone had put a flash
drive in a POS in a store … and had copied files
onto the drive," Myhren says. "We immediately
started an investigation and it turned out that
it was one of our own service techs
troubleshooting a problem, but that … could have
been an attack on our systems [that] we never
would have known about so quickly without
Parity."
Thirty-five percent of the roughly 500 data
breaches investigated over the previous four
years were at retailers, according to the 2008
Verizon Business Data Breach Investigations
Report, and research from Gartner finds that
more than half of all data breaches at retailers
come through their POS systems.
Better than a list
Patrick Morley, CEO of Bit9, says that making a
list of identified viruses to keep out of POS
and other data systems is "not practical because
the list would be very long and new viruses
would always be evolving.
"And a lot of these viruses are being developed
by people who commit organized retail crime," he
says.
By utilizing Parity, "I am more confident that
someone with criminal intent, whether a
tech-savvy store employee or a customer, cannot
break down the security systems we put in
place," Myhren says.
At press time, Ritz Camera was planning to
deploy a new POS system running the Parity
application and was also considering deploying
it on its corporate systems. How these plans
will be impacted by the company's Chapter 11
bankruptcy proceedings – the chain intends to
sell half of its stores by this month – is
unclear.
Myhren and Krysinski both say that generating
ROI within a specific timeframe was not the most
important consideration in deciding to deploy
Parity. It "is more of an insurance policy than
something we needed a quick ROI from," Myhren
says. The application offers "the potential to
save us a fortune and the potential to keep us
in business if we ever have a security breach."