Preventing Shoes From Dropping
For many mid-market retailers, PCI compliance is the elephant in the room. The standard applies to every organization that processes cardholder data, and organizations at each transaction-volume level must demonstrate compliance annually. Those that do not risk fines and the loss of their ability to process credit card payments with banks and card companies such as MasterCard and Visa.
Therefore, when it comes to PCI compliance, vigilance is the only way to go, according to Chris Spohr, information security officer for Bakers Footwear Group, a St. Louis-based chain with more than 240 locations that sells footwear and accessories for young women.
“The worst-case scenario is what you see in the news where you have a security breach where somebody gets in and gets access to cardholder data and uses that for fraudulent purposes,” Spohr says. “The other side of that is meeting the standards. If you don’t meet them, even if you don’t have a breach, then the card branches will assess you with some fines.”
Technologies do exist for companies to remain on top of their networks by detecting and neutralizing threats. But for retailers without the expansive IT budgets or personnel resources of the major players, determining how to pay for security information and event management (SIEM) can be particularly problematic.
In addition, many organizations must prepare their internal networks to comply with other mandates stemming from federal regulation, including Sarbanes-Oxley, the Health Insurance Portability and Accountability Act, FDIC guidelines and the Gramm-Leach-Bliley Act.
Bakers Footwear maintains a three-person team dedicated to IT security – far fewer than most large retailers. “We try to pay attention to our expenditures and make wise choices,” Spohr says. “You stay diligent in trying to achieve and maintain compliance.”
Centralizing security data
Two years ago, the company determined that it needed to improve the process of centralized logging from its network for SIEM – specifically, enhancing the logging of potential security events from network routers, switches, firewalls and servers in order to gain visibility into possible threats.
Networks can become silos of disparate information. Typically, a server won’t know what is stored in a firewall, or an anti-virus detection program won’t be in sync with what is being captured through a router. Therefore retailers need to have that data centralized, scoured and compartmentalized to determine the sources of threats to the network.
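To make the point about silos concrete, the following script is an added illustration, not code from the article or from Bakers Footwear: it takes records from three device classes (a firewall, a router and a server), normalizes them into one event schema, and then correlates by remote address so that an IP the firewall blocked, the router's access list denied and the server rejected at login shows up as a single finding instead of three unrelated entries in three folders. The log lines are constructed samples loosely modeled on common firewall, Cisco ACL and sshd formats; the regular expressions are assumptions that would be adjusted to the formats a real site actually collects.

```python
"""Toy centralized log normalization and correlation (added illustration)."""
import re
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Event:
    source: str     # device class the record came from (firewall, router, server)
    host: str       # device that emitted the record
    src_ip: str     # remote address involved
    negative: bool  # True for a deny / failed-login outcome


# Constructed sample records; not real data from any retailer.
FIREWALL_LOGS = [
    "2008-03-02T09:14:01 fw01 DENY TCP 203.0.113.5:51522 -> 10.1.0.20:3389",
    "2008-03-02T09:14:03 fw01 DENY TCP 203.0.113.5:51523 -> 10.1.0.20:445",
    "2008-03-02T09:15:10 fw01 ALLOW TCP 198.51.100.7:44100 -> 10.1.0.30:443",
]
ROUTER_LOGS = [
    "Mar  2 09:14:05 rtr-core %SEC-6-IPACCESSLOGP: list 110 denied tcp "
    "203.0.113.5(51524) -> 10.1.0.20(22), 1 packet",
]
SERVER_LOGS = [
    "Mar  2 09:16:22 pos-srv1 sshd[4412]: Failed password for invalid user admin "
    "from 203.0.113.5 port 51530 ssh2",
    "Mar  2 09:16:25 pos-srv1 sshd[4412]: Failed password for invalid user admin "
    "from 203.0.113.5 port 51531 ssh2",
    "Mar  2 09:16:29 pos-srv1 sshd[4415]: Accepted password for jsmith "
    "from 10.1.0.50 port 50001 ssh2",
]

# One pattern per assumed log format; each exposes the same named groups
# (host, action, ip) so every source maps onto the single Event schema.
PARSERS = {
    "firewall": re.compile(
        r"^\S+ (?P<host>\S+) (?P<action>ALLOW|DENY) \S+ (?P<ip>\d+(?:\.\d+){3}):\d+ ->"),
    "router": re.compile(
        r"^\w{3}\s+\d+ [\d:]+ (?P<host>\S+) .*?(?P<action>permitted|denied) \S+ "
        r"(?P<ip>\d+(?:\.\d+){3})\("),
    "server": re.compile(
        r"^\w{3}\s+\d+ [\d:]+ (?P<host>\S+) sshd\[\d+\]: (?P<action>Failed|Accepted) "
        r"password .* from (?P<ip>\d+(?:\.\d+){3}) port"),
}
NEGATIVE_ACTIONS = {"DENY", "denied", "Failed"}


def normalize(source, lines):
    """Parse raw lines from one device class into Event records."""
    pattern = PARSERS[source]
    events = []
    for line in lines:
        m = pattern.search(line)
        if m is None:
            continue  # unrecognized line: skip it rather than stop the collector
        events.append(Event(source, m["host"], m["ip"], m["action"] in NEGATIVE_ACTIONS))
    return events


def correlate(events):
    """Map each remote IP to the device classes that reported a negative outcome for it."""
    seen = defaultdict(set)
    for e in events:
        if e.negative:
            seen[e.src_ip].add(e.source)
    return seen


def find_cross_device_activity(events, min_sources=2):
    """Return IPs with negative outcomes on at least min_sources device classes."""
    return {ip: sorted(srcs) for ip, srcs in correlate(events).items()
            if len(srcs) >= min_sources}


def run_sample():
    """Normalize the constructed samples and correlate them."""
    events = (normalize("firewall", FIREWALL_LOGS)
              + normalize("router", ROUTER_LOGS)
              + normalize("server", SERVER_LOGS))
    return events, find_cross_device_activity(events)


if __name__ == "__main__":
    all_events, findings = run_sample()
    print(f"normalized {len(all_events)} records from {len(PARSERS)} device classes")
    for addr, sources in findings.items():
        print(f"{addr}: negative outcomes reported by {', '.join(sources)}")
```

The design choice worth noting is that each parser is reduced to the same three fields before any analysis happens; the correlation step never needs to know which vendor produced the line. That is what lets a small team review one consolidated view instead of opening each device's logs in turn.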
In 2008, Spohr’s dilemma was finding a solution that would not break the bank or burden his small staff. His budget would not accommodate large-scale “forensic” enterprise solutions that often require additional engineering fees and third-party personnel to customize the technology for individual implementations. What he needed was a device to place on Bakers Footwear’s network that could be up and running quickly and which would assemble all SIEM log data in one place for analysis.
His staff’s manual-based system for reviewing log data was rudimentary and time-consuming — it required opening up various servers and folders individually, a system fraught with unreliability. “When you get a person doing that all the time, you spend a lot of time viewing logs, checking logs, remembering to check logs and recording that you checked logs,” Spohr says.