Compliance Campaign
When Maverik Country Stores undertook its Payment Card Industry (PCI) audit last year, it learned there was a lot more to payments security than just passing a test. Maverik failed its first PCI audit and was given three months to totally revamp the security processes related to customer payment information before being retested. A second failure could have resulted in heavy fines.
During those three months Salt Lake City-based Maverik, a chain of 191 convenience stores in seven western states, installed new technology, including a central logging server powered by Post Falls, Idaho-based TriGeo Network Security. In the process, it also learned a good deal about what it takes to protect its customers.
“We were shocked when we failed the first time,” says Darren Sitter, Maverik’s manager of network services. “We found we needed a lot of work.”
Maverik had been using an internally developed, Linux-based logging server that was found to be useless and “out of scope,” Sitter says. “We had to start from scratch and put in a whole new system within three months.”
The TriGeo Security Information Manager system also provides Maverik with access to a lot more information and helps it view data security in a whole new light. “It really opened our eyes by showing us how what we had been doing was wrong and showed us how much more information can be available if you set this up right,” Sitter says.
The TriGeo system provides a series of alerts and reports that allows Maverik to monitor the way its employees and outsiders are accessing and attempting to access customer payment information. Among the features are reports of failed intrusion attempts. “We didn’t have that before,” Sitter says. “If someone attempted to access information who should not have that information, they might not have gotten in, but we didn’t learn about the attempt.”
The system can also take actions that are predefined by alerts established at the store level. For example, if someone plugs in a USB device that is not approved by Maverik, the port is automatically disabled and a record of the attempt is made.
This can sometimes be the result of innocent mistakes, such as when a store was being remodeled and a construction worker used a server to recharge his cell phone. But Maverik now has records of such situations and can look into the matter so that it knows exactly what is going on with the systems that hold its vital databases.
The result has been increased security for the company. “Our original goal was to be in [PCI] compliance, but we realize now there is a lot more information we can receive to improve our security and our operations,” Sitter says.
An important component of the TriGeo system is that it sends alerts and reports that are meaningful. “We’re not looking at millions of pieces of data,” Sitter says. “We have 200 to 300 log-ins a day so we can’t look at every one. This system alerts us to what log-ins are important for us to examine.”
Customized monitoring
The system also examines vendor log-ins and keeps an eye on what data they are seeing. “TriGeo had some canned alerts — things that they knew most retailers would want to watch — but we were also able to predefine our alerts by telling them what we wanted to keep an eye on,” Sitter says.
Enabling the fast turnaround in getting the system operational — and helping Maverik meet the three-month hard deadline — was the fact that TriGeo was able to build an agent compatible with Maverik’s existing IBM AS/400 system. “They have an agent on the market now, but at the time they had to build it special for us,” Sitter says.
The TriGeo Security Information Manager is an appliance that can be installed in a retailer’s existing data center. It monitors all activity related to data security, sends e-mail when suspicious activity is detected and can even shut down servers in extreme circumstances. It also sends regular reports that analyze behavior related to data access.
The TriGeo system looks at where payment data is stored, who has access to that data and where that data is moved, says Michael Maloof, chief technology officer for TriGeo. That includes administering and protecting passwords and verifying that security policies and practices are being followed.
“There is a lot of misunderstanding about Section 10 of the PCI standard with regard to monitoring data,” Maloof says. “You have to be able to demonstrate that you can analyze what is happening with your data, not just pull information together.”
Fraud issues
Too many retailers approach PCI compliance as a list from which requirements need to be checked off, he says, rather than really looking to see whether what they are doing is truly secure.

“You may pass the audit and be certified and that saves you from having to pay fines, but there are other issues to consider,” Maloof says. “If your system is breached, you are liable for all the fraud that can occur. Just passing the audit isn’t enough if you are not completely aware of what is going on within your system.”
The system also can shut down servers if it detects serious patterns of misbehavior. “If the system detects repeated unauthorized efforts to access data or sees that the same person is looking at multiple accounts after hours, it may shut down the machine and page someone,” he says.
Such analysis of behavior patterns is crucial, Maloof says. “Most businesses can aggregate data regarding logons, but they lack the real-time analysis of what is going on with the system.”
Retailers also need to analyze trends across various servers to see if there is a pattern of problems or abuse. “A lot of times you have silos of information so that you can see what is going on within a given server, but you lack the ability to analyze what is happening across the various business lines.”
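The three detection patterns Maloof describes above (repeated unauthorized access attempts, one user viewing multiple accounts after hours, and the need to correlate across servers rather than within one silo) can be shown on constructed log data. The following is an added example written for this page, not TriGeo's or Maverik's code: it merges a syslog-style stream from several hypothetical servers and raises the two alert kinds, then shows why a per-server view of the same data would miss the first of them. The log format, server names, user names, account values and thresholds are all assumptions.

```python
"""Cross-server correlation of payment-system access logs (added example).

Reads a constructed, syslog-style log stream merged from several servers
and raises two kinds of alert: repeated failed access attempts by one user
within a time window, and one user viewing many distinct customer accounts
after hours. Log format, names and thresholds are assumed, not TriGeo's.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed tunables; a real deployment takes these from the retailer's policy.
FAIL_THRESHOLD = 5                  # failures by one user that trigger an alert
FAIL_WINDOW = timedelta(minutes=10) # sliding window for counting failures
AFTER_HOURS = (22, 6)               # 22:00 to 06:00 local time is "after hours"
ACCOUNT_THRESHOLD = 3               # distinct accounts viewed after hours

# Constructed sample log, already merged from three hypothetical servers.
# Format: "<ISO timestamp> <server> <event> key=value ..."
SAMPLE_LOG = """\
2007-03-05T14:01:02 pos-db-01 LOGIN_FAIL user=jsmith
2007-03-05T14:01:40 pos-db-02 LOGIN_FAIL user=jsmith
2007-03-05T14:02:11 pos-db-01 LOGIN_FAIL user=jsmith
2007-03-05T14:02:50 pos-db-03 LOGIN_FAIL user=jsmith
2007-03-05T14:03:05 pos-db-02 LOGIN_FAIL user=jsmith
2007-03-05T14:10:00 pos-db-01 LOGIN_OK user=clerk7
2007-03-05T14:12:00 pos-db-01 VIEW_ACCOUNT user=clerk7 account=4111
2007-03-05T23:15:00 pos-db-01 LOGIN_OK user=vendor_acme
2007-03-05T23:16:10 pos-db-01 VIEW_ACCOUNT user=vendor_acme account=4111
2007-03-05T23:16:45 pos-db-02 VIEW_ACCOUNT user=vendor_acme account=4222
2007-03-05T23:17:30 pos-db-03 VIEW_ACCOUNT user=vendor_acme account=4333
2007-03-06T09:00:00 pos-db-02 LOGIN_FAIL user=clerk7
"""


def parse_line(line):
    """Parse one log line into a dict; return None for blank or malformed lines."""
    parts = line.split()
    if len(parts) < 4:
        return None
    event = {"ts": datetime.fromisoformat(parts[0]),
             "server": parts[1], "event": parts[2]}
    for kv in parts[3:]:                     # remaining fields are key=value
        key, _, value = kv.partition("=")
        event[key] = value
    return event


def is_after_hours(ts, window=AFTER_HOURS):
    """True when the timestamp's hour falls in the after-hours window."""
    start, end = window
    return ts.hour >= start or ts.hour < end


def detect(log_text, fail_threshold=FAIL_THRESHOLD, fail_window=FAIL_WINDOW,
           account_threshold=ACCOUNT_THRESHOLD):
    """Correlate events from all servers; return a list of alert dicts."""
    alerts = []
    failures = defaultdict(deque)           # user -> recent (ts, server) failures
    after_hours_views = defaultdict(dict)   # user -> {account: server}
    fired = set()                           # (kind, user) pairs already alerted
    events = [e for e in map(parse_line, log_text.splitlines()) if e]
    events.sort(key=lambda e: e["ts"])      # servers' logs arrive interleaved

    for e in events:
        user = e.get("user", "?")
        if e["event"] == "LOGIN_FAIL":
            recent = failures[user]
            recent.append((e["ts"], e["server"]))
            while recent and e["ts"] - recent[0][0] > fail_window:
                recent.popleft()            # drop failures outside the window
            if len(recent) >= fail_threshold and ("fail", user) not in fired:
                fired.add(("fail", user))
                alerts.append({"kind": "repeated_failures", "user": user,
                               "count": len(recent),
                               "servers": sorted({s for _, s in recent}),
                               "action": "page on-call"})
        elif e["event"] == "VIEW_ACCOUNT" and is_after_hours(e["ts"]):
            views = after_hours_views[user]
            views[e["account"]] = e["server"]
            if len(views) >= account_threshold and ("acct", user) not in fired:
                fired.add(("acct", user))
                alerts.append({"kind": "after_hours_multi_account", "user": user,
                               "count": len(views),
                               "servers": sorted(set(views.values())),
                               "action": "shut down host and page on-call"})
    return alerts


def per_server_failures(log_text):
    """Failure counts as each server sees them on its own (the 'silo' view)."""
    counts = defaultdict(int)
    for e in filter(None, map(parse_line, log_text.splitlines())):
        if e["event"] == "LOGIN_FAIL":
            counts[(e.get("user"), e["server"])] += 1
    return dict(counts)


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(alert)
    print("max failures any single server sees:",
          max(per_server_failures(SAMPLE_LOG).values()))
```

In the sample data the user jsmith spreads five failures over three servers in two minutes; no single server sees more than two, so a per-server threshold of five never fires, while the merged view fires once and names every server involved. The vendor account trips the after-hours rule on its third distinct account. The `fired` set keeps each rule from re-alerting on every subsequent event, which is the kind of noise control Sitter credits for making the alerts worth reading.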
The TriGeo system is targeted at companies with between 50 and 5,000 employees. Retailers pay an upfront installation fee that starts at $20,000; they then pay 20 percent of that initial fee annually for software licensing and support services.