Loss Prevention

PCI Makeover

Regis uses compliance mandate to improve, expand data security

Retailers have long paid attention to securing customer data. Still, when the PCI Data Security Standard was published a few years back, they recognized the need to ratchet up their commitment and refocus their energies on protecting cardholder data everywhere it is stored, processed or transmitted.

That’s what happened at Minneapolis-based Regis Corp., owner and operator of more than 12,800 salons worldwide. Prior to June 2007, Regis did not use encryption to secure credit card information collected at its stores and held in its central database. The Payment Card Industry Data Security Standard (PCI DSS), maintained by the PCI Security Standards Council, requires merchants to render stored primary account numbers unreadable, which can be done through truncation, tokenization or strong encryption.

“We felt we already had good data access controls,” says Bernie Rominski, IT security officer for Regis. “We had strong firewalls; we removed information from our files when we no longer needed it and we truncated card information on our receipts. But with PCI DSS, we were driven to look at strong encryption technology.”

Once the company implemented nuBridges Protect, an encryption, unified key management and format-preserving tokenization product developed by Atlanta-based nuBridges, Regis began to look at ways encryption could help protect other data.
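The article does not describe how nuBridges Protect or Regis implement tokenization, so the following is an added illustration written for this page, not the product's or Regis's code. It shows the idea behind format-preserving tokenization with a token vault: the card number (PAN) is replaced by a random token of the same length that keeps the last four digits and still passes the Luhn check, so downstream systems that validate card numbers keep working while the real PAN lives only in the vault. It also shows the receipt truncation the article mentions. The `TokenVault` class, the helper names and the well-known Visa test number `4111111111111111` are assumptions of this example; it uses only the Python standard library.

```python
"""Added illustration (not nuBridges Protect or Regis code): a token vault that
replaces a card number (PAN) with a format-preserving token, plus receipt
truncation. Standard library only."""
import secrets
from typing import Dict

DIGITS = "0123456789"


def luhn_valid(number: str) -> bool:
    """Luhn mod-10 check used by card numbers: double every second digit from the right."""
    if not number.isdigit() or not 13 <= len(number) <= 19:
        return False
    total = 0
    for i, ch in enumerate(reversed(number)):
        d = int(ch)
        if i % 2 == 1:                      # positions 1, 3, 5 ... from the right are doubled
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def _luhn_fixup(digits: str, position: int) -> str:
    """Change the digit at `position` so the whole string passes Luhn.
    Exactly one digit value works for any position, so this always succeeds."""
    for d in DIGITS:
        candidate = digits[:position] + d + digits[position + 1:]
        if luhn_valid(candidate):
            return candidate
    raise AssertionError("unreachable: some digit always satisfies Luhn")


class TokenVault:
    """Random (non-mathematical) tokenization: the token carries no information
    about the PAN; the mapping exists only in the vault, which is therefore the
    sensitive store and must itself be encrypted, access-controlled and audited."""

    def __init__(self) -> None:
        self._pan_to_token: Dict[str, str] = {}
        self._token_to_pan: Dict[str, str] = {}

    def tokenize(self, pan: str) -> str:
        if not luhn_valid(pan):
            raise ValueError("refusing to tokenize an invalid PAN")
        if pan in self._pan_to_token:           # deterministic: same PAN, same token
            return self._pan_to_token[pan]
        while True:
            # Keep the last four digits (receipts, customer lookups), randomise the
            # rest with a CSPRNG, then repair the first digit so the token is
            # Luhn-valid and passes the same input validation as a real card number.
            body = "".join(secrets.choice(DIGITS) for _ in range(len(pan) - 4))
            token = _luhn_fixup(body + pan[-4:], 0)
            if token != pan and token not in self._token_to_pan:   # avoid collisions
                break
        self._pan_to_token[pan] = token
        self._token_to_pan[token] = pan
        return token

    def detokenize(self, token: str) -> str:
        """Only the payment path that truly needs the PAN should be allowed to call this."""
        return self._token_to_pan[token]


def receipt_mask(number: str) -> str:
    """Truncate for printed receipts: show the last four digits only."""
    return "*" * (len(number) - 4) + number[-4:]


if __name__ == "__main__":
    vault = TokenVault()
    pan = "4111111111111111"                  # well-known test number, not a real card
    tok = vault.tokenize(pan)
    print("token:", tok, "luhn ok:", luhn_valid(tok))
    print("receipt:", receipt_mask(tok), "round trip:", vault.detokenize(tok) == pan)
```

Because these tokens are Luhn-valid digit strings, one could in principle coincide with a real card number belonging to someone else; production schemes often reserve a token prefix that no issuer uses, or deliberately make tokens fail Luhn, so a token can never be mistaken for a PAN. Either way the security of the scheme rests entirely on who can reach `detokenize`, not on the token itself.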

Regis chose the nuBridges software because it was compatible with both its IBM back-office applications and its Windows-based POS system.

In deciding what data to encrypt, however, Regis had to establish some priorities. “Our card data had the highest profile and was the top priority so we had to attack it first,” Rominski says. “We knew we had to be compliant with PCI DSS or face fees or high interchange rates or not be able to accept cards at all.”

By early 2008, Regis had encrypted all its card “data at rest” — the data that stayed in its central database. It then turned its attention to “data in transit” — information sent between store POS and back-office applications. There, Regis decided to go beyond what was merely required and aim for a higher level of security.

Cardholder data transferred to business partners over a private network did not have to be encrypted under the standard, but data that traveled over the Internet, an open public network, did require the added layer of protection that encryption provides. Once it felt it had its customer payment information secured, Regis looked at sensitive data beyond credit and debit card numbers.

On the financial side, bills and ACH payment data were reviewed. For example, the back-office application stored bank account information from trading partners. PCI DSS does not cover this data, but state breach notification laws do, and most of them exempt properly encrypted data from notification; Regis felt it could leverage the investment it had made in payment card encryption to satisfy these other mandates.

Additionally, employee data, such as that used to handle payroll, looked to be a good candidate for encryption. With 100,000 corporate employees, there was concern that an outsider who broke into the system could commit identity theft or obtain the employee bank account and routing numbers used for direct deposits.