Stinker Stores Stays Ahead of the Curve With PCI Compliance

By W.B. King - 05/11/2011

JERSEY CITY, N.J. -- Nearly five years ago the Payment Card Industry Security Standards Council (PCI SSC) was launched. Since the regulation applies to all merchants "regardless of size or number of transactions" that accept, transmit or store any cardholder data, c-stores have been required to step up, invest and protect.

Cory Mooney, IT manager with the Idaho-based Stinker Stores, told CSNews Online its PCI compliance initiative began more than three years ago. Until this year, however, the company had instituted its own form of compliance, which was robust and covered all regulations, but was taxing on the IT department and at times difficult to monitor due to changing regulations.

"Three years ago we were out on our own. We were the first to do things like sub-netting. We had a good system in place," Mooney told CSNews Online. "But PCI is a moving target, and we needed a strategic partner."

The impetus for the change to a vendor partner was a new regulation requiring hardware for wireless scanning. "The current hardware we had installed didn't offer any wireless intrusion protection. At that point, we were faced with the task to look for a provider that covered all the bases. We teamed up with Cybera," Mooney explained, adding that the vendor supplies all hardware, which proved to be a tipping point leading to the signing of a yearly contract.

However, with an internal understanding and track record on PCI compliance, Mooney and his team weren't looking for a simple "plug and play" operating system. Instead, they wanted to work with the vendor and share ideas and concepts to determine practices that would best serve Stinker Stores.

"We didn't want to go backwards because we were advanced in our initial set up," Mooney said. "We matched what we had been doing with their device which was beneficial. This wasn't a 'set it and forget' install."

Best Practices
The c-store chain recently added two locations to its now 52-store fleet. Mooney explained that, once the service is installed, the back office, register, Internet and ATM are all connected through it, and that the installation process was quick. Cybera delivers 24x7x365 security and performance, proactive monitoring and management of each store's security solution.

"ROI is hard to determine, but you can look to sub costs with our labor," Mooney explained. "We don't have to handle support or logging anymore which saves a great deal of time. We no longer have a log server on-site."

Although the handling of sensitive customer data can be a concern, Mooney said Cybera doesn't have access to information. "All credit card information is encrypted. Our vendors manage a white list, and we have content filters for online." For example, Stinker Stores has access to only roughly 20 Web sites via the Internet. If there is a breach, the IT department is notified. Additionally, if a customer walks in with a mobile device that is trying to access the Internet, that attempt is also logged for review.

"We aren't a large organization, but coming off implementing our second PCI solution, we jumped through the hoops already, so we knew what we wanted and didn't want to compromise," said Mooney. "The beauty of working with Cybera is that they offer a custom setup, and we were able to step up and write-in a few more rules and the devices are capable of doing that."

Another added benefit of the program is that any new PCI regulations are automatically addressed, removing any guesswork. "I didn't realize that they had an interface for PCI -- it e-mails me all compliance information I need," said Mooney.

In his estimation, while PCI is a "moving target," 90 percent of PCI compliance boils down to good business security practices. "There was a lot of noise on what it required us to do, but when you looked at the nuts and bolts of PCI it is the best practices Fortune 500 companies have been doing for a long time, particularly if you take a look at their infrastructure with regard to firewalls and protecting data," he said. "And it makes it easier to sleep at night."