15 Mar 2011
Manchester-based arts centre The Lowry is looking to procure a tokenisation system to ensure it becomes fully PCI-DSS compliant.
The process of becoming compliant with the security standard will have taken four years in total and should be completed by the end of this year.
The tokenisation system will give The Lowry a token, a surrogate number that stands in for a customer's card details, so that the card details themselves are never stored on the centre's premises. Instead, they will be held by an external token provider such as Yes Pay, and the centre keeps only the token.
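As an added illustration of the mechanism the article describes (example code, not anything from The Lowry, Yes Pay or the article), the sketch below separates the two roles: a hypothetical token vault that holds the card numbers, and a merchant ticketing system that only ever stores the token. Tokens are format-preserving (same length, last four digits kept for receipts) but are generated so they never pass the Luhn check, so a token can never be mistaken for, or misused as, a live card number. The `TokenVault` and `MerchantTicketing` names are assumptions, and the card number used is the well-known constructed Visa test number, not a real card.

```python
"""Tokenisation in miniature: the merchant keeps tokens, an external vault keeps the PANs."""
import hashlib
import hmac
import secrets


def luhn_valid(number: str) -> bool:
    """True if the digit string passes the Luhn checksum used by payment card numbers."""
    if not number.isdigit() or len(number) < 12:
        return False
    total = 0
    for i, ch in enumerate(reversed(number)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


class TokenVault:
    """Hypothetical external token provider (assumption, stands in for a service such as Yes Pay)."""

    def __init__(self, index_key: bytes):
        # Keyed index: a dump of the index alone cannot be brute-forced back to PANs offline.
        self._index_key = index_key
        self._token_to_pan: dict[str, str] = {}
        self._index_to_token: dict[str, str] = {}

    def _index(self, pan: str) -> str:
        return hmac.new(self._index_key, pan.encode(), hashlib.sha256).hexdigest()

    def tokenize(self, pan: str) -> str:
        """Return a token for the PAN, minting a new one only for cards not seen before."""
        pan = pan.replace(" ", "")
        if not luhn_valid(pan):
            raise ValueError("not a valid card number")
        idx = self._index(pan)
        if idx in self._index_to_token:
            return self._index_to_token[idx]   # same card -> same token, so repeat customers match
        while True:
            # Format-preserving: same length as the PAN, last four digits kept for receipts.
            body = "".join(str(secrets.randbelow(10)) for _ in range(len(pan) - 4))
            token = body + pan[-4:]
            # A token must never look like a live card number: reject Luhn-valid candidates.
            if token != pan and not luhn_valid(token) and token not in self._token_to_pan:
                break
        self._token_to_pan[token] = pan
        self._index_to_token[idx] = token
        return token

    def detokenize(self, token: str) -> str:
        """Only the vault can map a token back to a PAN; the merchant never calls this."""
        return self._token_to_pan[token]


class MerchantTicketing:
    """What stays on the merchant's premises: tokens and the last four digits only."""

    def __init__(self, vault: TokenVault):
        self._vault = vault
        self.orders: list[dict[str, str]] = []

    def take_payment(self, customer: str, pan: str) -> str:
        token = self._vault.tokenize(pan)
        self._record({"customer": customer, "token": token, "last4": token[-4:]})
        return token

    def _record(self, order: dict[str, str]) -> None:
        # Guard against a PAN leaking into local storage by any code path.
        for value in order.values():
            if luhn_valid(value.replace(" ", "")):
                raise RuntimeError("refusing to store what looks like a card number")
        self.orders.append(order)


def demo() -> dict:
    """Run the flow once with a constructed test card number and return the pieces for inspection."""
    vault = TokenVault(secrets.token_bytes(32))
    merchant = MerchantTicketing(vault)
    t1 = merchant.take_payment("alice", "4111 1111 1111 1111")  # constructed Visa test PAN, not a real card
    t2 = merchant.take_payment("alice", "4111111111111111")     # same card again -> same token
    return {"vault": vault, "merchant": merchant, "t1": t1, "t2": t2}
```

The point a QSA would press on is the last class: after the change, nothing the merchant persists passes a card-number check, which is what takes the local systems out of scope for storing cardholder data. The vault, not the merchant, carries the cardholder-data environment.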
The centre has to make this final move because it is reliant on a web developer, Scottish company Web Advertising, for its web ticketing system and Web Advertising's platform is not PCI-compliant.
This is the last in a series of steps the IT department has had to take to ensure compliance.
The centre started by segmenting its network and ring-fencing its core databases. It has implemented four firewalls, one for each part of the network: the first sits around the externally hosted web servers, two protect the internal network and one protects the ticketing servers.
Access or attempted access to each of these firewalls needed to be logged and the centre implemented LogLogic's software at a cost of £23,000 to perform this role.
Darren Mullin, IT manager at The Lowry, explained that the centre could have taken up a free solution from KiwiSysLog but that to manage the software, connect it to devices and ensure that the logs were stored for the necessary three months would have required it to employ another member of staff.
The LogLogic software records dips and increases in activity and as Mullin explained, this helps his IT team to monitor the network.
The centre is currently integrating the solution with its recently installed SAN, which Mullin said is technically relatively easy but will require changes to the IT department's change control policy.
Such a shame when organisations waste money like this. 23,000 GBP to report from 4 firewalls?! That is silly and shows that PCI DSS compliance has been completely misunderstood. Mr Mullins please call any good QSA organisation for some advice.
What does their new SAN environment have to do with the rest of the article?
Also not sure that Web Advertising will be so pleased with the article :)
Incidentally, the retention requirements are one (1) year with the months immediately available online.
Posted by: Mr Think 15 Mar 2011