Spurs aiming for the goal of PCI card security compliance

Tottenham Hotspur hopes to avoid penalties by meeting 1 October deadline

Spurs' planned 58,000-seater stadium needs all the credit card transactions possible

Premier League football club Tottenham Hotspur has a critical short-term goal to achieve - other than trying to remain near the top of the table.

The club is racing against an October deadline to roll out compliance with the payment card industry's data security standard (PCI DSS).

Spurs processes 700,000 credit card transactions a year, and a planned new 58,000-seater stadium, up from 36,000 seats, is expected to increase the number of credit card transactions significantly.

Currently, many of its match ticket and merchandise payments are made by credit card, and Tottenham’s four-strong IT team found itself having to keep up with the demands of PCI DSS.

Mail order sales make up half the merchandising business, although the club's popularity with longstanding fans makes ticket sales less of a worry.

"The ticketing side is less of an issue because 22,000 out of 36,000 are season tickets, and that's a single sale," said Tottenham Hotspur’s IT and telecommunications manager, Philip Rose.

But it soon became apparent that delivering PCI DSS was about more than just credit card security.

"When PCI raised its ugly head, one of the gaps that our quality service assurance found was that we did not have any structure here for incident management, which is one of the planks of PCI compliance," he said.

Rose said that Spurs had been using Numara Track-It software for its helpdesk, but wanted the supplier to add hardware and software asset management to the package, as well as change and incident management. When Numara bought rival UniPress in 2006, that opened up an opportunity to upgrade to the firm's FootPrints application to assist in the compliance process.

"Numara gave us a very good deal, because we were trading up, and another important point was that it was IT Infrastructure Library (ITIL) compliant," said Rose.

The change of software required Spurs' IT department to migrate its data from one package to the other.

"It's now in place and we have the incident management up and running, with full alerting in place, and we also have a dedicated helpdesk type of email where users can log emails straight into the system," said Rose.

Spurs also uses Centennial Software for asset management.

Rose said that when Spurs' IT department became aware of the PCI initiative, he knew that there would have to be big changes in the IT infrastructure.

"We also have to take on board the security management that you see in banks and financial institutions," he said.

Spurs has recently completed its second annual penetration test, and time is tight to achieve PCI compliance.

"Our banks are thumping the desk and saying it's do-or-die by 1 October," said Rose.

One of the problems for Spurs was that its application providers "are a little bit behind the ball", according to Rose. Some of the club's ticketing and software suppliers have found PCI "hard to swallow", he said.

"You're looking at very big legacy software designed in the US, which has a lot of code to be checked," said Rose.

"PCI for us is quite crucial. It's not so much that we could have a breach, it's more the brand damage that our board wants to steer clear of. You only have to look at those firms who have been breached. Small companies who have a breach are either going to get fined out of business or they won't be able to continue trading online, and if you're a mail order business that's the end of the road."

Spurs has managed to change most of its network infrastructure, network monitoring and security, but still has work to do.

"We're not quite there yet, but we've assured the bank that everything we're responsible for will pretty much be in place for 1 October," said Rose.