Infosec 2010: Harvey Nichols ensures it is PCI-DSS compliant
But its infrastructure manager said that organisational change has been harder than implementing the technology
With high-profile examples of retail card crime such as that of retailer TJX in mind, Harvey Nichols infrastructure manager Matthew Suddock described compliance with the new PCI-DSS credit card requirements as “very sensible.”
Suddock chaired a keynote session at security conference Infosecurity earlier today.
“Last I heard, TJX had lost $111m as a result of card data theft – with this in mind, retailers of any size can’t afford not to make themselves compliant,” he said.
Harvey Nichols has put a number of measures in place to ensure compliance with the standard, and has been working on them for the past two and a half years.
Suddock said one major change to the company’s processes has been to reduce the "breadth and depth" of card data retained by the company.
For example, the tills now record only truncated card numbers, and the network has been segmented into till, wireless and PC sub-networks, so card data is confined to the till segment and cannot pass from the tills to the wireless network.
Each sub-section of the network is managed separately and has its own firewall.
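The data-minimisation half of that change is easy to get wrong in practice: a till that masks the card number on the receipt but still writes the full PAN to a local transaction log has not reduced anything. The following is an added illustration, not code from Harvey Nichols, The Logic Group or the conference talk, showing what PCI DSS-style truncation looks like (at most the first six and last four digits kept) together with a simple scan that flags Luhn-valid full card numbers left in till logs. The log lines and card numbers are constructed for the example (the PANs are standard publicly documented test numbers).

```python
import re

# PCI DSS allows at most the first six and last four digits of a PAN to
# survive truncation; the digits in between are removed or masked.
KEEP_PREFIX = 6
KEEP_SUFFIX = 4

# Constructed till log lines (not real data). Line 1 and line 4 carry
# properly truncated PANs; lines 2 and 3 leak full card numbers. The
# 13-digit order reference on line 4 fails the Luhn check and is ignored.
SAMPLE_TILL_LOG = [
    "2010-04-27 10:15:03 till=07 sale auth=OK pan=411111******1111 amount=129.00",
    "2010-04-27 10:16:41 till=07 sale auth=OK pan=4111 1111 1111 1111 amount=45.50",
    "2010-04-27 10:17:09 till=12 refund ref=5555555555554444 amount=80.00",
    "2010-04-27 10:18:22 till=12 sale auth=DECLINED pan=522222******2222 order=1234567890123",
]


def luhn_valid(digits: str) -> bool:
    """Luhn checksum; filters out most non-PAN digit runs when scanning logs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def truncate_pan(pan: str, mask_char: str = "*") -> str:
    """Return the PAN with only the first six and last four digits kept.

    Spaces and dashes are stripped first. Inputs that are not plausible
    PANs are rejected rather than silently returned intact, so a caller
    cannot accidentally log an unexpected value untouched.
    """
    digits = re.sub(r"[ -]", "", pan)
    if not digits.isdigit() or not 13 <= len(digits) <= 19:
        raise ValueError("not a plausible PAN")
    middle = len(digits) - KEEP_PREFIX - KEEP_SUFFIX
    return digits[:KEEP_PREFIX] + mask_char * middle + digits[-KEEP_SUFFIX:]


# 13 to 19 digits, optionally separated by single spaces or dashes, and not
# embedded in a longer digit run.
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def find_unmasked_pans(lines):
    """Return (line_number, pan) for every Luhn-valid full PAN in the log lines."""
    hits = []
    for n, line in enumerate(lines, 1):
        for m in PAN_RE.finditer(line):
            digits = re.sub(r"[ -]", "", m.group())
            if luhn_valid(digits):
                hits.append((n, digits))
    return hits


if __name__ == "__main__":
    for n, pan in find_unmasked_pans(SAMPLE_TILL_LOG):
        print(f"line {n}: full PAN found, should have been {truncate_pan(pan)}")
```

The scan is deliberately conservative: the Luhn filter removes most timestamps, order numbers and amounts, but a genuine PAN split across two log fields, or written in a non-decimal encoding, will not be caught, so a clean scan is evidence rather than proof that no cardholder data is stored.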
The company also felt that the credit authorisation process was not compliant and so now outsources this to secure card payment specialist The Logic Group.
Other processes, such as anti-virus and patch compliance on the tills, needed to be tightened up, and the remit of both LANDesk’s patch management and Symantec’s anti-virus has been extended to cover them.
However, Suddock said implementing technology for compliance was easier than changing the culture: “We have had to brief our operations managers and general managers in stores on the fact that dealing with card information is effectively dealing with cash and therefore incredibly sensitive.”
The company has also deployed Juniper products across its networks, including an intrusion prevention system, a secure access solution and a network security management system.