
Posts Categorized Under "RETAIL"

Grocery Outlet Uses GoAnywhere to Automate File Transfers

When your network of retail locations expands, how do you keep up with all the data that needs to be exchanged between stores, vendors, and other trading partners? At some point, the only solution becomes to automate file transfers. See how Grocery Outlet made the transition with GoAnywhere.

 


Grocery Outlet is a family-owned company established to provide inexpensive groceries to its customers. It's now the largest deep-discount grocery store chain in America, with more than 200 stores in seven states. Many of these stores are owned and operated by local families to serve their neighborhood's needs, and the company keeps growing.

Between sharing data with store owners and communicating with vendors, Grocery Outlet exchanges more than 30,000 files every day. Steve Tuscher, the Director of IT, realized that having his staff write manual scripts for these file exchanges was time-consuming enough, but tracking down and fixing problems when files didn't arrive at their intended destinations was the last straw.

He began looking for a solution that would automate file transfers and provide better error reporting, and after discovering some high-priced options, he decided to take a look at GoAnywhere.

"We quickly replaced all of our internal FTP scripts and within a couple of months, we'd transformed our data delivery across all of our business partners and all our internal systems with GoAnywhere," Tuscher said. "We were surprised that we were able to do that as quickly and easily as we did."

To hear more about Grocery Outlet's success with GoAnywhere, and to find out which feature the team found most valuable in transforming the way they managed their workflows, be sure to watch the video. You can also read the transcript here.


PCI DSS 2.0

According to a survey of 155 Qualified Security Assessors (QSAs) conducted by the Ponemon Institute, 60 percent of retailers lack the budgets to be fully compliant with the PCI DSS standards. As an example, the annual audit cost for a major retailer can be as high as $225,000.

According to the Ponemon Institute survey, restricting access to card data on a "need-to-know basis" (PCI DSS Requirement #7) is still the most important PCI DSS requirement, but also the most difficult to achieve. QSAs reported that the three most common business reasons for storing cardholder data are:

  • Handling charge-backs
  • Providing customer service
  • Processing recurring subscriptions

To service these customers' requirements, the credit card data must still be available to the various software applications. These industry processes require merchants to implement methods of protecting cardholders from theft.

Encryption the Best Technology

QSAs find the most significant threats to cardholder data are in merchant networks and databases. They believe firewalls, encryption for data at rest, and encryption for data in motion are the top three most effective technologies for achieving compliance.

Sixty percent of QSAs believe encryption is the best means to protect card data end-to-end. Forty-one percent of QSAs say that controlling access to encryption keys is the most difficult management task their clients face.

Getting a Handle on PCI DSS Issues

So what's the best way to both satisfy the requirements of PCI DSS and still make secured data transparent to applications? The strategy QSAs recommend is to lock down the cardholder data with technologies that:

  1. Restrict the access
  2. Encrypt the data
  3. Manage and control the encryption keys

These recommendations point to a need to make encryption and encryption-key access an integral part of the overall information system.

But too many organizations use ad hoc encryption/decryption utilities that slow processing and often leave decrypted data in the open. In addition, without any integrated encryption key management process, there is really no security at all. Unsecured encryption keys, just like data, can be lost, stolen, and misused. Access to those keys should be managed as an integral part of the overall security of the operating system.

The point is that the QSAs' three recommendations go beyond the basic requirements of the PCI DSS standard to actually secure the credit card data at the host, and to ensure that the data isn't misused while it is at rest or being transferred.

Linoma Software's data encryption suite Crypto Complete successfully addresses these QSA PCI requirements by providing data encryption and key management services that can be integrated seamlessly with IBM i (iSeries) applications.

Building on PCI DSS V2

Industry security analysts will still complain that PCI DSS needs to be a real security standard aimed at protecting cardholder data, but Version 2.0 doesn't provide that value. Consequently, we need to analyze what the QSAs are recommending, and then build on PCI DSS Version 2.0 to implement the best possible data security for our customers' credit card data.