Case Study

PCI compliance by creating network segmentation across 3500 stores nationwide

Company

The Co-operative Group

Industry

Retail

Overview

The UK’s largest mutual retailer

The Co-operative Group is the UK’s largest mutual retailer. It is the fifth largest food retailer, the third largest retail pharmacy chain, the number one provider of funeral services, and the largest independent travel business. It also has strong market positions in banking and insurance. The Group employs 110,000 people and has around 4,900 retail outlets. In March 2009 Somerfield joined The Co-operative Group. Somerfield was a high street supermarket with 900 stores in many high street locations throughout the UK.

Challenge

The Co-operative Group (including the TCG Food stores, Somerfield stores, and Pharmacy business) processes almost 200 million credit and debit card transactions per year, from a store estate of almost 3,500 stores.

The Payment Card Industry (PCI) Data Security Standard (DSS) was developed to encourage and enhance cardholder data security and to facilitate the broad adoption of consistent data security measures globally. The standard requires retailers that process large volumes of credit/debit cardholder data to be PCI DSS compliant. The Co-operative Group therefore deemed it necessary to review how devices in its store environment were segmented, as a means of protecting cardholder data, in order to work towards PCI compliance.

Segmenting store systems such as tills and guest wireless onto functional VLANs to protect cardholder data would require every endpoint to be re-addressed, because each VLAN needs its own IP subnet. The financial implications of doing this across the 2,800 food stores alone were almost cost prohibitive.

Solution

Kerv Connect’s experience in understanding the business needs and processes required at the infrastructure layer to achieve PCI compliance had been through working with other customers in the retail sector. In particular Kerv Connect was familiar with the challenges, complexity and cost when network segmentation was introduced into a store environment.

Although network segmentation is not itself a PCI DSS requirement, it is the recognised mechanism for reducing the scope, cost and difficulty of implementing and maintaining PCI DSS controls. Without network segmentation, the entire store network would fall within scope of the assessment.

Kerv Connect’s solution for achieving network segmentation, and consequently isolating cardholder data, was to implement a small firewall with security zones in each store. The stateful firewall filters traffic in transparent mode: it bridges traffic at layer 2 rather than routing it, so it can restrict access between defined security zones according to policy without any endpoint having to be re-addressed. The security zones and policy definitions were designed specifically to align with the PCI DSS requirements, de-scoping a large part of the store environment including the wireless infrastructure. Note that de-scoping by segmentation only holds if the segmentation is verified; PCI DSS requires penetration testing to confirm that the controls actually isolate the cardholder data environment from out-of-scope systems.
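How a bridged zone firewall enforces segmentation without touching endpoint addressing, written as an added model for this page (it is not Kerv Connect's appliance configuration or the Co-op's policy): zone membership is bound to the physical port, not the IP address; the policy is a store-independent template that can be pushed to every site unchanged; and a state table lets replies to permitted flows back through. The addresses, port-to-zone mapping, bridge table, policy rules and sample flows are all constructed for illustration.

```python
"""Model of a transparent (bridged, layer-2) zone-based stateful firewall.

Added example for this page; not Kerv Connect's or the Co-op's configuration.
Zone names, addresses, the bridge table, the policy template and the sample
flows are all constructed.
"""
from dataclasses import dataclass

# Zone membership comes from the physical port a frame arrives on or leaves
# by, never from its IP address. That is what lets a bridged firewall
# segment endpoints that share one flat subnet without re-addressing them.
PORT_TO_ZONE = {
    "eth0": "WAN",    # store router towards payment gateway and HQ
    "eth1": "CDE",    # tills and PIN pads (cardholder data environment)
    "eth2": "STORE",  # back-office server, stock-control handhelds
    "eth3": "GUEST",  # guest wireless access point
}

# Learned bridge table (host -> port). Every host stays in 10.10.1.0/24,
# exactly as it was before the firewall was inserted. Constructed values.
BRIDGE_TABLE = {
    "10.10.1.1": "eth0",   # store router
    "10.10.1.20": "eth1",  # till 1
    "10.10.1.21": "eth1",  # till 2
    "10.10.1.50": "eth2",  # back-office server
    "10.10.1.90": "eth3",  # guest wireless client
}

@dataclass(frozen=True)
class Flow:
    src_ip: str
    sport: int
    dst_ip: str
    dport: int
    proto: str = "tcp"

@dataclass(frozen=True)
class Rule:
    src_zone: str
    dst_zone: str
    proto: str
    dports: frozenset  # empty set means any destination port

# Template policy, identical in every store; only BRIDGE_TABLE is per-site.
# Anything not listed is dropped (default deny), so no GUEST -> CDE path
# exists and CDE can only talk to the WAN on TCP/443.
POLICY_TEMPLATE = (
    Rule("CDE", "WAN", "tcp", frozenset({443})),        # till -> payment gateway, TLS only
    Rule("STORE", "WAN", "tcp", frozenset({443})),      # back office -> HQ
    Rule("GUEST", "WAN", "tcp", frozenset({80, 443})),  # guest web browsing only
    Rule("STORE", "CDE", "tcp", frozenset({22})),       # till administration from back office
)

class TransparentFirewall:
    def __init__(self, port_to_zone, bridge_table, policy):
        self.port_to_zone = port_to_zone
        self.bridge_table = bridge_table
        self.policy = policy
        self.state = set()  # 5-tuples of flows already permitted by policy

    def zone_of(self, ip):
        port = self.bridge_table.get(ip)
        return self.port_to_zone.get(port, "UNKNOWN")

    def _policy_allows(self, src_zone, dst_zone, flow):
        for r in self.policy:
            if ((r.src_zone, r.dst_zone, r.proto) == (src_zone, dst_zone, flow.proto)
                    and (not r.dports or flow.dport in r.dports)):
                return True
        return False

    def filter(self, flow):
        """Return ("ALLOW" | "DROP", reason) for one packet of `flow`."""
        src_zone, dst_zone = self.zone_of(flow.src_ip), self.zone_of(flow.dst_ip)
        if src_zone == dst_zone:
            # Same zone: no zone boundary is crossed, so no policy applies.
            return "ALLOW", f"intra-zone {src_zone}"
        key = (flow.src_ip, flow.sport, flow.dst_ip, flow.dport, flow.proto)
        reverse = (flow.dst_ip, flow.dport, flow.src_ip, flow.sport, flow.proto)
        if key in self.state or reverse in self.state:
            # Stateful: replies to a permitted flow pass even though no rule
            # allows dst_zone -> src_zone on its own.
            return "ALLOW", "established"
        if self._policy_allows(src_zone, dst_zone, flow):
            self.state.add(key)
            return "ALLOW", f"policy {src_zone}->{dst_zone}:{flow.dport}"
        return "DROP", f"default deny {src_zone}->{dst_zone}:{flow.dport}"

def demo():
    """Run constructed flows through the template policy; returns verdicts."""
    fw = TransparentFirewall(PORT_TO_ZONE, BRIDGE_TABLE, POLICY_TEMPLATE)
    return {
        "till_to_gateway":     fw.filter(Flow("10.10.1.20", 40001, "10.10.1.1", 443))[0],
        "gateway_reply":       fw.filter(Flow("10.10.1.1", 443, "10.10.1.20", 40001))[0],
        "gateway_unsolicited": fw.filter(Flow("10.10.1.1", 5555, "10.10.1.21", 443))[0],
        "guest_to_till":       fw.filter(Flow("10.10.1.90", 50000, "10.10.1.20", 22))[0],
        "backoffice_to_till":  fw.filter(Flow("10.10.1.50", 50001, "10.10.1.20", 22))[0],
        "till_to_backoffice":  fw.filter(Flow("10.10.1.20", 40002, "10.10.1.50", 445))[0],
        "till_to_till":        fw.filter(Flow("10.10.1.20", 40003, "10.10.1.21", 445))[0],
    }

if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:22s} {verdict}")
```

The point to take from the model is that the guest client and the till are neighbours in the same /24 yet the guest-to-till flow is dropped, while the gateway's reply to the till is accepted only because the till opened the flow first. A real deployment would additionally bind zones to VLAN tags or MAC addresses where several device classes share a port, and the per-store verification that no untested path reaches the CDE is what makes the de-scoping defensible to an assessor.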

This solution had a number of significant benefits:

Simplicity

The solution maintained a level of simplicity within the store environment in that extensive VLAN deployment was not necessary to segment the various store systems and devices including servers, tills, wireless access points and wireless handheld devices.

Systems and devices

None of the store systems and devices needed to be reconfigured with new IP addressing, which would have been unavoidable had VLANs been deployed.

Control

Traffic flows were centrally controlled through template policy definitions that could be deployed quickly and consistently across all 3,500 stores.

Cost savings

Although a firewall appliance was needed in every store, the cost for deployment was significantly less than having to reconfigure every in-store system and device, which would have included approximately 210,000 devices.

Firewall appliance

Deploying a firewall appliance in each store, rather than re-addressing every in-store system and device, also greatly reduced the PCI project timescales.
