Hotel chain Travelodge has saved more than 20 staff days a year after investing in systems to automatically monitor its compliance with security standards for online credit card sales.
The company has implemented a scanning system which identifies potential security vulnerabilities across its internal networks and web-based booking systems, as part of its obligations to meet the security standards required by Mastercard and Visa.
"It has made a huge difference. It backs up the things we do in our own security practice. On a regular basis we make sure that our machines are patched, and this gives us an independent check that what we are doing is best practice," said Russell Fox, technical project manager at Travelodge.
The firm deployed the Qualys scanning system last year as part of preparations to meet the Payment Card Industry (PCI) security standards, which came into force in July.
The standards require companies selling over the internet to conduct regular security audits and to report the results of those audits to their bank. Organisations that fail to meet the standards could be liable for any fraudulent transactions.
The Qualys system allows Travelodge to produce monthly reports on potential security vulnerabilities in its Windows and Linux-based infrastructure. The company also carries out extra scans when it upgrades equipment or software.
The system offers advice on fixing the vulnerabilities and directs IT staff to the relevant patches. It generates reports on the number and seriousness of the vulnerabilities found, which Travelodge is able to send to its bank to demonstrate that it is complying with the PCI standards.
Fox said the system, which has replaced manual scanning, is saving IT staff between one and two days of work a month.
"You can look at all your systems and say, 'These are our vulnerabilities.' It consolidates all of the information, and you do not have to use different systems to find out what the vulnerabilities are," he said.
Travelodge scans 30 devices, using a software-based scanner for its external websites and an appliance-based scanner for its internal systems. "We are going well beyond the requirements for PCI," said Fox.
Travelodge is now planning to adopt a more advanced version of the scanner that will deliver compliance reports directly to its bank.
https://www.pcisecuritystandards.org