Hotel chain Travelodge has saved more than 20 staff days a year after investing in systems to automatically monitor its compliance with security standards for online credit card sales.
The company has implemented a scanning system which identifies potential security vulnerabilities across its internal networks and web-based booking systems as part of its obligations to meet security standards required by Mastercard and Visa.
"It has made a huge difference. It backs up the things we do in our own security practice. On a regular basis we make sure that our machines are patched, and this gives us an independent check that what we are doing is best practice," said Russell Fox, technical project manager at Travelodge.
The firm deployed the Qualys scanning system last year as part of preparations to meet the Payment Card Industry (PCI) security standards, which came into force in July.
The standards require companies selling over the internet to conduct regular security audits and to report the results of the audits to their bank. Organisations that fail to meet the standards could be liable for any fraudulent transactions.
The Qualys system allows Travelodge to produce monthly reports on potential security vulnerabilities in its Windows and Linux-based infrastructure. The company also carries out extra scans when it upgrades equipment or software.
The system offers advice on fixing the vulnerabilities and directs IT staff to relevant patches. It generates reports on the number and seriousness of the vulnerabilities found, which Travelodge is able to send to its bank to demonstrate it is complying with the PCI standards.
Fox said the system, which has replaced manual scanning, is saving IT staff between one and two days of work a month.
"You can look at all your systems and say, 'These are our vulnerabilities.' It consolidates all of the information, and you do not have to use different systems to find out what the vulnerabilities are," he said.
Travelodge scans 30 devices, using a software-based scanner for its external websites and an appliance-based scanner for its internal systems. "We are going well beyond the requirements for PCI," said Fox.
Travelodge is now planning to adopt a more advanced version of the scanner that will deliver compliance reports directly to its email@example.com
This was first published in November 2006