ZAXBY’S CASE STUDY
Relax. We got it.
Zaxby’s Licensee Finds Easier Route and Cost Savings for PCI Compliance with Merchant Link TransactionVault
Zaxby’s, the popular Athens, Georgia-based fast casual restaurant, has experienced tremendous growth as consumers have embraced its chicken and wings concept. It has also benefited as consumers have become much more willing to use credit cards for lower priced items in all settings (the average ticket at Zaxby’s is $10-15). In fact, 35-50% of its revenue is now in the form of credit cards. Based on its growth, the card associations recently classified it as a Level 2 merchant. This meant that the old ways of ensuring PCI compliance were out-of-date – so finding a new POS system was a top priority for ZAX, Inc., a licensee of Zaxby’s.
Level 2 requirements are stricter, and failing a single requirement means an organization is not compliant at all. “All of ZAX Inc.’s old systems were PCI compliant,” said Ehsan Choudhury, IT operations manager for Zaxby’s Franchising Inc. “We had to be sure that whatever we did would keep us compliant with the processor.”
The Merchant Link Solution:
Just like its focused commitment to controlled growth, ZAX, Inc. did not leave anything to chance in evaluating solutions that would bring it to Level 2 PCI requirements. The Zaxby’s licensee group selected the MICROS RES 4.1 integrated point-of-sale solution, which included the Merchant Link TransactionVault™ data security module, but prior to implementing it, Choudhury wanted to substantiate the technology process. He agreed that outsourcing cardholder data processing and storage made sense – a position recommended by noted research firms like Gartner and Javelin – but he wanted to conduct an analysis himself in order to accurately gauge the ROI.
Fast-casual, prepared-to-order chicken fingers, wings, sandwiches and salads
20% corporate stores
Integrated Point of Sale System: MICROS RES 4.1
data is much less expensive than dealing with a security breach.
The Merchant Link Solution: continued...
Using traffic capture analysis and protocol analyzer systems, Choudhury spent approximately 80 hours conducting in-depth testing and screening. Few companies have the in-house expertise needed to conduct this sort of evaluation, and outsourcing it to a third-party consulting firm could cost up to $200,000. But for Choudhury, it was time well spent.
Choudhury quickly verified that cardholder data is communicated from the POS terminal to the primary host in the back office, but not stored locally. While CVV2 data (Card Verification Value 2) does travel over the network infrastructure, it is encrypted and directly transported to one of two hosts maintained by Merchant Link. There is no evidence of CVV2 data storage or capture at the back office. This would address the top reason that companies fail PCI assessments, the protection of stored data.
[Chart: Top PCI Audit Failures, by requirement (Req. 1 through Req. 12). Source: Ambiron TrustWave, copyright 2007. * Data gathered from more than 250 card compromise investigations conducted by ATW.]
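Choudhury’s check that no cardholder data sits on the back-office host is the kind of test an assessor repeats on every in-scope system. As an added example that is not from the case study or from Merchant Link, the following scans a set of back-office files for stored primary account numbers, using the Luhn check to discard order numbers and timestamps and reporting only masked values; the file names and contents are constructed samples.

```python
import re
from typing import Dict, List

# 13 to 19 digits, optionally separated by single spaces or dashes; the
# lookarounds stop the pattern from matching inside a longer digit run.
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")

# Constructed sample files (not real data): a POS debug log that leaked full
# card numbers, a receipt with a masked PAN and order number, and a token log.
SAMPLE_FILES: Dict[str, str] = {
    "pos_debug.log": (
        "2007-03-15 12:34:56 AUTH card=4111111111111111 amount=12.50\n"
        "2007-03-15 12:40:01 AUTH card=5500 0000 0000 0004 amount=9.75\n"
    ),
    "receipts.txt": "Order 20070315123456 VISA ************1111 $12.50\n",
    "vault.log": "2007-03-15 12:34:57 token=TV-a8f3c1 amount=12.50\n",
}

def luhn_valid(digits: str) -> bool:
    """Luhn check: every real PAN passes, most other digit runs fail."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def mask(digits: str) -> str:
    """Keep only the first six and last four digits in any report."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]

def find_pans(text: str) -> List[str]:
    """Masked PANs found in text; Luhn drops order numbers and timestamps."""
    hits = []
    for m in PAN_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if luhn_valid(digits):
            hits.append(mask(digits))
    return hits

def scan_files(files: Dict[str, str]) -> Dict[str, List[str]]:
    """Map each file name to the masked PANs it holds, omitting clean files."""
    findings: Dict[str, List[str]] = {}
    for name, content in files.items():
        pans = find_pans(content)
        if pans:
            findings[name] = pans
    return findings
```

Any non-empty result from scan_files is a Requirement 3 finding for that host; the vault log and receipt file come back clean because a token and a masked PAN are not cardholder data.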
Additionally, Choudhury found the TransactionVault subscription for credit card transaction processing would mitigate the need for ZAX Inc. to comply with six of the 12 PCI-DSS compliance requirements. “The benefits of TransactionVault make it very clear that this is something we should be doing,” he said.
Requirement 10 requires daily review of audit trail and event logs from all systems storing cardholder data. To achieve this would require a technician to spend 10 minutes per day per location on daily log review and analysis. ZAX Inc. calculated the annual cost of this activity would be approximately $3,000 per location.
PCI Requirements Mitigated by TransactionVault
1. Install and maintain a firewall configuration to protect data.
2. Do not use vendor-supplied defaults for system passwords and security parameters.
3. Protect stored data.
4. Encrypt transmission of cardholder data and sensitive information across public networks.
5. Use and regularly update anti-virus software.
6. Develop and maintain secure systems and applications.
7. Restrict access to data by business need-to-know.
8. Assign a unique ID to each person with computer access.
9. Restrict physical access to cardholder data.
10. Track and monitor all access to network resources and cardholder data.
11. Regularly test security systems and processes.
12. Maintain a policy that addresses information security.
For more information about Merchant Link and its solutions for the restaurant industry, contact: