As more clients use credit and loyalty cards during their salon visits, Regis Salons is managing more personal data than ever before. This prompted the company to protect this sensitive information as it travels over its communications network.
Minneapolis-based Regis Salons, which is owned by Regis Corp., has more than 9,500 salons (6,500 salons are corporate-owned) across North America. The company clipped its way to $2.62 billion in sales for its fiscal year 2006, which ended in June.
Regis is eyeing opportunities presented by more Internet-based connectivity available through public networks, yet the company currently operates its network with “old-fashioned asynchronous dialup,” Bernie Rominski, IT security officer, told Chain Store Age.
Since the company is not likely to switch its infrastructure in the near future, according to Rominski, Regis wanted to further protect its existing network and a new flow of incoming customer information.
For example, approximately a year ago the chain launched a loyalty program. The proliferation of credit-card usage at salons is also impacting the company.
Besides having no encryption capabilities in place, Regis’ dial-up networks “had weaker security controls than we wanted,” he explained. “This became more of an issue as card information is leveraged by our back-end systems.”
Once credit-card information is collected at the point of sale and transmitted to a corporate database, for example, Regis’ loss-prevention system will analyze transactions to detect incidents of credit-card fraud or misuse across its enterprise.
Even though the company truncated all but the last four digits of a credit card, “We found that truncated card numbers resulted in too many false matches,” Rominski said. “We needed a way to perform this analysis using unique identifiers in place of account numbers. This would improve the accuracy of our reporting and still protect the customer’s credit-card information.”
And efforts couldn’t start soon enough. In late 2005 and early 2006, information breaches were becoming a common occurrence across the retail industry, and mandates, including the PCI (Payment Card Industry) requirement, were steadily being announced.
“Due to the risks, we started searching for a solution that would limit the exposure of our sensitive data and reduce the risk of potential incidents,” he noted.
In spring 2006, the company canvassed the marketplace for a solution that would support secure communications and data encryption. The solution also had to integrate with Regis’ IBM-based iSeries platform, a family of mid-range servers that runs a variety of operating systems.
By choosing a solution from Atlanta-based nuBridges, Regis can run secure transactions without leaving private keys and data vulnerable to hackers.
Regis began adding the solution in October. Its first task was to convert workstation payment applications. “This application collects customer information at the point of sale and transmits data to the back end,” he said.
Next, the team converted peripheral applications that are linked to the sales database. “This included solutions like customer relations that enable associates to look up transactions, or resolve customer complaints, discrepancies or refunds,” he said.
Now, as customers pay with a credit card, information is encrypted as the transaction is entered at the POS. Regis polls its stores each evening, and iSeries delivers data to the centralized database. Here, nuBridges analyzes the ciphertext to retrieve the correct secret-encryption keys to decrypt the data.
“At that point, the credit-card information is re-encrypted, and nuBridges supplies the safe index number we use to feed the subordinate systems. This limits the storage of actual account numbers in that single location,” Rominski reported.
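The sketch below is an added example, not nuBridges' or Regis' code. It shows why a per-card index number fixes the false matches Rominski describes with truncated numbers while keeping account numbers in one place. The `TokenVault` class, the `IDX-` token format, the HMAC lookup and the sample account numbers are all assumptions made for illustration, and encryption of the stored value is left out.

```python
import hashlib
import hmac
import secrets
from collections import defaultdict

class TokenVault:
    """The one place real account numbers live; other systems only see index numbers."""

    def __init__(self, lookup_key):
        self.lookup_key = lookup_key
        self.token_by_digest = {}  # HMAC(PAN) -> token, so a repeat card gets the same token
        self.pan_by_token = {}     # token -> PAN; a real vault stores this value encrypted

    def tokenize(self, pan):
        digest = hmac.new(self.lookup_key, pan.encode(), hashlib.sha256).digest()
        if digest not in self.token_by_digest:
            token = "IDX-" + secrets.token_hex(8)  # random, not derived from the PAN
            while token in self.pan_by_token:
                token = "IDX-" + secrets.token_hex(8)
            self.token_by_digest[digest] = token
            self.pan_by_token[token] = pan
        return self.token_by_digest[digest]

    def detokenize(self, token):
        return self.pan_by_token[token]

# Constructed sample data: made-up account numbers, two of which share their last four digits.
SAMPLE_SALES = [
    (101, "4000000000001234"),
    (202, "5100000000001234"),
    (303, "4000000000001234"),
    (404, "4000000000009999"),
]

def to_downstream(vault, sales):
    """Records as the subordinate systems receive them: no account number, only identifiers."""
    return [{"store": s, "last4": p[-4:], "token": vault.tokenize(p)} for s, p in sales]

def repeated_use(records, field):
    """Group stores by identifier and keep identifiers seen at more than one store."""
    stores = defaultdict(list)
    for rec in records:
        stores[rec[field]].append(rec["store"])
    return {key: seen for key, seen in stores.items() if len(seen) > 1}

if __name__ == "__main__":
    vault = TokenVault(secrets.token_bytes(32))
    records = to_downstream(vault, SAMPLE_SALES)
    print("by last four:", repeated_use(records, "last4"))  # three stores, one is a false match
    print("by token:    ", repeated_use(records, "token"))  # only the card that really repeats
```

Grouping on `last4` links store 202 to a card it never saw; grouping on `token` reports only the card used at stores 101 and 303.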
Regis is still piloting applications and planning its store-level deployment. To date, POS units at 1,000 locations are prepared for the upcoming PCI mandate, and the solution should be live enterprise-wide by the end of the year.