Pizza Hut staff acquire a taste for tokenless network access identification: PCI compliance ensured using two-factor authentication
The American Pizza Hut chain of restaurants has more than 12,000 branches worldwide. Pizza hut now have over 12,000 global restaurants and over 6,000 in USA alone. In the 700 branches in the UK, orders amounting to more than 1.1 million euros passing through the online ordering system each week. The stored payment details are protected in accordance with the PCI DSS (Payment Card Industry Data Security Standard) compliance requirements. These stipulate that the internal system login at Pizza Hut must not be secured by a password alone. The managers therefore installed the tokenless two-factor authentication solution SecurAccess from SecurEnvoy. This sends a text message to the mobile phone of the employee containing a numerical code, which he or she then enters in addition to a password.
In order to ensure that Pizza Hut’s online ordering system operates smoothly, a stable website and secure payment processes are required. With regard to payment processing, the restaurant giant is subject to the Payment Card Industry Data Security Standard – PCI DSS for short. This regulation stipulates inter alia the need for highly secure access to networks that contain sensitive information about credit card payments. In particular for employees who remotely access such a network, logging in using only a password is not allowed. For around 200 British Pizza Hut employees who work from their laptops, this means that a second authentication factor must be used.
Using mobile phones as keys:
Having reviewed the systems available on the market, the management opted for the tokenless two-factor authentication solution SecurAccess. This works without the need for additional, dedicated hardware tokens. Instead, it uses the mobile phone of the employee: when the user wants to log in to the Pizza Hut network, he or she receives a six digit numeric code via text message. This is entered together with the user’s personal login information in order to ensure unambiguous identification. The code is valid only once and expires immediately once it has been entered. The user receives new codes for each subsequent login.
“We compared numerous systems, including solutions such as plastic tokens that generate a random password,” explains Fawad Shah of Pizza Hut. “We decided in the end to go with SecurAccess because it makes use of mobile phones, which almost everyone owns and carries with them at all times anyway. In addition, the passcode transmission via SMS is the cheapest and most efficient way for us to ensure PCI DSS compliance. Our staff who work with laptops can now log in securely, even if at first there was some scepticism about the solution. But on using SecurAccess to log in for the first time, staff members discovered that this way of safeguarding access is very easy and efficient”.
Category: Industry News