Security - Nettitude helps Calumet move towards PCI Compliance
Mon, 26 February 2007
Calumet Photographic, Milton Keynes, UK
Embedded Cisco security project to assist in PCI Compliance
The Challenge: Calumet, as a retailer, had a business requirement and commitment to conform to the Payment Card Industry Data Security Standard (PCI DSS). PCI DSS was developed by the major credit card companies as a guideline to help organizations that process card payments prevent credit card fraud, hacking and various other security issues. A company processing card payments must be PCI compliant or it risks losing the ability to process credit card payments.
The PCI reflects the combined interests of VISA, MasterCard, Discover, American Express, and JCB. These five credit card brands have agreed upon a common set of security standards which forms the PCI DSS.
Calumet approached Nettitude to assist them in a network redesign that would conform to the PCI DSS.
The Solution: PCI DSS defines a stringent set of IT related security requirements that are mandatory for companies that store credit card data. This includes logging of all access into servers that store the data, and restricting access to them through firewalls.
Nettitude redesigned Calumet’s internal LAN to incorporate Virtual LAN (VLAN) technology and dual Cisco Adaptive Security Appliance (ASA) 5520 firewalls to protect and log all access to the servers that stored credit card data. Initially, all access through the firewalls was logged to a central console with no access controls defined. After a few weeks, this data was reviewed and analyzed, then used to create the firewalls’ access controls, which restricted which devices and applications could communicate with the servers. All access through the firewalls continued to be logged for audit purposes.
VLANs were implemented by making use of Calumet’s existing investment in Cisco Catalyst switches. Each different type of network device (users, servers, printers, wireless) is now contained within its own VLAN.
The Benefits: All access to the PCI servers must now transit the Cisco ASA firewalls. This allows access controls to be implemented that restrict which devices and applications can communicate with the servers, and it also logs all such communications for audit purposes. The new infrastructure was designed by Nettitude to merge into the existing environment as smoothly as possible to reduce the impact on end users. Following its implementation, Calumet could demonstrate that their networking infrastructure conformed to the PCI DSS.
Background to Calumet: In 1939, Kenneth Becker formed Calumet Manufacturing Company in Chicago. In 1980, after 40 years of manufacturing and selling its mostly large-format proprietary product lines, Calumet became a full-line supplier of professional photographic products. The result was the first photo supply catalog for photography enthusiasts.
With the uniting of Calumet Photographic in the United States and ‘Keith, Johnson and Pelling’, a retail chain in the United Kingdom, Calumet expanded into the Netherlands, Belgium and Germany. The company developed a global focus. This global focus expanded further in 1998, when Calumet launched its website and moved the company into the digital age. Almost 70 years in the business, Calumet continues to grow, adding products and services to our stores and warehouses every day. Currently, Calumet has more than 30 retail stores across the world.