Heron Foods ensures PCI DSS compliance with Sec-1

Founded in 1979, Heron Foods is one of the leading discount food retailers in the UK, with over 250 outlets located throughout Northern England and the Midlands. It primarily sells frozen food, but also offers a wide range of dry and chilled stock from named brands as well as several lines under its own brand.

The company, which currently employs 2,500 staff, was acquired by B&M in August 2017 and has ambitious growth plans as it seeks to seize market share and capitalise on new trends and opportunities in the retail space.

The challenge

Heron Foods’ growing presence in the market meant that the company had seen a large influx of card transactions over the past three years, and was looking to update its credit card handling procedures. At the time, financial details were held by the in-house finance team, though as Heron Foods grew each year, they became aware that they would need to re-examine how they handled cardholder information to ensure that it remained compliant with PCI DSS (Payment Card Industry Data Security Standard).

PCI DSS is the standard related to the storing, processing and transmitting of payment card data and it sets out 12 requirements specifying steps which should be taken to ensure payment card data is kept safe. Although all merchants must comply, those that process over 6 million transactions a year are subject to the highest level of scrutiny and must submit to audits from qualified security assessors.

With this 6 million transaction benchmark on the horizon, Heron Foods was keen to ensure that it could declare itself PCI DSS compliant, which would involve a complete overhaul of how the company managed cardholder details and require a fresh approach to staff training.

Alex Baines, Infrastructure Manager at Heron Foods, explained the security and compliance element: “Heron Foods deals with millions of card transactions a year and as a responsible retailer, we have a duty of care to make sure the information we process is secure and we’re PCI DSS compliant. Once we exceed 6 million card transactions a year, the onus is on us to explain to auditors how our customers’ details are exchanged so we needed to evolve our processes.

The challenge is that PCI DSS sets a high bar and is quite a complex standard, so we needed to work alongside a company that had deep expertise in PCI DSS compliance and could tailor this knowledge to our requirements.”

The solution

Heron Foods set about finding an experienced partner to help tighten up their procedures, and enlisted the help of security specialist Sec-1, a Claranet Group company, to get them compliant with PCI DSS.

Sec-1 took the time to fully understand the company’s requirements, utilising their extensive security proficiency to devise the solution and assist Heron Foods in becoming PCI DSS compliant. Sec-1 also conducted an in-depth audit of practices to ensure processes were fully compliant across all stores and employees.

Importantly, Sec-1 recommended that point-to-point encryption (P2PE) be implemented in Heron Foods’ PIN entry devices, which ensures that card data is encrypted as soon as the customer inserts a card into the device, meaning that the only business with access to the card details is the P2PE solution provider.

Alex continued:

“Sec-1 brought in a fresh set of eyes to help us understand the regulation and tell us what needed to happen in store and at head office. The beauty of a P2PE solution is that it removes a lot of the compliance aspects of PCI DSS on the technology side of things.”

The result

One of the most important benefits of Sec-1’s work has been to enable Heron Foods to be prepared for future audits, especially when their card transactions exceed the 6 million mark. From this, a new compliance-focused ethos spread across the company.

Alex commented: “Sec-1 immediately understood our needs and how we wished to progress. Our knowledge of cardholder data, security, and sensitive data overall was weak. However, since Sec-1 helped us out, we are training our staff to learn that credit card data is information that we don’t want or need to store. We have dramatically reduced our exposure to customer data with the implementation of P2PE encryption, so that all our customers’ information is safe. A major benefit of the whole project is that we are in a much better position to satisfy the demands of the GDPR as there’s considerable overlap with PCI DSS.”

“We hold regular PCI awareness meetings with staff to make sure we’re implementing the necessary changes required by the standard. Sec-1 provided a level of engagement with the business in a way that’s enabled us to achieve compliance in a way that maximises security for both customers and the business alike and given us peace of mind. As a business that relies heavily on card transactions, this is vital,” Alex concluded.