BUSINESS: McDonald's is the world's leading food-service retailer, with more than 30,000 local neighborhood restaurants in more than 100 countries. Approximately 70 percent of McDonald’s restaurants worldwide are owned and operated locally by independent men and women.
SCOPE: International, 30,000+ restaurants in 127 countries
SIZE: 45,000 employees; 1,084 restaurants
BUSINESS CHALLENGE: McDonald's France, a subsidiary of McDonald's Corp., needed a way to automate its vulnerability assessments to make certain they're in continuous compliance with internal security policies, as well as such regulations as Sarbanes-Oxley and the Payment Card Industry Data Security Standard.
SOLUTION: McDonald's France turned to Qualys’ on demand Web service appliance to automatically identify and more effectively mitigate system vulnerabilities and misconfigurations.
You can't talk grande cuisine without French food entering the conversation. Now, McDonald's France is showing the world a thing or two about how to dine quickly and conveniently. The subsidiary of the $20.5 billion McDonald’s Corporation—the #1 quality service restaurant provider with more than 30,000 restaurants around the world—designs and builds its restaurants to blend with the surrounding architecture. "The French people not only love traditional French food, we also love convenience," says Wilfried Delcambre, manager of infrastructure for IT at McDonald's.
While its customers appreciate the stylish restaurant interiors and free Wi-Fi Internet access, they don't see the behind-the-scenes operation the company has in place to make certain their credit card information, as well as its own financial and proprietary information, all are kept safe. A big part of this effort is making sure its operating systems, applications, and servers are protected against the latest software vulnerabilities and other misconfigurations that could jeopardize its security and regulatory compliance. As an NYSE publicly traded company (SYMBOL MCD), McDonald's must continuously make certain that it is operating in compliance with the Sarbanes-Oxley Act of 2002 (SOX). Passed in the spirit of financial reporting transparency and integrity for publicly traded companies, SOX seeks to ensure that corporate executives are held more responsible for their company’s financial statements.
Why McDonald's France chose Qualys:
The risks to security and regulatory compliance efforts are increasing. Security managers face an accelerating pace of newfound vulnerabilities. According to the CERT Coordination Center, there were 3,780 vulnerabilities reported in 2004—and that number more than doubled to 8,064 in 2006. "You have to consistently monitor your systems to mitigate problems. It's a process that never stops," explains Delcambre. Any unpatched or misconfigured systems could represent a deficiency in the control over financial systems required by SOX Section 404, as well as the Payment Card Industry Data Security Standard (PCI DSS). PCI DSS dictates security controls surrounding the processing and managing of credit card information and transactions. These mandates, along with other government and industry regulations, require that systems not only be secured, but that security be demonstrated to government and industry regulators.
With an enhanced way of achieving those aims in mind, McDonald's France sought a way to automate many of the processes associated with vulnerability risk management: system discovery, vulnerability identification, and remediation. That's when Delcambre explains how an IT advisor recommended Qualys. Qualys enables the company to streamline control of its entire vulnerability management life cycle—asset discovery, vulnerability assessment, security fix tracking—and meet federal and internal policy regulations. The on demand solution, fully managed by Qualys, is delivered as a Web service and requires no software or costly infrastructure to deploy.
"We needed external and internal reviews of our security. That's what Qualys does for us exceptionally well. It helps us to identify, remedy, and track our vulnerabilities," says Delcambre. In addition, Qualys’ ability to automate scans makes it possible for McDonald's to run these evaluations every week. "Through Qualys, we have a detailed look at our entire infrastructure from the inside, as well as an exposed view of our systems from the outside."
That ability, says Delcambre, helps the company not only achieve security, but demonstrate how its system patches are up to date to regulators. "Qualys is an important part of our compliance efforts," says Delcambre.
With that success, McDonald's France is now turning to Qualys PCI to help it substantiate the security of its credit card transactions and compliance with the Payment Card Industry Data Security Standard (PCI DSS). PCI DSS, established by all the major credit card companies, is designed to make certain that merchants maintain the level of security necessary to adequately protect credit card transactions and data. The standard puts forth twelve security requirements, including network firewall installation, encrypting cardholder data as it travels, strict authentication and authorization tracking, and maintaining a thorough vulnerability management program. There are stiff non-compliance penalties. Merchants that fail to meet compliance, or suffer a breach, can be barred altogether from processing credit card transactions, face higher processing fees, and suffer fines of up to $500,000 for each instance of non-compliance.
“Qualys enables us to automate our internal and external vulnerability audits. We get a concise report of how both insiders and outsiders can view our systems, so we always can know how our systems are in compliance with our internal policies as well as regulations.”
Systems & Security Manager, McDonald's France
"We're piloting Qualys PCI to help us streamline with the forms, required reporting, and to validate that we have everything in place for PCI compliance," explains Delcambre.
Just as with all of Qualys’ on demand security solutions, there is nothing to install or deploy, and no hidden overhead. Qualys PCI provides companies a way to streamline PCI-required questionnaires and vulnerability assessments, and creates the required validation report that can be automatically submitted to an online retailer's acquiring bank. "We're looking to Qualys PCI to save us time and make our PCI compliance efforts more efficient," he says.
While Qualys’ ability to automate many aspects associated with vulnerability management, to save time, and to increase McDonald's France's IT team’s efficiency, Delcambre most appreciates the continuously increased levels of security that Qualys provides. "Your systems can be really secured, both inside and out, but if you have a single misconfiguration in your firewall, you can be exposed to too much risk. That, and many other types of risks, is the type of thing Qualys finds for us."