Book Title: eTextbook: Fundamentals of Information Systems
Chapter 9. Cybercrime and Information System Security
Case Studies

Case One: Fairplay Turns to a Managed Security Service Provider

Fairplay Finer Foods is an independent grocery retailer that operates in the greater
Chicago area. From its beginning, Fairplay’s mission has been to provide quality foods
at an affordable price along with exceptional customer service. Starting with a single
store in 1975, Fairplay has since grown to seven locations. The opening of each new
store led to increased sales and attracted new customers; however, expansion also
raised new information system needs as well as information security risks.

Due to its size, it was not practical for Fairplay to create and run its own information
systems organization, so it contracted with KCS Computer Technology, Inc., to provide
these services along with the necessary computer hardware and systems. One of KCS’s
key accomplishments for Fairplay was to implement and manage a corporate network
that the grocery chain uses to run applications and communicate across all of its stores.
Another important area of focus for KCS involved helping Fairplay manage issues
related to the Payment Card Industry Data Security Standard (PCI DSS). Retailers
accepting credit cards and other forms of electronic payment are required to comply with
the PCI DSS. The PCI DSS standard ensures that businesses follow best practices for
protecting their customers’ payment card information. A strong desire to ensure
compliance with the PCI DSS standard and concern over potential network security
issues led Fairplay and KCS to seek out a managed security service provider (MSSP).

After a thorough investigation, Fairplay and KCS selected ControlScan, an MSSP
headquartered in Atlanta, based on its simple pricing model, stable of certified security
experts, advanced technology, and solid reputation. As part of its contract with Fairplay,
ControlScan agreed to serve as an extension of KCS, delivering cloud-based security
technologies and related security support services, including:

  - Installing, configuring, and monitoring a system of next-generation firewalls
  - Investigating, responding to, and reporting on security-related events
  - Providing network usage reports for insights into company resource utilization
  - Upgrading the network on an ongoing basis by implementing the latest security
    enhancements
  - Providing expertise to reduce network complexity and contain network-related
    costs

ControlScan’s initial action was to install next-generation firewall appliances to protect
each of Fairplay’s locations. This work was completed in a single night to
minimize business disruption. ControlScan then conducted a thorough PCI gap analysis
to compare current Fairplay security controls with those required by the PCI DSS.
ControlScan developed a detailed set of recommendations and options for eliminating
the gaps, thus giving Fairplay management a roadmap to achieve full PCI DSS
compliance. Finally, ControlScan did a full review of all of Fairplay’s existing information
systems and security policies, working with the chain’s IS staff to tweak and customize
policies where necessary.

Critical Thinking Questions

  1. What advantages does use of an MSSP offer a small retailer like Fairplay? Can you think of
    any potential drawbacks of this approach? Is there a danger in placing too much trust in the
    use of an MSSP? Explain.
  2. Data breaches at major retailers, such as Neiman Marcus, Target, and others, in recent years
    have shown that compliance with the Payment Card Industry Data Security Standard (PCI
    DSS) is no guarantee against an intrusion (see Vijayan, Jaikumar, “After Target, Neiman
    Marcus Breaches, Does PCI Compliance Mean Anything?,” ComputerWorld, January 24,
    2014). If you were a member of Fairplay’s management team, what additional actions would
    you take to ensure your customers’ credit card data is not stolen?
  3. Do research on the Web to gain insight into the evolution of the PCI DSS standard. What
    major changes were made in moving from PCI 2.0 to PCI 3.0? What changes are being
    suggested for future versions of the PCI standard?