Secure, Compliant, and Delicious

Restaurant chain Bertucci’s moved proactively to protect its sensitive data and ensure compliance with reporting requirements. Senior IT Director Kevin Quinlan explains how the Northboro, Mass., company deployed technology and processes to safeguard its data and to ensure that Bertucci’s is compliant with government- and industry-imposed regulations.


With 94 family restaurants stretching from New England to Virginia, Bertucci’s is a mainstay up and down the Eastern Seaboard. The company processes more than 3.7 million credit card transactions annually; employs 6,000 people; and maintains an IT infrastructure spread across more than 350 server nodes, including a mix of point-of-sale systems and both virtual and physical servers. 

A major part of my job as senior director of IT is to ensure that the right technology and processes are in place to protect all our sensitive data—including customer financial data generated by all those credit card transactions and our own intellectual property and employee information. My other, and equally critical, responsibility is to make sure Bertucci’s is—and continues to be—compliant with government- and industry-imposed regulations.

The importance of security and compliance can’t be overstated: A failure to adequately address these two issues could have a devastating impact on our organization. The Ponemon Institute recently estimated the cost of noncompliance with regulatory mandates to be $9.4 million. Although it’s harder to estimate the cost of inadequate security, the impact of data breaches in terms of revenue loss
and reputation damage has been widely chronicled. 

So, needless to say, I took a deliberate approach to strengthening our security and compliance initiatives. The first step for me and my team, which consists of three full-time IT administrators, was to assess the challenges we faced.


The Challenge

An organization that processes credit card transactions as frequently as Bertucci’s is considered a Level Two merchant, according to the Payment Card Industry Data Security Standard (PCI DSS). To comply with the PCI standard, Level Two merchants need to track changes, create audit trails, and archive any and all issues that have been investigated and resolved. This is a critical step, especially when you consider that according to the most recent Verizon Data Breach Investigations Report, 89 percent of organizations suffering payment card breaches had not been validated as PCI DSS compliant at the time of the breach.

We also must protect our database and its key information; monitor systems for qualifying new users and changes to permissions; and ensure that only authorized individuals can access sys-tems containing sensitive information such as payroll, benefits and accounting data. And because many Bertucci’s restaurants are located in Massachusetts, we must comply with MA 201 CMR 17. This regulation man-dates strong controls to protect personally identifiable information and breach notifi-cations for state residents.