Industry analysis by expert Joanie Wexler
A chain of independent 7-Eleven convenience stores in central Oklahoma has completed a highly distributed Wi-Fi rollout to support a new inventory management system. Starting the wireless project from scratch has allowed the company to fully embrace wireless Payment Card Industry Data Security Standard (PCI DSS) mandates.
The 102-store retailer - owned and managed separately from the nationwide 7-Eleven chain - recently deployed a Retalix inventory control system to automatically track and reorder products for each store. To support it, 7-Eleven installed Aerohive 802.11a/b/g wireless LANs and LXE MX7 barcode-scanning handsets in February, says Mike Mattice, senior systems programmer and integrator at the company.
In-store personnel scan inventory with the LXE handsets, which support Wi-Fi Protected Access 2 (WPA2) and forward the data over 802.11b or 802.11g to an Aerohive HiveAP (usually one per store). HiveAPs also contain controller functions, which removes the dependence on separate controllers, a cost and management consideration for highly distributed enterprises such as retailers and financial institutions. The HiveAPs communicate with a Retalix host in the company’s data center using a VPN service from the local cable company, Mattice says.
Start-up Aerohive’s HiveAPs are representative of newer WLAN architectures, which are swinging back from being centralized to at least somewhat distributed to match traffic patterns and ease bottlenecks. HiveAPs, for one, operate much like a mesh router network, albeit over the airwaves instead of copper wiring. They use special control protocols to discover one another, exchange state and best-path information and locally forward traffic. Central IT staff, however, handle AP provisioning, configuration and policy-setting at a management console in the company’s data center.
A stateful packet-inspection firewall embedded in the HiveAP limits 7-Eleven employees to accessing just the Retalix application server, which also resides behind its own data center firewall, Mattice explains. Firewall segregation is one of the PCI DSS mandates.
PCI DSS also requires encrypting credit cardholder data in wireless networks using WPA2, IPsec, or SSL. Though 7-Eleven isn’t wirelessly transmitting credit card information at this juncture, it is using the WPA2 capabilities in the Aerohive infrastructure equipment and LXE handsets to protect data.
In many other retail stores, handheld scanning devices are the weak link in the security chain. The reason is that many stores have had barcode scanners in place for years, if not decades, that were built long before Wi-Fi caught on as a mainstream technology. In small isolated pockets of deployment, WLANs weren’t much of a security threat until recent years, when people gained the proper equipment and expertise needed to penetrate corporate networks via an airlink.
Now, of course, the picture is very different. But many retailers operate on such narrow margins that it is hard for them to justify new scanners when the old ones are working fine. And many legacy devices run on old operating systems such as DOS or don’t have enough memory to be upgraded to the newer enterprise-grade WPA2, a.k.a. 802.11i, which includes Advanced Encryption Standard (AES) encryption and an 802.1X authentication framework and related protocols.
Joanie Wexler is an independent networking technology writer/editor in Silicon Valley.