The marketing team at Chuck E. Cheese had an idea: They wanted to place laptops on the counters so people could come in and book birthday parties right in the facility.
But even adding one Chromebook changes CEC Entertainment’s security picture, and gets Chief Information Security Officer Nathan Hunstable thinking what he usually does when someone wants to introduce a new game card, tablet, or video-capturing wireless device: Let’s slow down a bit.
“Giving people a computer where they’re typing their information in and they’re putting in credit card data” changes the company’s obligations to industry standards like the Payment Card Industry Data Security Standard (PCI DSS), Hunstable told us.
As CISO since July 2024, Hunstable has to be a bit of a “downer”—not exactly ruining everyone’s good time in the ballpit, just making sure everyone walks, not runs, through the arcade of possibilities. Hunstable must consider the serious security stakes in a place that also includes trampolines and a giant mouse.
“I’m stuck in the middle of one side of the company’s thought process of ‘innovate,’ and ‘push the boundaries’ and ‘get it out there as fast as possible.’ And then there’s the CISO side where I have to say, ‘Alright, we can do all that, but understand all these risks…Let’s slow down,’” Hunstable told us.
Meet the team. Hunstable’s teams install and secure infrastructure, networks, and any ideas the company wants in its nearly 600 locations. Each Chuck E. Cheese facility has as many as 160 wireless devices in one building, Hunstable said, including game cards, tablets, payment devices, and maybe someday a laptop on the counter for birthday-party booking.
To reduce exposure points in the cardholder data environment (CDE), the PCI DSS “strongly recommends” the cardholder data environment be on its own segmented network, with its own set of security policies and network controls.
Top insights for IT pros
From cybersecurity and big data to cloud computing, IT Brew covers the latest trends shaping business tech in our 4x weekly newsletter, virtual events with industry experts, and digital guides.
That means putting devices on an island, using technologies like Cisco Meraki to define specific policies. Rules like: This laptop (with a specific network, operating system, and MAC address range) can only access the Chuck E. Cheese website.
Movie night! Hunstable’s experience with network segmentation began in 2002 at a multiscreen theater in Texas called the Movie Tavern, a place he swept up many-a-popcorn-kernel years earlier. He lacked computer skills, he remembers telling the owners, but he learned on the job and gradually configured corporate office computers, theater point-of-sale systems, and networks.
The IT infrastructure across a movie theater and a Chuck E. Cheese is almost identical, he said. Both environments have point-of-sale devices, a guest wireless network, a gaming network, and a network for management. VLANs, or virtual local area networks, allow for the creation of virtual subnetworks to separate and segment the different groups.
“There’s a lot going on in these networks, because you’ve got so many different vendors that are doing separate things,” he said.
Slow go. Covid kept customers home and ultimately led to the company filing for bankruptcy in June 2020.
CEO David McKillips spoke with CNBC’s The Exchange recently about the company’s bounceback, including a new, growing subscription model for customers. He mentioned the importance of “catering to a new generation of kids consuming entertainment in different ways.” Hunstable agrees.
“Every kid has a PlayStation, an Xbox, an Oculus, or whatever it is, and so we’re always trying to push the limits of what we can do in our store,” Hunstable said.
And that means being a downer sometimes, or at least a slow-downer—offering security briefs to execs and board members and then making sure the tech runs.
“We’re in 18 countries worldwide right now. That’s a tremendous upside for global expansion,” McKillips said on CNBC.
Global expansion, some hope, but slowly.