February 10, 2008   Sign In |  About ebizQ |  Contact Us |  Join ebizQ Gold Club
Peter Schooff
Peter Twenty-Four Seven Security
 Peter Schooff's blog is a daily look at what's going on in the world of computer security with an emphasis on how it affects businesses.

« Will IBM Transform Security? | Main | Podcast with IBM on Their End-to-End Security Solution »

November 05, 2007
Is PCI to Blame for TJX?

As more and more companies scramble to comply with PCI, I think a good question to ask right now is, exactly how compliant was TJX before their massive data breach? Or, to put it another way, What's the point of struggling to get PCI compliant if it's simply going to result in another data breach like TJX?

According to Search Security, some recent disclosures from TJX court documents actually show that the retail giant FAILED 9 out of the 12 PCI DSS requirements covering encryption, access controls, and firewalls. Penalties for failing to comply can add up to as much as $500,000 and also include increased auditing requirements along with losing the ability to process credit cards altogether.

So should PCI be weakened in order to make it easier for companies to comply? "Looking at the 12 requirements [of PCI DSS], I have to wonder how could you make them any more lax than they are," said Keith Gosselin, IT officer for Biddeford Savings Bank in Maine. "These are the simplest of best practices. As a CIO, CEO or CFO, why would you not want your company to meet these requirements?"

Some companies have actually started pushing back, saying that PCI is simply too strict. "Companies have gotten over the scare from Enron and WorldCom and are starting to push back on these regulations and say 'hey, this is costing us too much money,'" he said. "You look at PCI DSS and there is nothing illogical about what's required. But if a company can get the rules lessened, that's what they're going to try and do."

The question is, though, once TJX was found to be in violation of 9 of the PCI rules, how come those problems weren't immediatly fixed? Very simply because of lax auditing. Apparently, TJX passed a PCI DSS check-up, but some key problems were either missed or totally overlooked. "They had no network monitoring and no logs, and they had unencrypted data," an auditor who asked not to be identified said. "But this wasn't picked up by the auditor. They passed the Level 1 inspection and shouldn't have."

It also bears mentioning that TJX's problems go much deeper than simple PCI compliance, as TJX should also be used as a textbook case study in how not use wireless networks.

So what's to be learned: Ignoring PCI and accepted best practices for protecting credit card data is like ignoring the dentist for a bad tooth...it only gets worse.

Posted by pschooff in |Digg This|Add to del.icio.us

Trackback Pings

TrackBack URL for this entry:
http://www.ebizq.net/mt/mt-tb.cgi/2830

Comments Post a comment




Remember Me?

(you may use HTML tags for style)

We ask that you type your code (displayed below) in the text box.This code is an image that cannot be read by a machine. It prevents automated programs from submitting comments.


Code:



Most Recent ebizQ Blog Entries
ADVERTISEMENT
Subscribe
News Feed
Recent Posts
Categories
Archives
Blog Roll
Blogosphere
This Work
Accountability:The opinions expressed in this blog are solely representative of the blog's author, and not of ebizQ
Subscribe to our Newsletters
ebizQ Weekly Gold Club Update
Live Webinar Updates
Updates from ebizQ Partners
ebizQ SOA Update
ebizQ BPM Update
ebizQ Security Update
ebizQ BI Update
ebizQ Open Source Software Update
Virtual Show Newsletter
Your E-mail Address:
BAM: The Killer App for CEP
Date: Feb 12, 2008
Time: 12:00 PM ET
(17:00 GMT)
I WANT TO ATTEND
Event Processing Market Pulse
Date: Feb 14, 2008
Time: 12:00 PM ET
(17:00 GMT)
I WANT TO ATTEND
Archived Webinars | Upcoming Webinars

Marketing Solutions | Feedback | About ebizQ | Unsubscribe | Privacy Policy | Site Map