Wednesday, September 23, 2009
Why Do Bad Things Happen to PCI-Compliant Companies?
Caution: Just because your company has a payment card industry (PCI) compliance certificate, don't assume your data is perfectly safe and secure. You can still suffer a breach.
That's the lesson recently learned by retail clothing company Forever 21. Company officials posted a notice on the company's Web site last month telling customers of a data breach involving 98,000 credit cards. Forever 21 was PCI compliant at the time of the breach, according to a written statement the company released.
Being PCI compliant does not guarantee that a firm is immune from a breach. A recent study entitled "Cost of Compliance" disclosed that 95 percent of surveyed firms were not confident they would be safe from a data breach even if they were PCI compliant.
Two other store chains -- Hanover Foods and TJ Maxx -- offer further examples of PCI compliance shortfalls, though in the case of TJ Maxx, the store was in the process of achieving full compliance when the incident occurred. The list of companies with similar PCI complaint breaches grows larger all the time.
"A common theme I see is a tremendous amount of subjectivity is used in applying the PCI standards," Chris Konrad, senior vice president of client services for security and risk management firm Fortrex, told the E-Commerce Times.
Part of the problem is a lack of constant, vigilant oversight of one's compliance status, Konrad noted. A company can be PCI complaint today but fall out of compliance next week.
Another part is that qualified security assessors don't all perform the same way. Security auditors come from a variety of backgrounds. Some are from IT, others from engineering industry, according to Konrad.
"All QSAs (Qualified Security Assessors) take the same courses taught by the same instructors and pass the same exams. Yet you take 10 QSAs and will get 10 different interpretations of a rule," Konrad said.
Know What's Up
In data breach cases involving PCI-compliant companies, the firm itself is not necessarily the only entity responsible for what went wrong. PCI compliance is only as good as the efforts to maintain them.
"The key thing to understand is that it is an ecosystem. Each party plays a part in a game. You can't put all the blame on the retailers," Kim Singletary, director of retail and embedded systems for IT environmental control firm Solidcore, told The E-Commerce Times.
The key to preventing data breaches after reaching PCI compliance is knowing your infrastructure and what is changing, she said. Battening down the security landscape involves doing more than focusing on stolen laptops and hackers breaking into networks.
"Especially in the payment merchant field, much upgrading is needed. We need to rethink the viewpoint on what happens when the credit card hits the swipe machine," said Singletary. "There is no perimeter anymore when you assess security risk. All of that is degrading. Now there are too many points of connection."
Cases like those of Forever 21, Hanover Foods and TJ Maxx point to the shortcomings of the PCI certification process. However, in the absence of better security practices, PCI is better than no precaution at all.
"PCI is not a panacea. It is a guideline for better security. The implementation of the regulations is getting better and tighter," Mandeep Khera, chief marketing officer for Cenzic, told the E-Commerce Times.
The payment card industry will continue to see more cases of data breaches despite PCI compliance, he said. PCI assessments are not perfect, and the problem lies in their execution.
"We have a long way to go, but it is getting better," said Khera. "Previously, Web application security was totally ignored, as was WiFi security."
New Regs Helpful
The refinements to the PCI Standards 1.2 that went into effect Oct. 1 may or may not bring a reduction in data breaches, noted Konrad. The new regulations may help QSAs and company IT workers provide better monitoring of factors that change risk levels after PCI compliance is issued.
However, "What the end user needs to know is that once compliance is attained, anything new added to the mix changes that compliance qualification. For instance, if you add a new employee or add a server, or anything that changes the assessment can cause a non-compliant state," he explained.
A basic solution is for businesses to worry less about PCI compliance and concentrate more on their security, he said.
The cheapest security measure that an enterprise has is constant employee training and awareness of the circumstances, according to Konrad. Companies need a sound security and compliance policy adopted from the top down.
"It needs to be in the corporate DNA. In many cases it isn't. The fundamental problem is that corporations don't follow up," he said.
Singletary sees a degradation of the retail infrastructure at the root of compliance problems. Companies are not keeping up to date with technology, and the industry is moving at a pace that nobody understands, she said.
The real solutions are found in being able to do real-time monitoring and the ability to check out runtime events, Singletary said.
Ultimately, fewer data breaches may come as a result of consumer mandates. Retailers could start feeling their customers' pain if payment card processors do not go beyond the intent of PCI regulations.
"Lots of people have their head in the sand over this. Consumers need to be up in arms over this. These security lapses will cost taxpayers higher credit and processing costs when they do card transactions," Singletary said