CIO News: PCI compliance a good start, but not enough
The theft pales in comparison with last year's massive data breach at The TJX Cos., which exposed some 94 million cardholder accounts, but the Hannaford intrusion marked another worrisome milestone. The heist occurred while customer data was in transit, rather than at rest in a database -- the first known time that has happened on such a large scale. Even more troubling, unlike an estimated 50% of retailers, the company was in compliance with the Payment Card Industry Data Security Standard (PCI DSS), established by the major card brands, including Visa Inc. and MasterCard Inc., to protect cardholder data.
"Visa is a bank, not an IT company. The notion that Visa should be telling retailers, particularly retail IT-ers, how to secure their information is really a bit silly," Rowen said.

Visa, to its credit, was quick to identify the problem associated with the collection, retention and use of customer financial data by retailers, said Brian Kilcourse, managing partner at RSR and co-author with Rowen of "Customer Data Security, PCI and Beyond," a 2008 benchmark study of how retailers are approaching the PCI mandate. Retailers, however, are collecting all kinds of customer data to customize and fine-tune their product offerings and improve customer service. "PCI focuses exclusively on credit card payment data, but there is other stuff collected that is just as dangerous," Kilcourse said. "A good portion of the breaches are Social Security numbers. PCI has nothing to say about Social Security numbers."

The point? Treating PCI compliance as a "checkbox project is not enough," Kilcourse stressed. Security is a continuous process that requires proactive measures to minimize the risk associated with the capture and retention of customer data. Retailers who wish to tackle customer data security from a proactive standpoint "must successfully incorporate their payment-specific security measures into larger business initiatives."

PCI pain points

The most common mistake retailers make in becoming PCI compliant, Kilcourse said, is to "map their applications to the mandate." "Retailers will come up with to-do lists, so, for example, 'We have customer data in this application, therefore let's map it over the mandate,' as opposed to looking at all their applications through the lens of the mandate," Kilcourse said.
When Kilcourse and Rowen asked retailers to name the most difficult aspect of complying with PCI, the No. 1 hurdle cited was the ability to monitor access to the network. "There are so many points of data transmission in the network, they could not monitor them." In the case of the Hannaford breach, the credit and debit card numbers are believed to have been stolen in transit from the PIN pad (where the card is swiped) back to the database -- a weak spot firms like RSR have been warning retailers about since before PCI was instituted. Retailers need to encrypt the data in all of its forms, not only when it is at rest, Rowen said. "A lot of retailers cringe when you say this, because there are so many little discrete handoffs of this data between Point A and Point B that it can seem like a daunting task," Kilcourse said.

Let us know what you think about the story; email: Linda Tucci, Senior News Writer