INTEROP: Knee-jerk standards compliance not enough for retailers

Even companies that do try to comply fully with PCI standards may not wind up secure.

Businesses certified to be compliant with the Payment Card Industry Data Security Standards (PCI DSS) keep suffering data breaches, but the problem may be more with the way businesses address the requirements than with the PCI standard, experts told an Interop gathering.

Retail chain Forever 21, which last week revealed that nearly 99,000 customer payment cards may have been compromised, claimed it was PCI compliant, said John Pironti, the chief information risk strategist for Getronics.

"They claim to be PCI compliant, Hannaford's [the supermarket chain that suffered a data breach claimed to be PCI compliant," said Pironti, who moderated an Interop panel on the subject of compliance.

But those firms may have restricted compliance auditors' access to areas where they thought they would meet standards, said Jennifer Mack, vice president of Master Card Worldwide and a member of the PCI Security Council.

The companies may have submitted their headquarters to review by a qualified security assessor (QSA) but not their retail stores, for example, Mack said. QSAs are also hindered by the fact that they can't require changes to meet compliance. "They recommend and they can't do much more than that," she said.

Even companies that do try to comply fully with the standards may not wind up secure, Pironti said. "Businesses are more interested in meeting a check list than assessing how best to secure their networks," he said.

Mack agreed that businesses also need to do risk assessments to make sure their networks are protected and that blind following of the standards hasn't left them vulnerable. But the standards are still important to get corporations to take security seriously. "If the check list weren't there, we probably wouldn't be thinking about some of these things. We have to pick the ones that fit us best," Mack said.

Jim Routh, CISO of Depository Trust Clearing Corp. which processes quadrillions of dollars of financial transactions each year, said each company has its own set of security priorities that need to be thought through. Knee-jerk compliance won't work.

Pironti said a client of his diverted funds from projects that he thought would make their network more secure in order to encrypt all customer data wherever it was in the network. The company thought the risk to other data was outweighed by the potential blow to corporate reputation if customer data were breached, he said.

The decision was prompted by data-breach disclosure laws that say breaches must be publicly disclosed only if the data was unencrypted when it was stolen. "Maybe compliance has gone too far when companies need a foot to stand on in the court of public opinion," Pironti said.

Join the newsletter!

Or

Sign up to gain exclusive access to email subscriptions, event invitations, competitions, giveaways, and much more.

Membership is free, and your security and privacy remain protected. View our privacy policy before signing up.

Error: Please check your email address.

Tags PCI

Keep up with the latest tech news, reviews and previews by subscribing to the Good Gear Guide newsletter.
Tim Greene

Tim Greene

Network World
Show Comments

Most Popular Reviews

Latest Articles

Resources

PCW Evaluation Team

Tom Pope

Dynabook Portégé X30L-G

Ultimately this laptop has achieved everything I would hope for in a laptop for work, while fitting that into a form factor and weight that is remarkable.

Tom Sellers

MSI P65

This smart laptop was enjoyable to use and great to work on – creating content was super simple.

Lolita Wang

MSI GT76

It really doesn’t get more “gaming laptop” than this.

Jack Jeffries

MSI GS75

As the Maserati or BMW of laptops, it would fit perfectly in the hands of a professional needing firepower under the hood, sophistication and class on the surface, and gaming prowess (sports mode if you will) in between.

Taylor Carr

MSI PS63

The MSI PS63 is an amazing laptop and I would definitely consider buying one in the future.

Christopher Low

Brother RJ-4230B

This small mobile printer is exactly what I need for invoicing and other jobs such as sending fellow tradesman details or step-by-step instructions that I can easily print off from my phone or the Web.

Featured Content

Don’t have an account? Sign up here

Don't have an account? Sign up now

Forgot password?