INTEROP: Knee-jerk standards compliance not enough for retailers

Even companies that do try to comply fully with PCI standards may not wind up secure.

Businesses certified to be compliant with the Payment Card Industry Data Security Standards (PCI DSS) keep suffering data breaches, but the problem may be more with the way businesses address the requirements than with the PCI standard, experts told an Interop gathering.

Retail chain Forever 21, which last week revealed that nearly 99,000 customer payment cards may have been compromised, claimed it was PCI compliant, said John Pironti, the chief information risk strategist for Getronics.

"They claim to be PCI compliant, Hannaford's [the supermarket chain that suffered a data breach claimed to be PCI compliant," said Pironti, who moderated an Interop panel on the subject of compliance.

But those firms may have restricted compliance auditors' access to areas where they thought they would meet standards, said Jennifer Mack, vice president of Master Card Worldwide and a member of the PCI Security Council.

The companies may have submitted their headquarters to review by a qualified security assessor (QSA) but not their retail stores, for example, Mack said. QSAs are also hindered by the fact that they can't require changes to meet compliance. "They recommend and they can't do much more than that," she said.

Even companies that do try to comply fully with the standards may not wind up secure, Pironti said. "Businesses are more interested in meeting a check list than assessing how best to secure their networks," he said.

Mack agreed that businesses also need to do risk assessments to make sure their networks are protected and that blind following of the standards hasn't left them vulnerable. But the standards are still important to get corporations to take security seriously. "If the check list weren't there, we probably wouldn't be thinking about some of these things. We have to pick the ones that fit us best," Mack said.

Jim Routh, CISO of Depository Trust Clearing Corp. which processes quadrillions of dollars of financial transactions each year, said each company has its own set of security priorities that need to be thought through. Knee-jerk compliance won't work.

Pironti said a client of his diverted funds from projects that he thought would make their network more secure in order to encrypt all customer data wherever it was in the network. The company thought the risk to other data was outweighed by the potential blow to corporate reputation if customer data were breached, he said.

The decision was prompted by data-breach disclosure laws that say breaches must be publicly disclosed only if the data was unencrypted when it was stolen. "Maybe compliance has gone too far when companies need a foot to stand on in the court of public opinion," Pironti said.

Join the PC World newsletter!

Error: Please check your email address.

Tags PCI

Our Back to Business guide highlights the best products for you to boost your productivity at home, on the road, at the office, or in the classroom.

Keep up with the latest tech news, reviews and previews by subscribing to the Good Gear Guide newsletter.

Tim Greene

Network World
Show Comments

Essentials

Microsoft L5V-00027 Sculpt Ergonomic Keyboard Desktop

Learn more >

Lexar® JumpDrive® S57 USB 3.0 flash drive

Learn more >

Mobile

Lexar® JumpDrive® S45 USB 3.0 flash drive 

Learn more >

Exec

HD Pan/Tilt Wi-Fi Camera with Night Vision NC450

Learn more >

Audio-Technica ATH-ANC70 Noise Cancelling Headphones

Learn more >

Lexar® JumpDrive® C20c USB Type-C flash drive 

Learn more >

Lexar® Professional 1800x microSDHC™/microSDXC™ UHS-II cards 

Learn more >

Budget

Back To Business Guide

Click for more ›

Most Popular Reviews

Latest News Articles

Resources

GGG Evaluation Team

Michael Hargreaves

Windows 10 for Business / Dell XPS

I’d happily recommend this touchscreen laptop and Windows 10 as a great way to get serious work done at a desk or on the road.

Aysha Strobbe

Windows 10 / HP Spectre

Ultimately, I think the Windows 10 environment is excellent for me as it caters for so many different uses. The inclusion of the Xbox app is also great for when you need some downtime too!

Mark Escubio

Windows 10 / Lenovo Yoga

For me, the Xbox Play Anywhere is a great new feature as it allows you to play your current Xbox games with higher resolutions and better graphics without forking out extra cash for another copy. Although available titles are still scarce, but I’m sure it will grow in time.

Kathy Cassidy

STYLISTIC Q702

First impression on unpacking the Q702 test unit was the solid feel and clean, minimalist styling.

Anthony Grifoni

STYLISTIC Q572

For work use, Microsoft Word and Excel programs pre-installed on the device are adequate for preparing short documents.

Featured Content

Latest Jobs

Don’t have an account? Sign up here

Don't have an account? Sign up now

Forgot password?