INTEROP: Knee-jerk standards compliance not enough for retailers

Even companies that do try to comply fully with PCI standards may not wind up secure.

Businesses certified to be compliant with the Payment Card Industry Data Security Standards (PCI DSS) keep suffering data breaches, but the problem may be more with the way businesses address the requirements than with the PCI standard, experts told an Interop gathering.

Retail chain Forever 21, which last week revealed that nearly 99,000 customer payment cards may have been compromised, claimed it was PCI compliant, said John Pironti, the chief information risk strategist for Getronics.

"They claim to be PCI compliant, Hannaford's [the supermarket chain that suffered a data breach claimed to be PCI compliant," said Pironti, who moderated an Interop panel on the subject of compliance.

But those firms may have restricted compliance auditors' access to areas where they thought they would meet standards, said Jennifer Mack, vice president of Master Card Worldwide and a member of the PCI Security Council.

The companies may have submitted their headquarters to review by a qualified security assessor (QSA) but not their retail stores, for example, Mack said. QSAs are also hindered by the fact that they can't require changes to meet compliance. "They recommend and they can't do much more than that," she said.

Even companies that do try to comply fully with the standards may not wind up secure, Pironti said. "Businesses are more interested in meeting a check list than assessing how best to secure their networks," he said.

Mack agreed that businesses also need to do risk assessments to make sure their networks are protected and that blind following of the standards hasn't left them vulnerable. But the standards are still important to get corporations to take security seriously. "If the check list weren't there, we probably wouldn't be thinking about some of these things. We have to pick the ones that fit us best," Mack said.

Jim Routh, CISO of Depository Trust Clearing Corp. which processes quadrillions of dollars of financial transactions each year, said each company has its own set of security priorities that need to be thought through. Knee-jerk compliance won't work.

Pironti said a client of his diverted funds from projects that he thought would make their network more secure in order to encrypt all customer data wherever it was in the network. The company thought the risk to other data was outweighed by the potential blow to corporate reputation if customer data were breached, he said.

The decision was prompted by data-breach disclosure laws that say breaches must be publicly disclosed only if the data was unencrypted when it was stolen. "Maybe compliance has gone too far when companies need a foot to stand on in the court of public opinion," Pironti said.

Join the PC World newsletter!

Error: Please check your email address.

Tags PCI

Our Back to Business guide highlights the best products for you to boost your productivity at home, on the road, at the office, or in the classroom.

Keep up with the latest tech news, reviews and previews by subscribing to the Good Gear Guide newsletter.

Tim Greene

Network World
Show Comments

Most Popular Reviews

Latest News Articles

Resources

PCW Evaluation Team

Azadeh Williams

HP OfficeJet Pro 8730

A smarter way to print for busy small business owners, combining speedy printing with scanning and copying, making it easier to produce high quality documents and images at a touch of a button.

Andrew Grant

HP OfficeJet Pro 8730

I've had a multifunction printer in the office going on 10 years now. It was a neat bit of kit back in the day -- print, copy, scan, fax -- when printing over WiFi felt a bit like magic. It’s seen better days though and an upgrade’s well overdue. This HP OfficeJet Pro 8730 looks like it ticks all the same boxes: print, copy, scan, and fax. (Really? Does anyone fax anything any more? I guess it's good to know the facility’s there, just in case.) Printing over WiFi is more-or- less standard these days.

Ed Dawson

HP OfficeJet Pro 8730

As a freelance writer who is always on the go, I like my technology to be both efficient and effective so I can do my job well. The HP OfficeJet Pro 8730 Inkjet Printer ticks all the boxes in terms of form factor, performance and user interface.

Michael Hargreaves

Windows 10 for Business / Dell XPS 13

I’d happily recommend this touchscreen laptop and Windows 10 as a great way to get serious work done at a desk or on the road.

Aysha Strobbe

Windows 10 / HP Spectre x360

Ultimately, I think the Windows 10 environment is excellent for me as it caters for so many different uses. The inclusion of the Xbox app is also great for when you need some downtime too!

Mark Escubio

Windows 10 / Lenovo Yoga 910

For me, the Xbox Play Anywhere is a great new feature as it allows you to play your current Xbox games with higher resolutions and better graphics without forking out extra cash for another copy. Although available titles are still scarce, but I’m sure it will grow in time.

Featured Content

Latest Jobs

Don’t have an account? Sign up here

Don't have an account? Sign up now

Forgot password?