INTEROP: Knee-jerk standards compliance not enough for retailers

Even companies that do try to comply fully with PCI standards may not wind up secure.

Businesses certified to be compliant with the Payment Card Industry Data Security Standards (PCI DSS) keep suffering data breaches, but the problem may be more with the way businesses address the requirements than with the PCI standard, experts told an Interop gathering.

Retail chain Forever 21, which last week revealed that nearly 99,000 customer payment cards may have been compromised, claimed it was PCI compliant, said John Pironti, the chief information risk strategist for Getronics.

"They claim to be PCI compliant, Hannaford's [the supermarket chain that suffered a data breach claimed to be PCI compliant," said Pironti, who moderated an Interop panel on the subject of compliance.

But those firms may have restricted compliance auditors' access to areas where they thought they would meet standards, said Jennifer Mack, vice president of Master Card Worldwide and a member of the PCI Security Council.

The companies may have submitted their headquarters to review by a qualified security assessor (QSA) but not their retail stores, for example, Mack said. QSAs are also hindered by the fact that they can't require changes to meet compliance. "They recommend and they can't do much more than that," she said.

Even companies that do try to comply fully with the standards may not wind up secure, Pironti said. "Businesses are more interested in meeting a check list than assessing how best to secure their networks," he said.

Mack agreed that businesses also need to do risk assessments to make sure their networks are protected and that blind following of the standards hasn't left them vulnerable. But the standards are still important to get corporations to take security seriously. "If the check list weren't there, we probably wouldn't be thinking about some of these things. We have to pick the ones that fit us best," Mack said.

Jim Routh, CISO of Depository Trust Clearing Corp. which processes quadrillions of dollars of financial transactions each year, said each company has its own set of security priorities that need to be thought through. Knee-jerk compliance won't work.

Pironti said a client of his diverted funds from projects that he thought would make their network more secure in order to encrypt all customer data wherever it was in the network. The company thought the risk to other data was outweighed by the potential blow to corporate reputation if customer data were breached, he said.

The decision was prompted by data-breach disclosure laws that say breaches must be publicly disclosed only if the data was unencrypted when it was stolen. "Maybe compliance has gone too far when companies need a foot to stand on in the court of public opinion," Pironti said.

Join the newsletter!

Error: Please check your email address.
Rocket to Success - Your 10 Tips for Smarter ERP System Selection

Tags PCI

Keep up with the latest tech news, reviews and previews by subscribing to the Good Gear Guide newsletter.

Tim Greene

Network World
Show Comments

Most Popular Reviews

Latest Articles

Resources

PCW Evaluation Team

Ben Ramsden

Sharp PN-40TC1 Huddle Board

Brainstorming, innovation, problem solving, and negotiation have all become much more productive and valuable if people can easily collaborate in real time with minimal friction.

Sarah Ieroianni

Brother QL-820NWB Professional Label Printer

The print quality also does not disappoint, it’s clear, bold, doesn’t smudge and the text is perfectly sized.

Ratchada Dunn

Sharp PN-40TC1 Huddle Board

The Huddle Board’s built in program; Sharp Touch Viewing software allows us to easily manipulate and edit our documents (jpegs and PDFs) all at the same time on the dashboard.

George Khoury

Sharp PN-40TC1 Huddle Board

The biggest perks for me would be that it comes with easy to use and comprehensive programs that make the collaboration process a whole lot more intuitive and organic

David Coyle

Brother PocketJet PJ-773 A4 Portable Thermal Printer

I rate the printer as a 5 out of 5 stars as it has been able to fit seamlessly into my busy and mobile lifestyle.

Kurt Hegetschweiler

Brother PocketJet PJ-773 A4 Portable Thermal Printer

It’s perfect for mobile workers. Just take it out — it’s small enough to sit anywhere — turn it on, load a sheet of paper, and start printing.

Featured Content

Product Launch Showcase

Latest Jobs

Don’t have an account? Sign up here

Don't have an account? Sign up now

Forgot password?