INTEROP: Knee-jerk standards compliance not enough for retailers

Even companies that do try to comply fully with PCI standards may not wind up secure.

Businesses certified to be compliant with the Payment Card Industry Data Security Standards (PCI DSS) keep suffering data breaches, but the problem may be more with the way businesses address the requirements than with the PCI standard, experts told an Interop gathering.

Retail chain Forever 21, which last week revealed that nearly 99,000 customer payment cards may have been compromised, claimed it was PCI compliant, said John Pironti, the chief information risk strategist for Getronics.

"They claim to be PCI compliant, Hannaford's [the supermarket chain that suffered a data breach claimed to be PCI compliant," said Pironti, who moderated an Interop panel on the subject of compliance.

But those firms may have restricted compliance auditors' access to areas where they thought they would meet standards, said Jennifer Mack, vice president of Master Card Worldwide and a member of the PCI Security Council.

The companies may have submitted their headquarters to review by a qualified security assessor (QSA) but not their retail stores, for example, Mack said. QSAs are also hindered by the fact that they can't require changes to meet compliance. "They recommend and they can't do much more than that," she said.

Even companies that do try to comply fully with the standards may not wind up secure, Pironti said. "Businesses are more interested in meeting a check list than assessing how best to secure their networks," he said.

Mack agreed that businesses also need to do risk assessments to make sure their networks are protected and that blind following of the standards hasn't left them vulnerable. But the standards are still important to get corporations to take security seriously. "If the check list weren't there, we probably wouldn't be thinking about some of these things. We have to pick the ones that fit us best," Mack said.

Jim Routh, CISO of Depository Trust Clearing Corp. which processes quadrillions of dollars of financial transactions each year, said each company has its own set of security priorities that need to be thought through. Knee-jerk compliance won't work.

Pironti said a client of his diverted funds from projects that he thought would make their network more secure in order to encrypt all customer data wherever it was in the network. The company thought the risk to other data was outweighed by the potential blow to corporate reputation if customer data were breached, he said.

The decision was prompted by data-breach disclosure laws that say breaches must be publicly disclosed only if the data was unencrypted when it was stolen. "Maybe compliance has gone too far when companies need a foot to stand on in the court of public opinion," Pironti said.

Join the newsletter!

Or
Error: Please check your email address.
Rocket to Success - Your 10 Tips for Smarter ERP System Selection

Tags PCI

Keep up with the latest tech news, reviews and previews by subscribing to the Good Gear Guide newsletter.

Tim Greene

Network World
Show Comments

Brand Post

Most Popular Reviews

Latest Articles

Resources

PCW Evaluation Team

Andrew Teoh

Brother MFC-L9570CDW Multifunction Printer

Touch screen visibility and operation was great and easy to navigate. Each menu and sub-menu was in an understandable order and category

Louise Coady

Brother MFC-L9570CDW Multifunction Printer

The printer was convenient, produced clear and vibrant images and was very easy to use

Edwina Hargreaves

WD My Cloud Home

I would recommend this device for families and small businesses who want one safe place to store all their important digital content and a way to easily share it with friends, family, business partners, or customers.

Walid Mikhael

Brother QL-820NWB Professional Label Printer

It’s easy to set up, it’s compact and quiet when printing and to top if off, the print quality is excellent. This is hands down the best printer I’ve used for printing labels.

Ben Ramsden

Sharp PN-40TC1 Huddle Board

Brainstorming, innovation, problem solving, and negotiation have all become much more productive and valuable if people can easily collaborate in real time with minimal friction.

Sarah Ieroianni

Brother QL-820NWB Professional Label Printer

The print quality also does not disappoint, it’s clear, bold, doesn’t smudge and the text is perfectly sized.

Featured Content

Product Launch Showcase

Latest Jobs

Don’t have an account? Sign up here

Don't have an account? Sign up now

Forgot password?