Data breaches at TJX Cos. Inc. and elsewhere have some questioning whether the Payment Card Industry Data Security Standard (PCI DSS) is tough enough to quell the epidemic. But most IT security professionals say the problem isn't PCI DSS, but the lax manner in which companies try to implement and audit the rules.
TJX has been back in the news as court documents surfaced showing, among other things, that the retailer failed at nine of the 12 PCI DSS requirements covering encryption, access controls and firewalls. Penalties for noncompliance include fines of up to $500,000, increased auditing requirements and even losing the ability to process credit card transactions.
Paul Asadoorian, a senior network security engineer with Rhode Island-based OSHEAN Inc., a nonprofit coalition that buys Internet services for public schools and universities, believes there is room for improvement with PCI DSS. Requirements should more clearly address ways to protect against attacks based on social engineering, he said. Still, TJX's woes run much deeper than its PCI DSS compliance efforts or the lack thereof, Asadoorian said. In particular, the TJX story is an example of how not to use wireless networks, he said. Investigators have concluded that the data breach began when hackers managed to access the wireless network at a couple TJX stores.
Several IT security professionals bristled when asked if PCI DSS needs to be weakened so more companies can achieve compliance. As written now, the requirements are pretty clear, they say, and weakening the standard certainly wouldn't help stem the tide of data breaches.
"Looking at the 12 requirements [of PCI DSS], I have to wonder how could you make them any more lax than they are," said Keith Gosselin, IT officer for Biddeford Savings Bank in Maine. "These are the simplest of best practices. As a CIO, CEO or CFO, why would you not want your company to meet these requirements?"
Cheap security, lax auditing
Gosselin said he can't fathom how TJX could have violated nine of the requirements, given the retailer's size and the resources at its disposal.
Investigations have found that some data breach victims tried to achieve PCI compliance in as cheap and easy a manner as possible, leaving behind network weaknesses the bad guys could exploit. Security consultant Thomas Peltier of Howell, Mich.-based Peltier Associates said he has encountered many companies that have looked for ways to push back on the PCI requirements.
"Companies have gotten over the scare from Enron and WorldCom and are starting to push back on these regulations and say 'hey, this is costing us too much money,'" he said. "You look at PCI DSS and there is nothing illogical about what's required. But if a company can get the rules lessened, that's what they're going to try and do."
One PCI DSS auditor, who requested anonymity because he is involved in the TJX investigation, said the Framingham, Mass.-based retail giant was also the victim of lax auditing. Under PCI DSS, Level 1 businesses -- those that process more than six million credit card transactions a year -- are subject to an annual on-site audit and quarterly network scans performed by an approved vendor. Level 2 and 3 companies that process 20,000 to 6 million credit card transactions a year must fill out an annual self-assessment questionnaire and have an approved vendor conduct quarterly network scans.
The auditor said TJX passed a PCI DSS check-up, but that the auditor failed to notice some key problems.
"They had no network monitoring and no logs, and they had unencrypted data," he said. "But this wasn't picked up by the auditor. They passed the Level 1 inspection and shouldn't have."
No substitute for security basics
Paul Schmehl, an adjunct information security officer for the University of Texas at Dallas, agreed with Gosselin that the problem with TJX wasn't PCI DSS, but rather its failure to institute basic security measures.
"If you ignore commonly-accepted best practices you can expect to be hacked. It's really that simple," he said. "How does the length of time data is stored impact its security? You either maintain a secure network and engage in best practices or you don't, and the length of time that data is stored is a minor element in the equation."
'Tell us how to make it better'
Bob Russo, general manager of the PCI Security Standards Council, said during a panel discussion on data security last week at the Harvard Club in Boston that PCI DSS is a solid security blueprint if companies are willing to follow it. He believes most companies are meeting the challenge and improving security in the process.
"I get calls from people who want to use PCI DSS as the basis for their own standards," he said. "Some companies are dragged into compliance kicking and screaming," but there's nothing like the prospect of brand reputation damage and lawsuits to get them to do what's necessary to secure systems and respond properly when there is a breach.
To those who believe PCI DSS is either to tough or not tough enough, Russo said, "It's not good enough to call us and say it stinks. Tell us how to make it better."