PCI DSS auditors see lessons in TJX data breach

By Bill Brenner, Senior News Writer
01 Mar 2007 | SearchSecurity.com

TJX Companies Inc. violated some of the basic tenets of the PCI Data Security Standard (PCI DSS), and according to several PCI auditors it will pay a heavy financial price. They said companies should study the TJX security breach for clear lessons on what not to do with customer data.

Information security pain points
Roger Nebel, director of strategic security for Washington D.C.-based FTI Consulting, said fines will almost certainly be imposed on TJX because it was clearly negligent in holding onto unencrypted cardholder data, a direct violation of the PCI DSS.

Framingham, Mass.-based TJX acknowledged in January that an attacker exploited a flaw in a portion of its computer network that handles credit card, debit card, check and merchandise return transactions.

Twelve basic requirements of the PCI Data Security Standard

Build and maintain a secure network
Requirement 1: Install and maintain a firewall configuration to protect cardholder data
Requirement 2: Do not use vendor-supplied defaults for system passwords and other security parameters

Protect cardholder data
Requirement 3: Protect stored cardholder data
Requirement 4: Encrypt transmission of cardholder data across open, public networks

Maintain a vulnerability management program
Requirement 5: Use and regularly update anti-virus software
Requirement 6: Develop and maintain secure systems and applications

Implement strong access control measures
Requirement 7: Restrict access to cardholder data by business need-to-know
Requirement 8: Assign a unique ID to each person with computer access
Requirement 9: Restrict physical access to cardholder data

Regularly monitor and test networks
Requirement 10: Track and monitor all access to network resources and cardholder data
Requirement 11: Regularly test security systems and processes

Maintain an information security policy
Requirement 12: Maintain a policy that addresses information security

(Note: The PCI Security Standards Council released version 1.1 of the standard in September 2006. It clarifies the existing requirements and adds some new ones. Perhaps the most noteworthy addition is under Requirement 6, a stipulation that all custom application code be reviewed for common vulnerabilities by an organization that specializes in application security. Or, there must be a Web application firewall installed in front of Web-facing applications. This will be considered a "best practice" until June 30, 2008, and then it will be a requirement.)

The breach was worse than first thought, TJX officials admitted last week. The company initially believed that attackers had access to its network between May 2006 and January 2007. However, the ongoing investigation uncovered evidence that the thieves also were inside the network several other times, beginning in July 2005.

What not to do
Nebel and other PCI auditors said the breach offers some clear examples of the wrong way to treat sensitive data under the PCI DSS.

The standard sets out 12 basic security requirements, emphasizing the need for encryption, access controls and firewalls. Penalties for noncompliance range from fines of up to $500,000 to increased auditing requirements or even losing the ability to process credit card transactions.

Under the standard, Level 1 businesses -- those that process more than six million credit card transactions per year -- are subject to an annual on-site audit and quarterly network scans performed by an approved vendor. Level 2 or 3 companies that process 20,000 to 6 million credit card transactions a year must fill out an annual self-assessment questionnaire and must also have an approved vendor conduct quarterly network scans.

TJX violated basic rules
In recent interviews, several PCI DSS auditors noted that while most of their clients are achieving PCI DSS compliance, many have been forced to address serious problems along the way. When reviewing what merchants are doing to protect their customers' credit card data, auditors are typically finding that:

  • Encryption is often inconsistent across a company's systems. Credit card data may be protected in some places but not in others.
  • Some companies store credit card data they do not need and, making matters worse, fail to isolate it, so it travels across less secure parts of the network.
  • Some IT shops fail to keep logs of network activity, making it nearly impossible to spot malicious hackers or other unauthorized users trying to reach credit card data.
  • Some companies don't conduct regular scans for software vulnerabilities or abnormal activity.
  • Companies that thought they were all set after complying with regulations such as the Sarbanes-Oxley Act and HIPAA discovered their controls were not adequate to meet the PCI DSS.

At the very least, TJX violated the PCI DSS by storing unencrypted cardholder data, said James DeLuccia, an independent auditor based in Atlanta, Ga.

"Credit and debit card data is something the PCI Security Standards Council will be concerned about," he said. "You're not supposed to store that kind of data, and [TJX] had it online and unencrypted."

Price will be steep
Nebel and DeLuccia said TJX will pay a high price for the breach. So will the banks that do business with the retail giant.

"You have to remember how this works -- Visa and MasterCard only have a direct relationship with the member banks," Nebel said. "They can only fine the banks."

The banks, though, will almost certainly pass the fines on to TJX, he said. There is a process through which violators can try to recover the fines, but Nebel said the bar is set pretty high.

"Before any fines are levied, Visa and MasterCard will require a forensic investigation to determine the extent and culpability," Nebel said. "The merchant must show that there was information not available to the forensic examiner that somehow shows they are not responsible."

Nebel said he's never heard of any fine being reversed.

He also said it's unlikely the public will hear details on the fines levied against the banks or TJX, and it can take anywhere from a few weeks to a few months for the forensic investigation to determine the scope and causes of such an incident, if they can be determined at all.

But in the end, DeLuccia said, TJX will end up having to spend a lot of money to put the issue to rest, namely due to numerous fines and fees, legal and otherwise.

"There's no question that 40 million accounts had problems," DeLuccia said. "The affected credit cards alone cost $25 each to re-issue. So the bank could say, 'Hey, it cost us $25 per card to re-issue 200 cards, and we're passing the bill to you.'"

TJX will also lose money from civil lawsuits and from having to hire security firms to overhaul its systems, DeLuccia said, adding, "Even without punitive fines, they're still paying dearly."

Lessons to be learned
Fortunately for other companies, the TJX case offers plenty of lessons on how not to approach the PCI DSS, the auditors said.

Joseph Krause, senior security engineer for Chicago-based AmbironTrustWave, said companies first have to get a fix on where customer data is on the network, where it travels and whether or not it's encrypted.

"Understanding where the data is and where it goes is a challenge for some, but it's a very important part of PCI DSS," he said. "If you don't know where your data is traveling and where it is stored, you can't secure it."
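As an added illustration of Krause's point, and of the auditors' finding that merchants hold card data unencrypted without knowing where it sits, the following Python script is example code written for this page; it is not from the original article, TJX or any of the auditors quoted. It scans text sources (file exports, application logs, ticket notes) for primary account numbers stored in the clear: it pulls out runs of 13 to 19 digits, validates them with the Luhn check digit, filters by well-known card-brand prefixes to cut false positives, and reports only a masked form (first six and last four digits, the most PCI DSS permits to be displayed). The file names and their contents are constructed sample data.

```python
"""PAN discovery over text sources: find unencrypted card numbers.

Example code for this page, not the article's or any auditor's tooling.
All input below is constructed sample data.
"""
import re
from typing import Dict, Iterator, List, NamedTuple

# A candidate PAN: 13-19 digits, optionally separated by single spaces or
# dashes (e.g. "4111 1111 1111 1111"). The lookarounds stop us matching the
# middle of a longer digit run; a scanner should err on the side of
# reporting, so findings are candidates for manual confirmation.
PAN_CANDIDATE = re.compile(r"(?<![0-9])(?:[0-9][ -]?){12,18}[0-9](?![ -]?[0-9])")


class Finding(NamedTuple):
    source: str
    line_no: int
    masked: str
    brand: str


def luhn_ok(digits: str) -> bool:
    """Luhn check digit validation, as used by all major card brands."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def brand_of(digits: str) -> str:
    """Classify by issuer prefix and length; 'unknown' for non-card numbers
    that happen to pass Luhn (invoice numbers, serials, all-zero fields)."""
    if digits.startswith("4") and len(digits) in (13, 16, 19):
        return "Visa"
    if len(digits) == 16 and (51 <= int(digits[:2]) <= 55
                              or 2221 <= int(digits[:4]) <= 2720):
        return "Mastercard"
    if len(digits) == 15 and digits[:2] in ("34", "37"):
        return "American Express"
    if len(digits) == 16 and digits.startswith("6011"):
        return "Discover"
    return "unknown"


def mask(digits: str) -> str:
    """Keep first six and last four digits; never echo a full PAN in a report."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def scan_text(source: str, text: str) -> Iterator[Finding]:
    for line_no, line in enumerate(text.splitlines(), 1):
        for m in PAN_CANDIDATE.finditer(line):
            digits = re.sub(r"[ -]", "", m.group())
            if luhn_ok(digits):
                brand = brand_of(digits)
                if brand != "unknown":
                    yield Finding(source, line_no, mask(digits), brand)


def scan_sources(sources: Dict[str, str]) -> List[Finding]:
    """Scan every (name, content) pair and return the findings in order."""
    findings: List[Finding] = []
    for name, text in sources.items():
        findings.extend(scan_text(name, text))
    return findings


# Constructed sample data: one POS export, one application log, one note.
# The card numbers are the brands' public test numbers, not real accounts.
SAMPLE_SOURCES = {
    "pos-export.csv": "order,pan,amount\n"
                      "1001,4111111111111111,49.99\n"
                      "1002,tok_8f3a9c,12.50\n",          # tokenized: fine
    "app.log": "2007-02-12 10:31:05 checkout ok card=5500 0000 0000 0004 ref=0000000000000000\n"
               "2007-02-12 10:31:07 returns card=3782-822463-10005\n",
    "ticket.txt": "customer reads 6011111111111117 over phone, order 987654321\n",
}

if __name__ == "__main__":
    for f in scan_sources(SAMPLE_SOURCES):
        print(f"{f.source}:{f.line_no}: {f.brand} {f.masked}")
```

Run against the sample data it reports four cleartext PANs (one per source line that holds one) and ignores the tokenized value, the timestamps, the order number and the all-zero reference field, which passes Luhn but matches no issuer prefix. Pointed at real exports, log directories and database dumps, the same logic gives the inventory Krause describes: where card data actually lives, so that it can be encrypted, truncated or deleted.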

Krause also said companies have to be sticklers for network monitoring.

"Usually when we see an environment for the first time, we find they are deficient in this area," he said. "Just being able to help them understand which logs they need to have a close eye on, on a daily basis," is a lot of work.

Finally, companies need to understand that there's no single product or service that can alleviate an enterprise's PCI DSS compliance woes. Every business and every network is different, and PCI DSS controls must be tailored to an organization's particular make-up.

"I tell clients it's not an easy process and it is an educational experience," he said. "The requirements for every company on the path to PCI compliance are quite different.

"There's no one-size-fits-all approach."
