I’m not surprised by court documents claiming that TJX blew it on nine of the 12 requirements of the PCI Data Security Standard (PCI DSS), which of course allowed hackers to break into its network and steal the credit card information of more than 94 million customers. PCI DSS auditors have been suggesting for months that TJX had failed on some of the core elements of the standard.
Several banking groups are suing the retail giant for all the money they were forced to spend re-issuing credit cards compromised in the security breach, and last week the plaintiffs filed a new batch of documents in Boston federal court claiming that, among other things, TJX violated PCI DSS by failing to properly secure its wireless network; failing to wall off parts of the network where sensitive data was stored from other parts of the network (popularly referred to as segmentation); and storing data that shouldn’t have been kept around in the first place.
That the latter issue was a factor in the breach is something PCI DSS auditors have been saying for some time.
Way back in March, Roger Nebel, director of strategic security for Washington D.C.-based FTI Consulting, said the breach offers some clear examples of the wrong way to treat sensitive data under the PCI DSS. At the very least, TJX violated the PCI DSS by storing unencrypted cardholder data, agreed James DeLuccia, an independent auditor based in Atlanta, Ga.
“Credit and debit card data is something the PCI Security Standards Council will be concerned about,” he predicted around the same time. “You’re not supposed to store that kind of data, and [TJX] had it online and unencrypted.”
The court documents also confirm another prediction the PCI DSS auditors made — that Visa and/or MasterCard would probably pelt TJX and its card processor with fines. According to one report on the court filings, Visa has already fined TJX’s card processor $880,000 and plans to collect more in the future.
When I interviewed the PCI DSS auditors for that March report, I got plenty of good advice on how retailers could avoid the same mistakes. The best advice, in my opinion, came from Joseph Krause, senior security engineer for Chicago-based AmbironTrustWave.
He said companies first have to get a fix on where customer data is on the network, where it travels and whether or not it’s encrypted.
“Understanding where the data is and where it goes is a challenge for some, but it’s a very important part of PCI DSS,” he said. “If you don’t know where your data is traveling and where it is stored, you can’t secure it.”
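Krause's first step, finding where cardholder data sits and whether it is stored in clear, is usually done with a discovery scan over files, exports and application logs. The following is an added example (not code from the article or from AmbironTrustWave): a small Python scanner over constructed sample sources that looks for Luhn-valid card numbers stored in cleartext and reports their location in masked form; the file names and log lines are assumptions.

```python
import re
from dataclasses import dataclass
from typing import Dict, List

# Candidate PAN: 13 to 19 digits, optionally separated by single spaces or dashes,
# and not embedded in a longer digit run (the digit lookarounds reject those).
PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")

@dataclass
class Finding:
    source: str      # file or log name where the cleartext PAN was found
    line_no: int     # 1-based line number within that source
    masked_pan: str  # first six and last four digits only, never the full PAN

def luhn_valid(digits: str) -> bool:
    """Luhn check: filters out order ids, timestamps and other digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def mask(digits: str) -> str:
    """Report findings in the masked form PCI DSS allows to be displayed."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]

def scan_text(source: str, text: str) -> List[Finding]:
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for m in PAN_CANDIDATE.finditer(line):
            digits = re.sub(r"[ -]", "", m.group(0))
            if luhn_valid(digits):
                findings.append(Finding(source, line_no, mask(digits)))
    return findings

def scan_sources(sources: Dict[str, str]) -> List[Finding]:
    """Scan every (name, content) pair and return all cleartext PAN findings."""
    return [f for name, text in sources.items() for f in scan_text(name, text)]

# Constructed sample inputs (assumed names, test card numbers, no real data): a POS
# log that writes full PANs in clear, and a report holding only a masked value
# plus a Luhn-invalid id that merely looks like a card number.
SAMPLE_SOURCES = {
    "pos-app.log": (
        "2007-10-30 12:01:05 INFO order=20071030000123 amount=49.99\n"
        "2007-10-30 12:01:06 DEBUG auth card=4111111111111111 exp=1209\n"
        "2007-10-30 12:01:07 INFO settled card=5500 0000 0000 0004\n"
    ),
    "daily-report.csv": "txn_id,card,amount\n8841,411111******1111,49.99\n8842,4111111111111112,12.00\n",
}
for f in scan_sources(SAMPLE_SOURCES):
    print(f"{f.source}:{f.line_no}: cleartext PAN {f.masked_pan}")
```

Only the log lines that carry a full, Luhn-valid PAN are reported; the masked report value and the 14-digit order id are not.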
Krause also said companies have to be sticklers for network monitoring. “Usually when we see an environment for the first time, we find they are deficient in this area,” he said. “Just being able to help them understand which logs they need to have a close eye on, on a daily basis,” is a lot of work.
Finally, companies need to understand that there’s no single product or service that can alleviate an enterprise’s PCI DSS compliance woes. Every business and every network is different, and PCI DSS controls must be tailored to an organization’s particular make-up.
“I tell clients it’s not an easy process and it is an educational experience,” he said. “The requirements for every company on the path to PCI compliance are quite different. There’s no one-size-fits-all approach.”
For more advice on how best to respond when your company is hit by data thieves, check out this story from last week’s data breach roundtable discussion at the Harvard Club in Boston.
And keep an eye on SearchSecurity.com this week for another analysis we’re putting together on lessons from the TJX data breach.