This content is part of the Essential Guide: PCI 3.0 special report: Reviewing the state of payment card compliance

Essential Guide

Browse Sections
News Stay informed about the latest enterprise technology news and product updates.

PCI DSS auditors see lessons in TJX data breach

Following the recent TJX data breach, several PCI Data Security Standard auditors say the retailer violated basic requirements of the PCI DSS. But they say there are lessons to be learned from TJX's mistakes.

TJX Companies Inc. violated some of the basic tenets of the PCI Data Security Standard (PCI DSS) and according to several PCI auditors, it will pay a heavy financial price. They said companies should study the TJX security breach for clear lessons on what not to do with customer data.

Roger Nebel, director of strategic security for Washington D.C.-based FTI Consulting, said fines will almost certainly be imposed on TJX because it was clearly negligent in holding onto unencrypted cardholder data, a direct violation of the PCI DSS.

Twelve basic requirements of the PCI DSS

Build and maintain a secure network
Requirement 1: Install and maintain a firewall configuration to protect cardholder data 
Requirement 2: Do not use vendor-supplied defaults for system passwords and other security parameters

Protect cardholder data
Requirement 3: Protect stored cardholder data
Requirement 4: Encrypt transmission of cardholder data across open, public networks 

Maintain a vulnerability management program
Requirement 5: Use and regularly update anti-virus software
Requirement 6: Develop and maintain secure systems and applications

Implement strong access control measures
Requirement 7: Restrict access to cardholder data by business need-to-know
Requirement 8: Assign a unique ID to each person with computer access
Requirement 9: Restrict physical access to cardholder data 

Regularly monitor and test networks
Requirement 10: Track and monitor all access to network resources and cardholder data 
Requirement 11: Regularly test security systems and processes 

Maintain an information security policy
Requirement 12: Maintain a policy that addresses information security

Note: The PCI Security Standards Council released version 1.1 of the standard in September 2006. It clarifies the existing requirements and adds some new ones. Perhaps the most noteworthy addition is under Requirement 6, a stipulation that all custom application code be reviewed for common vulnerabilities by an organization that specializes in application security. Or, there must be a Web application firewall installed in front of Web-facing applications. This will be considered a "best practice" until June 30, 2008, and then it will be a requirement.

For more on the 12 basic requirements of the PCI DSS, check out our exclusive webcast,
PCI Compliance: Best Practices and Common Misconceptions with guest speaker Roger Nebel.

Framingham, Mass.-based TJX acknowledged in January that an attacker exploited a flaw in a portion of its computer network that handles credit card, debit card, check and merchandise return transactions.

The breach was worse than first thought, TJX officials admitted last week. The company initially believed that attackers had access to its network between May 2006 and January 2007. However, the ongoing investigation uncovered evidence that the thieves also were inside the network several other times, beginning in July 2005.

What not to do

Nebel and other PCI auditors said the breach offers some clear examples of the wrong way to treat sensitive data under the PCI DSS.

The standard sets out 12 basic security requirements, emphasizing the need for encryption, access controls and firewalls. Penalties for noncompliance range from fines of up to $500,000 to increased auditing requirements or even losing the ability to process credit card transactions.

Under the standard, Level 1 businesses -- those that process more than six million credit card transactions per year -- are subject to an annual on-site audit and quarterly network scans performed by an approved vendor. Level 2 or 3 companies that process 20,000 to 6 million credit card transactions a year must fill out an annual self-assessment questionnaire and must also have an approved vendor conduct quarterly network scans.

TJX violated basic rules

In recent interviews, several PCI DSS auditors noted that while most of their clients are achieving PCI DSS compliance, many have been forced to address serious problems along the way. When reviewing what merchants are doing to protect their customers' credit card data, auditors are typically finding that:

  • Encryption is often inconsistent across a company's computer system. Credit card data may be protected in some instances, but not others.
  • Some companies unnecessarily store credit card data and, making matters worse, fail to isolate the data from traveling across less secure parts of the network.
  • Some IT shops fail to keep a log of network activity, making it nearly impossible to spot instances where malicious hackers or anyone without authorization are trying to access credit card data.
  • Some companies don't conduct regular scans for software vulnerabilities and abnormal activity.
  • Companies that thought they were all set after complying with such regulations as the Sarbanes-Oxley Act and HIPAA discovered their controls were not adequate to meet the PCI DSS.

At the very least, TJX violated the PCI DSS by storing unencrypted cardholder data, said James DeLuccia, an independent auditor based in Atlanta, Ga.

"Credit and debit card data is something the PCI Security Standards Council will be concerned about," he said. "You're not supposed to store that kind of data, and [TJX] had it online and unencrypted."

Price will be steep

Nebel and DeLuccia said TJX will pay a high price for the breach. So will the banks that do business with the retail giant.

"You have to remember how this works -- Visa and MasterCard only have a direct relationship with the member banks," Nebel said. "They can only fine the banks."

The banks though will almost certainly pass the fines on to TJX, he said. There is a process where violators can try to recover the fines, but Nebel said the bar is set pretty high.

If you don't know where your data is traveling and where it is stored, you can't secure it.
Joseph Krause
senior security engineer AmbironTrustWave

"Before any fines are levied, Visa and MasterCard will require a forensic investigation to determine the extent and culpability," Nebel said. "The merchant must show that there was information not available to the forensic examiner that somehow shows they are not responsible."

Nebel said he's never heard of any fine being reversed.

He also said it's unlikely the public will hear details on the fines levied against the banks or TJX, and it can take anywhere from a few weeks to a few months for the forensic investigation to determine the scope and causes of such an incident, if they can be determined at all.

But in the end, DeLuccia said, TJX will end up having to spend a lot of money to put the issue to rest, namely due to numerous fines and fees, legal and otherwise.

"There's no question that 40 million accounts had problems," DeLuccia said. "The affected credit cards alone cost $25 each to re-issue. So the bank could say, 'Hey, it cost us $25 per card to re-issue 200 cards, and we're passing the bill to you.'"

TJX will also lose money from civil lawsuits, and for having to hire security firms to overhaul their systems, DeLuccia said, adding, "Even without punitive fines, they're still paying dearly."

Lessons to be learned

Fortunately for other companies, the TJX case offers plenty of lessons on how not to approach the PCI DSS, the auditors said.

The TJX data security breach

Data breach at TJX could affect millions

TJX breach worse than initially feared

Data breach law could put financial burden on retailers

If customers don't act, data will remain at risk

ID theft victim to TJX customers: Mind your data

Joseph Krause, senior security engineer for Chicago-based AmbironTrustWave, said companies first have to get a fix on where customer data is on the network, where it travels and whether or not it's encrypted.

"Understanding where the data is and where it goes is a challenge for some, but it's a very important part of PCI DSS," he said. "If you don't know where your data is traveling and where it is stored, you can't secure it."

Krause also said companies also have to be sticklers for network monitoring.

"Usually when we see an environment for the first time, we find they are deficient in this area," he said. "Just being able to help them understand which logs they need to have a close eye on, on a daily basis," is a lot of work.

Finally, companies need to understand that there's no single product or service that can alleviate an enterprise's PCI DSS compliance woes. Every business and every network is different, and PCI DSS controls must be tailored to an organization's particular make-up.

"I tell clients it's not an easy process and it is an educational experience," he said. "The requirements for every company on the path to PCI compliance are quite different.

"There's no one-size-fits-all approach."

Dig Deeper on PCI Data Security Standard