
Meet the PCI DSS, avoid being the next TJX

The seriousness of the TJX Cos. data breach became even more apparent last week, with the retail giant's admission that at least 45.7 million credit and debit cards were stolen by hackers who were able to penetrate the network over an extended period of time. Several compliance auditors said recently that TJX violated some of the basic rules of the PCI Data Security Standard (PCI DSS), leaving itself open to attack. By following PCI DSS more diligently, TJX might have been able to avoid the breach, they said. Seana Pitt, chairperson of the PCI Security Standards Council and vice president of merchant policy and data quality at American Express, says companies should look at PCI DSS as a way to avoid future TJX-sized breaches instead of as a list of rules to heed to keep the compliance police at bay. In this Q&A, she explains how PCI DSS can help companies reduce risk, and how the council is updating the standard to deal with new challenges.

We recently interviewed some PCI DSS auditors who used TJX as an example of what merchants are still doing wrong, particularly when it comes to the unnecessary storage of credit card numbers. In your view, what were TJX's biggest failures with respect to the PCI DSS?
It's hard for me to talk about TJX's specific processes because I only know their issues from what's been reported in the media. But one thing we always try to help companies understand is that they need to know where data such as PIN and credit card numbers are, and get rid of it immediately. That's the simple first step: If you're done with the data, get rid of it. There's simply no reason to store it. The journey to PCI DSS compliance is just that, a journey. You should consider dumping that stuff the first step on your journey.
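The first step Pitt describes, knowing where card numbers sit so they can be removed, is in practice a discovery scan over files, databases and logs. What follows is an added example, not code from the article or from the PCI Security Standards Council: a small Python scanner that flags Luhn-valid card numbers in text and reports them masked to the first six and last four digits, the maximum PCI DSS permits for display, so the findings themselves do not become another copy of the data. The sample log lines are constructed for the example and use well-known test card numbers.

```python
"""Cardholder-data discovery scan (added example, not the article's code).

Finds candidate card numbers (13-19 digits, optionally separated by spaces or
dashes), confirms them with the Luhn mod-10 check so order numbers and dates
are not reported, and returns them masked to first six / last four digits.
"""
import re

# Candidate PAN: 13-19 digits, single space or dash allowed between digits,
# not preceded or followed by another digit.
_PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_ok(digits: str) -> bool:
    """Return True if the digit string passes the Luhn mod-10 check."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(digits: str) -> str:
    """Keep first six and last four digits, star out the rest."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def _normalize(candidate: str) -> str:
    """Strip the separators the regex allows, leaving only digits."""
    return re.sub(r"[ -]", "", candidate)


def find_pans(text: str) -> list[dict]:
    """Scan text and return one finding per Luhn-valid card number.

    Each finding records the byte offset, the masked number and its length;
    the full PAN is deliberately never stored in the result.
    """
    findings = []
    for m in _PAN_RE.finditer(text):
        digits = _normalize(m.group())
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            findings.append(
                {"offset": m.start(), "masked": mask_pan(digits), "length": len(digits)}
            )
    return findings


def redact(text: str) -> str:
    """Return the text with every Luhn-valid card number replaced by its mask."""
    def _sub(m: re.Match) -> str:
        digits = _normalize(m.group())
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            return mask_pan(digits)
        return m.group()       # not a card number: leave untouched
    return _PAN_RE.sub(_sub, text)


# Constructed sample: three point-of-sale log lines. The first two carry
# real-looking test numbers (Luhn-valid); the third has a 14-digit order id
# and a number that fails Luhn, neither of which should be reported.
SAMPLE_LOG = """\
2007-03-28 10:01:02 POS-07 sale ok card=4111111111111111 exp=0609 amt=42.10
2007-03-28 10:02:15 POS-07 sale ok card=3782-822463-10005 amt=7.99
2007-03-28 10:03:40 POS-07 refund order=20070328123456 ref=4111111111111112
"""

if __name__ == "__main__":
    for f in find_pans(SAMPLE_LOG):
        print(f"offset {f['offset']:>4}: {f['masked']} ({f['length']} digits)")
    print(redact(SAMPLE_LOG))
```

The regex treats digits joined by a single space or dash as one candidate, so two numbers separated only by a space would be examined together; in real use the scan runs over each file or database column in turn and the offsets tell you which records to purge.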
Are a majority of merchants falling into the trap of storing too much customer data, or are you satisfied that companies are starting to grasp the importance of getting rid of it?
We've done a lot of outreach since September and since the TJX breach, and one thing I'm extremely optimistic about is that people are no longer asking why they need to comply with PCI DSS. Now they ask how to do this. The level of questions on how to implement this has risen sharply. We spoke at the CSO Interchange during RSA [held in San Francisco in February] and what came out of it is that awareness is up by 90%. And this is no longer a credit card thing. It has become about how you protect the lifeblood of your company -- the customers.
The PCI Security Standards Council formed last September as part of a wider overhaul of the PCI DSS. Talk about what the council's primary tasks are, whether it involves further updates to the standard or more extensive training and enforcement programs.
When we launched there were several criteria. One was to become a place where companies can go to ask questions and get information on the standards. There was a lot of noise in the system, so the council was set up to deal with that noise.
Requirements of the PCI Data Security Standard:

Build and maintain a secure network
Requirement 1: Install and maintain a firewall configuration to protect cardholder data
Requirement 2: Do not use vendor-supplied defaults for system passwords and other security parameters

Protect cardholder data
Requirement 3: Protect stored cardholder data
Requirement 4: Encrypt transmission of cardholder data across open, public networks

Maintain a vulnerability management program
Requirement 5: Use and regularly update anti-virus software
Requirement 6: Develop and maintain secure systems and applications

Implement strong access control measures
Requirement 7: Restrict access to cardholder data by business need-to-know
Requirement 8: Assign a unique ID to each person with computer access
Requirement 9: Restrict physical access to cardholder data

Regularly monitor and test networks
Requirement 10: Track and monitor all access to network resources and cardholder data
Requirement 11: Regularly test security systems and processes

Maintain an information security policy
Requirement 12: Maintain a policy that addresses information security

The council recently announced a membership "call to arms," encouraging members to take a greater role in the development of the next generation of the standard. Talk about what they can do to play that greater role.
There is further need for continuing clarification. You get specific questions on how to think about a given requirement. If multiple businesses come in and ask the question, it becomes apparent that something wasn't clear. In September, we added stronger language on application security because we see that as an emerging threat vector and we need to be staying ahead of the bad guys. It was also necessary to add more clarity and consistency to the guidelines. Security is an evolving process. The council wants to get more stakeholders -- merchants, banks -- to the table to help us with feedback on what implementation and security challenges are there. How do we make the PCI standard a living, breathing road map? Compliance is not a one-time experience.
Talk about the makeup of the council, in terms of the number of members and the breakdown of representation.
We have each of the five payment brands represented, and we are adding a membership participation organization with 150 members. Globally, 67% of the membership are U.S. businesses -- merchants, processors, banks, point-of-sale vendors and security vendors.
You just hired a general manager, correct?
Yes, our new general manager is Bob Russo, who will be the face of the standards council and will help me with outreach. He has more than 25 years of high-tech business management, operations and security experience. Most recently, he served as the vice president of commercial sales for Secure Info, a provider of security, risk and compliance services and software. He was also a founder of a number of software and security companies, including Network-1 Software & Technology and ATC Security. His presence and leadership will further our goal of engaging key stakeholders. His previous experience managing the compliance of payment industry merchants, issuers, acquirers and service providers while maintaining relationships with the credit card payment brands made him a natural choice for this position.
What are some of the specific projects now under way?
We are currently laying out a calendar for getting input on the next generation of the standard. Big companies are starting to get it. Now we need to help guide the small-to-medium-sized businesses. They tend to not be as sensitive as the bigger companies to the threats out there and they are not as aware of PCI DSS. The small restaurant owners are not necessarily going to be thinking about this the same way a large financial firm is. If the restaurant, for example, is going to be buying a new point-of-sale system, we want to be there to help them make the right choices and ensure the right level of security.
If they are not paying as much attention as the bigger guys, how do you help them with that?
We are working on a specific set of standards for point-of-sale vendors, standards as to what must be in this technology and what the vendor must do to be in compliance with PCI DSS. That is one of the big business initiatives for us right now.
