Why Do Bad Things Happen to PCI-Compliant Companies?

Caution: Just because your company has a payment card industry (PCI)compliance certificate, don’t assume your data is perfectly safe and secure. Youcan still suffer a breach.

That’s the lesson recently learned by retail clothing company Forever21. Company officials posted a notice onthe company’s Web site last month telling customers of a data breachinvolving 98,000 credit cards. Forever 21 was PCI compliant at thetime of the breach, according to a written statement the companyreleased.

Being PCI compliant does not guarantee that a firm is immune from abreach. A recent study entitled “Cost of Compliance” disclosed that 95 percent of surveyed firms were not confident they would be safe from a data breach even if they were PCI compliant.

Two other store chains — Hanover Foods and TJ Maxx — offer furtherexamples of PCI compliance shortfalls, though in the case of TJ Maxx, thestore was in the process of achieving full compliance when the incident occurred. The list of companies with similar PCI complaint breaches grows larger all the time.

“A common theme I see is a tremendous amount of subjectivity is usedin applying the PCI standards,” Chris Konrad, senior vice president ofclient services for security and risk management firm Fortrex, told the E-Commerce Times.

Inexact Science

Part of the problem is a lack of constant, vigilant oversight of one’s compliance status, Konrad noted. A company can be PCI complaint today but fall out of compliance next week.

Another part is that qualified security assessors don’t all performthe same way. Security auditors come from a variety of backgrounds. Someare from IT, others from engineering industry, according to Konrad.

“All QSAs (Qualified Security Assessors) take the same courses taught by the same instructors and pass the same exams. Yet you take 10 QSAs and will get 10 differentinterpretations of a rule,” Konrad said.

Know What’s Up

In data breach cases involving PCI-compliant companies, the firm itself is not necessarily the only entity responsible for what went wrong. PCIcompliance is only as good as the efforts to maintain them.

“The key thing to understand is that it is an ecosystem. Each partyplays a part in a game. You can’t put all the blame on the retailers,”Kim Singletary, director of retail and embedded systems for ITenvironmental control firm Solidcore, told The E-Commerce Times.

The key to preventing data breaches after reaching PCI compliance isknowing your infrastructure and what is changing, she said.Battening down the security landscape involves doing more thanfocusing on stolen laptops and hackers breaking into networks.

“Especially in the payment merchant field, much upgrading is needed.We need to rethink the viewpoint on what happens when the credit cardhits the swipe machine,” said Singletary. “There is no perimeteranymore when you assess security risk. All of that is degrading. Nowthere are too many points of connection.”

PCI Shortcomings

Cases like those of Forever 21, Hanover Foods and TJ Maxx point to theshortcomings of the PCI certification process. However, in the absence ofbetter security practices, PCI is better than no precaution at all.

“PCI is not a panacea. It is a guideline for better security. Theimplementation of the regulations is getting better and tighter,”Mandeep Khera, chief marketing officer for Cenzic, told the E-CommerceTimes.

The payment card industry will continue to see more cases of databreaches despite PCI compliance, he said. PCI assessments are notperfect, and the problem lies in their execution.

“We have a long way to go, but it is getting better,” said Khera.”Previously, Web application security was totally ignored, as was WiFisecurity.”

New Regs Helpful

The refinements to the PCI Standards 1.2 that went into effect Oct. 1may or may not bring a reduction in data breaches, noted Konrad. Thenew regulations may help QSAs and company IT workers provide bettermonitoring of factors that change risk levels after PCI compliance isissued.

However, “What the end user needs to know is that once compliance is attained,anything new added to the mix changes that compliance qualification.For instance, if you add a new employee or add a server, or anythingthat changes the assessment can cause a non-compliant state,” heexplained.

A basic solution is for businesses to worry less about PCI complianceand concentrate more on their security, he said.

More Awareness

The cheapest security measure that an enterprise has is constant employeetraining and awareness of the circumstances, according to Konrad.Companies need a sound security and compliance policy adopted fromthe top down.

“It needs to be in the corporate DNA. In many cases it isn’t. Thefundamental problem is that corporations don’t follow up,” he said.

Singletary sees a degradation of the retail infrastructure at the root of compliance problems. Companies are not keeping up to date with technology, and the industry is moving at a pace that nobodyunderstands, she said.

The real solutions are found in being able to do real-time monitoringand the ability to check out runtime events, Singletary said.

Consumer Backlash

Ultimately, fewer data breaches may come as a result of consumermandates. Retailers could start feeling their customers’ pain ifpayment card processors do not go beyond the intent of PCIregulations.

“Lots of people have their head in the sand over this. Consumers needto be up in arms over this. These security lapses will cost taxpayershigher credit and processing costs when they do card transactions,”Singletary said.