Thursday, October 7, 2010

PCI DSS

The report on the TJX case that we are currently studying in class mentions that TJX had failed to comply with 9 of the 12 requirements of the Payment Card Industry Data Security Standard (PCI DSS). Coincidentally, I came across the article that I posted below, which explains that there appears to be a direct relationship between security breaches and non-compliance with the PCI standard.

Verizon recently released its 2010 Payment Card Industry Compliance Report, which evaluated how well various organizations met the PCI standard. One of its main findings was that organizations that had suffered a security breach were 50% more likely not to be in compliance. This makes perfect sense: an organization that does not comply with these standards is missing major components of a complete security program.

The 12 requirements of the PCI DSS are:
1) Install and maintain a firewall configuration to protect data.
2) Do not use vendor-supplied defaults for system passwords and other security parameters.
3) Protect stored data.
4) Encrypt transmission of cardholder data and sensitive information across public networks.
5) Use and regularly update anti-virus software.
6) Develop and maintain secure systems and applications.
7) Restrict access to data by business need-to-know.
8) Assign a unique ID to each person with computer access.
9) Restrict physical access to cardholder data.
10) Track and monitor all access to network resources and cardholder data.
11) Regularly test security systems and processes.
12) Maintain a policy that addresses information security.
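Requirements 3 and 10 are the ones that most often end up implemented in application code rather than in policy. As an added example (not from this post, the Verizon report, or the linked article), the Python below shows three defender-side controls that map to them: a Luhn check to recognise a primary account number (PAN), display masking that keeps only the first six and last four digits (the limit PCI DSS itself sets for displayed PANs), a keyed one-way hash so a PAN can be used as a lookup key without being stored, and a scanner that flags unmasked PANs leaking into log lines. The key, the log lines, and the card numbers (industry test numbers, not real accounts) are constructed for the demo.

```python
import hashlib
import hmac
import re
from typing import List, Tuple

# Constructed key for the demo; a real deployment would keep this in an HSM or
# key-management service (requirement 3 also covers key management).
DEMO_KEY = b"constructed-demo-key-not-for-production"

# Candidate PAN: 13 to 19 digits, optionally separated by spaces or hyphens,
# not embedded in a longer digit run.
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_valid(pan: str) -> bool:
    """Luhn check: true for well-formed card numbers, false for most random digit runs."""
    digits = [int(c) for c in pan if c.isdigit()]
    if not 13 <= len(digits) <= 19:
        return False
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Display masking as PCI DSS specifies: at most the first six and last four digits visible."""
    digits = re.sub(r"\D", "", pan)
    if not 13 <= len(digits) <= 19:
        raise ValueError("not a PAN-length digit string")
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def pan_token(pan: str, key: bytes) -> str:
    """Keyed one-way hash (HMAC-SHA256) usable as a lookup key without storing the PAN."""
    digits = re.sub(r"\D", "", pan)
    return hmac.new(key, digits.encode("ascii"), hashlib.sha256).hexdigest()


def find_exposed_pans(text: str) -> List[str]:
    """Return every Luhn-valid PAN that appears unmasked in a piece of text."""
    hits = []
    for m in PAN_RE.finditer(text):
        candidate = re.sub(r"\D", "", m.group(0))
        if luhn_valid(candidate):
            hits.append(candidate)
    return hits


def audit_log(lines: List[str]) -> List[Tuple[int, str]]:
    """Requirement-10 style check: report (line number, masked PAN) for every leaked PAN."""
    findings = []
    for lineno, line in enumerate(lines, start=1):
        for pan in find_exposed_pans(line):
            findings.append((lineno, mask_pan(pan)))
    return findings


# Constructed log lines using industry test card numbers, not real accounts.
# Line 1 leaks a full PAN, line 2 is correctly masked, line 3 holds a phone
# number and a digit run that fails the Luhn check (neither should be flagged).
SAMPLE_LOG = [
    "2010-10-07 12:00:01 order=1001 pan=4111111111111111 amount=49.99",
    "2010-10-07 12:00:02 order=1002 pan=411111******1111 amount=12.50",
    "2010-10-07 12:00:03 order=1003 phone=555-123-4567 ref=4111111111111112",
]

if __name__ == "__main__":
    for lineno, masked in audit_log(SAMPLE_LOG):
        print(f"line {lineno}: unmasked PAN found; it should have been logged as {masked}")
```

The scanner combines a digit-run pattern with the Luhn check so that timestamps, order numbers and phone numbers do not produce false positives; running it over application logs before they leave the cardholder data environment is a cheap way to catch the "protect stored data" failures the report found most common.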

Among the organizations assessed in Verizon's report, requirements 3, 10, and 11 were the least implemented: only 43% of organizations properly protected stored data, only 39% tracked and monitored access to network resources and cardholder data, and only 38% regularly tested security systems and processes. This information is a little unsettling to me as a credit card user. Also alarming is the fact that only 22% of organizations met all of the requirements, and 11% did not even meet half of them. This means that when you pay with your credit card, there is almost an 80% chance that your personal information will not be secure. Hopefully the data presented in this report will convince organizations of the importance of PCI compliance, and they will make an effort to improve their payment card security so that we can use our credit cards without fear of our personal information being compromised.

4 comments:

  1. It looks like I forgot to paste the article in this post, sorry!

    Here it is:
    http://searchsecurity.techtarget.com/news/article/0,289142,sid14_gci1521315,00.html

  2. How will this report change a thing? I have a hard time understanding why these standards are still not being given the attention that they deserve. The TJX case we read in class was a high profile case that made national news. Why was this case not a wake-up call that caused companies to understand that there may be holes in their own security systems? This case occurred in 2006, but in 2010 reports are still being written to show that many corporations skip corners on their security systems and do not follow the standards mentioned. Reading first the TJX case and then this article only makes me wonder what will be the event that shakes the system and makes people realize how important these standards really are.
    As a credit card user, hearing statistics like this scares me. The question is what can we do about it? It is impossible to stop using credit cards completely. Society has become so reliant on the plastic as a method of payment. Because of this, there is no incentive for companies to make changes. People are still going to go to these stores and use their credit cards to pay for the items they purchase. I am afraid that it will be difficult to make the companies listen. Unless people stop using their cards to pay for purchases at the store, the corporations may continue to be loose with their security standards. I'm nervous that it may be very difficult to get the attention of the corporations. The TJX case did not get their attention. Will this report do what that case failed to do?

  3. This article is very interesting and definitely eye-opening. I agree with kmckiern that the Verizon report may not be as effective as we would like because companies do not really have an incentive to invest in tighter security measures. With a large profitable company, perhaps dealing with the consequences is cheaper than trying to avoid the risk. It is unlikely that consumers will stop paying with credit cards altogether; however, I assume most consumers are not aware that their credit card information is very much at risk. They probably do not know what PCI standards are, so I think a lot of people just assume there will be no problem. After all, credit cards are supposed to be safe compared to debit cards or carrying around a large sum of cash.

    I do think there is a possible way to force companies to address their security weaknesses: mandatory PCI DSS participation and annual performance disclosure. If companies dealing with card transactions were mandated (perhaps governmental action would be most effective) to comply with PCI DSS, that would at least get everyone on the same page. Further, the company should release some sort of annual report that discloses whether or not the standard was met. The report should be signed by a member of the PCI Security Standards Council, the body that oversees the PCI DSS, to ensure everything is accurately represented. I know our TJX case mentioned something about the auditor failing to point out the system weaknesses, but it was vague as to who employed the auditor.

    At first, companies might see the reporting and disclosure process as a nuisance, but similar to financial reporting standards or internal control audits, there will be a smaller chance of non-compliance, especially if it needs to be signed off on by a third party. Also, annual reviews would allow companies (and the general public) to identify which standards need to be addressed.

  4. It seems ridiculous that after TJX, a very prominent company, suffered a breach in 2006 that compromised the security of its customers, other companies continue to take shortcuts when it comes to running a secure network. The Payment Card Industry Data Security Standard (PCI DSS) is a compilation of the recommendations by PCI to properly establish and maintain information security. The article addresses that most companies fail to comply with the protection of stored data, the monitoring of network access, and the regular testing of security systems and processes. With the TJX case study we found how the security of many customers can be compromised when stored data is not secure. Also, monitoring network access is essential because IT staff would be able to catch any intruders and track them down before they could make off with information. Even if the IT staff could not prevent the theft of the information, they would have a better chance of controlling the breach and solving the problem sooner. Finally, having all the proper security systems is great so long as they are up and running. It is also important to make sure that they are updated so as to help prevent being hacked.
    The article on the PCI Compliance Report tells how only 22% of companies met all of the requirements. With information security at risk, one would hope that these companies would have learned from the mistakes made by TJX and realized that this lack of attention towards information security is not only detrimental to customers but to the company as a whole.
