TJX Breach Helped PCI Compliance
But More Work Necessary to Secure Customer Data, Confidence
Had the TJX data breach not occurred, the increased push by retailers to comply with the Payment Card Industry Data Security Standard (PCI-DSS) might not have happened either. This much-publicized incident appears to be the one that has most spurred merchants and financial institutions to recognize the need for stronger data security.
Proof of this interest in complying with PCI-DSS came at the PCI Security Standards Council's community meeting in Toronto, Canada last month, where the level of discussion increased dramatically, says Joseph Lindstrom, a senior director in the compliance consulting area at Symantec.
"TJX has clearly been a wake-up call for the merchant and payment card industries," Lindstrom says. "It is the watershed event of the past three years. My sense is that it will have a profound effect on the psyche of the merchant and service provider communities, and that it makes everyone take security more seriously. It's now a realization for those companies out there that data breaches will happen. It's not a matter of if, but a matter of when a breach will occur, and they must be prepared."
This was the first meeting of all the stakeholders in the Payment Card Industry. Among the topics discussed:
- Important updates on the Council's feedback process for the Data Security Standard (DSS) version 1.1
- Soon-to-be released Self-Assessment Questionnaire version 1.1
- Payment Application Data Security Standard (known under Visa as PABP and PASS)
- PIN Entry Device (PED) Program
- Quality assurance initiative for the Council's Qualified Security Assessors (QSA) and Approved Scanning Vendors (ASV) Programs
Council committee members also made public responses to many of the more than 1200 questions on data security submitted by organizations from around the world.
One change to the Self-Assessment Questionnaire that Lindstrom sees as an important step in the right direction is the creation of four levels of the questionnaire, to better match the security and technology that merchants and other companies actually have in place. "When it comes to the self-assessment questionnaire, one size does not fit all," Lindstrom says.
With smaller merchants now being targeted by credit card fraudsters, he notes the need for services and technology-based solutions aimed at smaller merchants and companies. "These solutions need to be cost-effective and affordable to the smaller companies."
More important to the PCI compliance movement is the need for retailers (and financial institutions) to change their approach to PCI compliance. "It's not just getting the SAQ filled out and submitted, or getting the quarterly scan out of the way, but to create real security," Lindstrom says.
Getting C-Level Interest
Compliance, he stresses, is not a one-time event; a more holistic approach is needed. While roughly 40 percent of Tier 1 merchants are in compliance with PCI-DSS, and good progress has been made over the past year, Lindstrom says more can be done.
"What I've seen in terms of compliance is that two years ago there was less interest in complying with the PCI standard. Retailers would just say, 'Okay, we'll pay the fines'," Lindstrom notes.
Now that the fines have increased, and interchange fees have risen for those that aren't in compliance, things have shifted. "It also didn't hurt that the media coverage of the TJX breach, along with other major data breaches, has certainly gotten the C-level executives' attention, and deservedly so," he says.
Lindstrom points to a recent survey of business leaders, which reports, "Even the leaders (60% of them) anticipate a breach will occur at their firm. Even if they do have good security policies, practices and technologies in place, breaches will happen."
The bottom-line impact for banks and credit unions when it comes to securing information: "The institution needs to consider their customers," Lindstrom says. "If my information has been compromised, and I don't get resolution of my question about how the data was compromised, I will certainly think twice about taking my business and money elsewhere. A solid explanation of what you're doing to secure information is absolutely critical to securing consumer confidence. Then back up your words by doing it."
Question: What impact, if any, did the TJX breach have on your organization's progress in PCI Compliance? Share your view with editor Tom Field.