PCI DSS Object Lessons
Submitted by andyeliason, Fri, 13 Jun 2008
The PCI DSS, or Payment Card Industry Data Security Standard, was created by the five major credit card companies as a measure by which merchants can determine their level of security around sensitive information. In our modern business environment, identity is extremely valuable and often targeted by the unscrupulous. PCI compliance requires any merchant that stores, processes or transmits this kind of data to put in place the security necessary to protect consumer identity and personal information.
Recent history has given us some specific object lessons about what happens when you comply with the PCI DSS, or, more specifically, what happens when you don't. The most famous case is, without a doubt, the TJX Companies incident. Beginning in July 2005, hackers found and exploited some very damaging vulnerabilities in the company's systems. Over a period of some 18 months they downloaded an estimated 100 million credit card numbers. So what exactly went wrong? Some of the findings from the investigation point out that TJX had indeed failed to comply with a number of the PCI DSS requirements. To begin with, it was determined that the company collected personal information it did not need (in this case, driver's license numbers and other personal data), and it kept this data indefinitely. So when the system was compromised, all these credit card numbers and lists of personal information were just waiting to be stolen. According to the PCI DSS, a merchant may retain only the information that is absolutely necessary for business or legal reasons, and that information must be properly and regularly removed from the system. It was also discovered that although TJX did have an encryption protocol in place, it was an older protocol that is easily cracked. The company was in the process of switching to a stronger encryption system, but the move was too slow; sensitive data could have been isolated on a protected system while the necessary changes were made to the rest of the network. This did not happen, and the security around sensitive information was easily bypassed. The findings also pointed out that TJX should have monitored its systems better, and that if it had, it should have been aware of the intrusion before December 2006. As this shows, TJX failed to comply with a number of the PCI DSS requirements, and it will cost them. Some estimates put the figure in the hundreds of millions of dollars once lawsuits, call center costs, and all the fines and penalties are taken into account.

Now, as a comparative PCI DSS object lesson, we have another famous case. This one deals with the Hannaford chain of grocery stores. The interesting thing about this security breach is that the grocery store chain had recently been certified as PCI compliant. So what does this teach us about the PCI DSS? Is it really a strong enough security measure? Is it really doing any good? The simple fact of the matter is that there are hackers out there working continually to get past your security measures, and the only real way to fight back is constant maintenance, management, and vigilance. But here's the big difference between the Hannaford breach and the TJX breach: Hannaford was not storing the social security numbers, names, addresses, and driver's license numbers of its customers. That means the damage done to the grocery store and its customers was significantly less than what happened to TJX customers. So, yes, a breach happened to both of these companies. And yes, there's probably someone out there who can crack any security system, but by following the PCI DSS guidelines one company was able to limit the damage done and hold on to its reputation as a company that is trying its best to protect its customers' interests.

About the Author
Andy Eliason is a writer at Main10, Inc. If you'd like to learn more about the PCI DSS or PCI compliance, visit Braintree Payment Solutions today.
Source: ArticleTrader.com