PCI DSS 3.0 compliance deadline approaches. Will it make any difference?

Taylor Armerding


Don't expect credit card security or lack of it to be magically transformed when the new year dawns on Jan. 1, 2015, the deadline for compliance with the Payment Card Industry Data Security Standard (PCI DSS) 3.0.

The standard, which sets security requirements for all companies that access, store or transmit cardholder data (CHD) and personally identifiable information (PII), was published nearly a year ago, on Nov. 7, 2013, and has technically been in effect all of this year.

Yet high-profile breaches of credit card data continue with alarming regularity.

Retailer Target suffered one of the largest breaches in history, with 40 million credit card numbers and 70 million personal information records stolen last December, less than a month after the latest version of the standard was published.

More recently, P.F. Chang's, the thrift store operations of Goodwill Industries International and Supervalu, owner of hundreds of grocery and liquor stores, have been successfully hacked.

Supervalu said there was also a related intrusion into stores it sold in March 2013 to Cerberus Capital Management but to which it still provides IT services, including Albertsons, Acme, Jewel-Osco, Shaw's and Star Market.

But in spite of that sobering reality, analysts tend to agree that the new standard (see sidebar below) provides a blueprint for best practices that, if observed in a "business as usual" way, will prevent most breaches.

Indeed, Bloomberg Businessweek reported in March that if Target had been more observant, it could have prevented the historic breach. The company was prepared for an attack, with a $1.6 million malware detection tool made by security firm FireEye, but failed to respond to its warnings.

"As (hackers) uploaded exfiltration malware to move stolen credit card numbers ... FireEye spotted them. Bangalore got an alert and flagged the security team in Minneapolis. And then ... nothing happened," Bloomberg reported. "For some reason, Minneapolis didn't react to the sirens."

Those warnings came before the hackers had transmitted any of the stolen data, which means the company could have avoided more than 90 lawsuits, expenses that could reach into the billions, a staggering loss of market share and brand damage if it had simply responded to the alerts from its compliant system.

Bob Russo, general manager at the PCI Security Standards Council (SSC), which develops and publishes the standards, has a measure of sympathy for Target. He said he has multiple layers of security at his three-family home in New York City. "We checked all the boxes," he said.

Yet, at 5 a.m. one morning, "somebody pranced in and walked out with a laptop. Thankfully it was encrypted," he said. "But how did that happen? We forgot to do something the night before."
