The impact of the PCI DSS violation at TJX


An article saying that fines will almost certainly be imposed on TJX, the retailer from which customer data was leaked.
PCI DSS auditors see lessons in TJX data breach

By Bill Brenner, Senior News Writer
01 Mar 2007 | SearchSecurity.com

TJX Companies Inc. violated some of the basic tenets of the PCI Data Security Standard (PCI DSS) and according to several PCI auditors, it will pay a heavy financial price. They said companies should study the TJX security breach for clear lessons on what not to do with customer data.

Roger Nebel, director of strategic security for Washington D.C.-based FTI Consulting, said fines will almost certainly be imposed on TJX because it was clearly negligent in holding onto unencrypted cardholder data, a direct violation of the PCI DSS.

:

When reviewing what merchants are doing to protect their customers' credit card data, auditors are typically finding that:

- Encryption is often inconsistent across a company's computer system. Credit card data may be protected in some instances, but not others.
- Some companies unnecessarily store credit card data and, making matters worse, fail to isolate the data from traveling across less secure parts of the network.
- Some IT shops fail to keep a log of network activity, making it nearly impossible to spot instances where malicious hackers or anyone without authorization are trying to access credit card data.
- Some companies don't conduct regular scans for software vulnerabilities and abnormal activity.
- Companies that thought they were all set after complying with such regulations as the Sarbanes-Oxley Act and HIPAA discovered their controls were not adequate to meet the PCI DSS.

At the very least, TJX violated the PCI DSS by storing unencrypted cardholder data, said James DeLuccia, an independent auditor based in Atlanta, Ga.

"Credit and debit card data is something the PCI Security Standards Council will be concerned about," he said. "You're not supposed to store that kind of data, and [TJX] had it online and unencrypted."

"If you don't know where your data is traveling and where it is stored, you can't secure it." (Joseph Krause, senior security engineer, AmbironTrustWave)

About this Entry

This page contains a single entry by kenia published on March 7, 2007 at 09:47.