Wednesday, July 29, 2009

Data Breaches Challenge The Meaning Of PCI Compliance

Network Solutions, a domain registrar and e-commerce Web site host for small retailers, reported a data breach Friday that may have impacted 573,928 cardholders and 4,343 of its more than 10,000 merchant Web sites. The breach affected transactions occurring on the merchant sites between March 12, 2009 and June 8, 2009.

The company set up a Web site to answer e-commerce retailers’ questions about the breach. It also issued a statement that read in part, “At this point, we have no reports or other reasons to believe that any credit card account information has been misused.”

Yet another data breach in the retail industry raises, again, the larger question of what PCI compliance is actually worth. How meaningful is the designation when it records only a snapshot in time? As retailers well know, a company can be PCI-compliant one day, one hour even, and not the next.

An investigation is ongoing, but in this case Network Solutions was deemed PCI-compliant in October and cited that fact in its statement. The PCI Security Standards Council (PCI SSC) essentially gave its standard reply: “Oh, really?” The PCI SSC routinely asserts that no PCI-compliant firm has ever been breached.

Both may be right. Network Solutions held the PCI-compliant designation. But an assessment attests only to the controls in place on the day it was performed; unless the company kept every one of those controls in force every day since October, the PCI SSC can still say the environment that was breached was not compliant, since a designation earned one day is not guaranteed the next. What does that say about the value of being PCI-compliant?

There has to be a better system for retailers to secure cardholder data. I’m working on a story examining tokenization, one possible way to reduce the amount of cardholder data a retailer holds and, with it, the reach of its PCI concerns. If you’re a retailer currently using tokenization, or a vendor offering the service, contact me if you’d like to offer insights.
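The tokenization approach mentioned above, as an added example that is not code from the original post, from Network Solutions, or from any vendor: a toy vault that hands the merchant a random surrogate and keeps the card number (PAN) itself, beside the unkeyed-hash shortcut that is sometimes sold as “tokenization” and can be reversed by brute force once the issuer BIN and last four digits are known. The card number is a constructed test value; the vault design, its encryption at rest and the HMAC-keyed index it would use in production are assumptions, not a description of any product.

```python
"""Toy card-data tokenization vault (added example; assumed design).

Only the vault ever sees the PAN. The merchant stores a token that keeps
the last four digits for receipts and lookups but is otherwise random and
carries no information from which the PAN can be recomputed.
"""
import hashlib
import re
import secrets
from typing import Dict, Optional

# Constructed test card number (a standard Visa test PAN), not a real account.
TEST_PAN = "4111 1111 1111 1111"


def normalize(pan: str) -> str:
    """Strip spaces and dashes from an entered card number."""
    return re.sub(r"[\s-]", "", pan)


def luhn_ok(pan: str) -> bool:
    """True if a digits-only PAN of plausible length passes the Luhn check."""
    if not pan.isdigit() or not 13 <= len(pan) <= 19:
        return False
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:                      # every second digit from the right is doubled
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def random_token(pan: str) -> str:
    """Surrogate with the PAN's length and last four digits, random elsewhere,
    and forced to FAIL Luhn so it can never be mistaken for a real card."""
    tail = pan[-4:]
    while True:
        body = "".join(str(secrets.randbelow(10)) for _ in range(len(pan) - 4))
        token = body + tail
        if not luhn_ok(token):
            return token


class TokenVault:
    """The one system holding PANs. Assumed here: in production the PANs are
    encrypted at rest and the reverse index is keyed by an HMAC under a
    vault-held key; both are left out to keep the mapping logic visible."""

    def __init__(self) -> None:
        self._pan_by_token: Dict[str, str] = {}
        self._token_by_pan: Dict[str, str] = {}

    def tokenize(self, raw_pan: str) -> str:
        pan = normalize(raw_pan)
        if not luhn_ok(pan):
            raise ValueError("not a valid card number")
        if pan in self._token_by_pan:        # same card always maps to the same token
            return self._token_by_pan[pan]
        token = random_token(pan)
        while token in self._pan_by_token:   # vanishingly rare collision
            token = random_token(pan)
        self._pan_by_token[token] = pan
        self._token_by_pan[pan] = token
        return token

    def detokenize(self, token: str) -> Optional[str]:
        """Only the payment step, not the merchant's web tier, should call this."""
        return self._pan_by_token.get(token)


def hash_token(pan: str) -> str:
    """The shortcut to avoid: an unkeyed hash of the PAN used as a 'token'."""
    return hashlib.sha256(normalize(pan).encode()).hexdigest()


def recover_pan_from_hash(digest: str, bin6: str, last4: str) -> Optional[str]:
    """Recover a 16-digit PAN from its hash by brute-forcing the six middle
    digits, given the issuer BIN and last four (both routinely kept in the
    clear). At most 10**6 candidates, a fraction of which pass Luhn."""
    for mid in range(1_000_000):
        candidate = f"{bin6}{mid:06d}{last4}"
        if luhn_ok(candidate) and hash_token(candidate) == digest:
            return candidate
    return None


if __name__ == "__main__":
    vault = TokenVault()
    tok = vault.tokenize(TEST_PAN)
    # What the merchant's database keeps: no PAN anywhere in the record.
    order = {"order": "A-1001", "card_token": tok, "display": "**** " + tok[-4:]}
    print(order)
    print("vault resolves token:", vault.detokenize(tok) == normalize(TEST_PAN))
    pan = recover_pan_from_hash(hash_token(TEST_PAN), "411111", "1111")
    print("hash 'token' reversed to PAN:", pan)
```

The design point is where the secret lives: a random token is worthless without the vault's mapping, so a breach of the merchant’s web and order systems yields nothing card-related, and only the vault remains a cardholder-data environment. A hash of the PAN, by contrast, is just the PAN in a different encoding once the attacker knows the BIN and last four.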

6 comments:

  1. In theory, PCI is good for retailers. Security is expensive, but PCI sets a minimum standard that everyone must adhere to, discouraging competitors from cutting corners to maximize profits. By the way, while speaking about data security, I need to note that the most reliable service for data sharing is iDeals virtual data room software.

  2. It is superior to encryption. This is a direct result of the simplicity of this approach compared to encryption. It doesn't require complex key management, unlike encryption. But its real advantage lies elsewhere. https://goo.gl/I2bx8k
