Network Solutions, a domain registrar and e-commerce Web site host for small retailers, reported a data breach Friday that may have impacted 573,928 cardholders and 4,343 of its more than 10,000 merchant Web sites. The breach affected transactions occurring on the merchant sites between March 12, 2009 and June 8, 2009.
The company set up a Web site to answer e-commerce retailers’ questions about the breach. It also issued a statement that read in part, “At this point, we have no reports or other reasons to believe that any credit card account information has been misused.”
Yet another data breach affecting the retail industry raises, once again, a larger question about the true value of PCI compliance. How meaningful is it to be PCI-compliant when the designation is only a snapshot in time? As retailers well know, a company can be PCI-compliant one day, or even one hour, and not the next.
An investigation is ongoing, but in this case, Network Solutions was deemed PCI-compliant in October and cited this fact in its statement. The PCI Security Standards Council (PCI SSC) essentially gave its standard reply: “Oh, really?” The PCI SSC routinely asserts that no PCI-compliant firm has ever been breached.
They both might be right. Network Solutions did hold the PCI-compliant designation. But an October validation says nothing about the state of the company's controls between March and June, so unless it maintained every one of those controls every day since October, the PCI SSC could also be correct: a PCI-compliant designation one day is not guaranteed the next. What does that say about the value of being PCI-compliant?
There has to be a better system for retailers to secure cardholder data. I’m working on a story examining tokenization, one possible alternative to PCI compliance concerns. If you’re a retailer currently using tokenization, or a vendor offering the service, contact me if you’d like to offer insights.