PCI compliance often ineffective in stopping data thieves

In concept, at least, the Payment Card Industry Data Security Standards form a useful and necessary layer of protection, well designed for the specific task of repelling thieves from getting their mitts on credit- and debit-card account numbers and PINs.

Now come the Ponemon Institute and tech security firm Imperva with results of a survey underscoring what cyber criminals — and merchants and banks — know all too well: PCI is having only a limited effect.

PCI is a set of voluntary requirements established by Visa and MasterCard to help organizations protect cardholder information. Merchants and financial firms that don’t comply with PCI rules can be fined by Visa and MasterCard.

Ponemon and Imperva surveyed more than 500 companies globally that cumulatively generate annual revenues of $5.6 billion and found:

  • 71% of companies do not treat PCI compliance as a strategic initiative, yet 79% have experienced a breach.
  • 55% only focus on credit card information and do not secure Social Security numbers, driver’s license numbers, and bank account details.
  • Consumers are more at risk doing business with smaller companies: only 28% of these comply with PCI as opposed to 70% of companies with 75,000 or more employees.

Verizon’s forensics show similar pattern

Imperva’s findings fit hand-in-glove with Verizon’s 2009 Data Breach Investigations Report. LastWatchdog highly recommends that anyone curious about commonalities in actual database breaches read Verizon’s 2009 report and its predecessor, the 2008 Data Breach Investigations Report.

Verizon closely examined patterns in more than 590 data breach cases from 2004 through 2008, in which 515 million records — mostly payment card data — were ripped off. In each of these cases, Verizon was hired to do a CSI-like forensic probe. Its crack investigators found, among other things, that 81% of the companies breached in 2008 did not comply with PCI.

TJX, parent company of TJ Maxx and Marshalls, was famously not in compliance with PCI rules in 2007, when hackers extracted some 94 million cardholder records over the course of approximately eight months, then a record.

But the Hannaford Brothers grocery store chain was in compliance when it lost 4.2 million cardholder records. So, too, was Heartland Payment Systems when it ignominiously broke TJX’s record, losing 130 million payment card records over a period of 13 months. Alberto Gonzalez of Miami has pleaded guilty to playing a role in the TJX hack, and faces charges related to the Hannaford and Heartland hacks.

Going through the motions

Heartland “went through the motions without actually implementing a meticulous and rigorous data security program,” says Imperva CEO Shlomo Kramer. “Companies that don’t use PCI as a strategic initiative will cover only credit card numbers and not other data that’s equally problematic to lose like Social Security numbers.”

Kramer notes that the PCI rules only require companies to focus on payment card data; other data, such as Social Security numbers, birth dates and driver’s license numbers, isn’t covered.

Still, PCI is having a positive impact by “bringing security to the table and forcing companies to think about data protection,” says Kramer. “Many companies (27% in our survey) have used PCI to force data security high onto the executive and corporate priority list.”

Photo of Kramer by Imperva; graphic by http://www.thewebshop.ca/home

By Byron Acohido