TJX Lesson: PCI Compliance Might Stop Data Breaches
Two members of the PCI Standards Council who are database security experts say the way to prevent a TJX-type breach from happening at your institution is simple -- be compliant with the Payment Card Industry Data Security Standard.
"The Canadian report was interesting. It focused on three things in its best practices for storing sensitive data," says Phil Neray, a vice president at Guardium. "TJX was cited for not having an active monitoring process. We also recommend a multi-layered security approach." He likened this to the layered defenses of a castle: first a moat, then a drawbridge, then a gate. "What might get through one layer will hopefully get stopped at the next layer," Neray adds.
Most companies have a solid "traditional" perimeter security setup, but have been slow to adopt newer technology such as database monitoring. "Had TJX had some type of active monitoring in place, the breach would have been detected sooner, rather than going on for months and months."
Neray also points to the Canadian report, which mentions that TJX was not compliant with PCI. "VISA has published information that shows the majority of level one and level two retailers are not yet in compliance with PCI-DSS," he says. (See VISA's press release on compliance levels: VISA PCI Release.)
On TJX's lack of compliance, Neray notes, "Certainly there is a lot more they could be doing to get control of their data."
Was TJX too slow to move to the required WPA wireless standard? "There will always be holes in the environment where hackers or insiders can exploit data," Neray says. "If you have active monitoring in place, this allows you in almost every situation to detect when an intruder is cutting through your layered defenses."
The problem is not just the data, but the amount being kept. "Organizations are storing increasingly more data about their customers, keeping the records for longer time periods, which explains the deployment of large storage area networks," says Amichai Shulman, an expert on the Payment Card Industry (PCI) Data Security Standard and CTO at Imperva, an application data security company.
Shulman agrees with Neray about the need for more than just perimeter security. "While it is important that organizations protect the perimeter of their IT systems against intruders (in the case of TJX, they should have implemented better encryption and access control on their WiFi networks), measures should also be taken to protect the data itself in the event that perimeter defense is compromised. This includes encryption and obfuscation of some data, as mandated for example by the PCI-DSS, as well as real-time monitoring and alert capabilities on suspicious and abnormal access to sensitive data."
Had TJX implemented measures to track access patterns to the credit card numbers and driver's license numbers in its database, says Shulman, the story might have ended differently. "By looking at the time of day, source application and amount of extracted information, they might have detected the breach earlier, saving themselves a lot of money and saving their customers a lot of trouble."
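As an added illustration (not code from the article, Guardium or Imperva) of the access-pattern monitoring Shulman describes, the toy monitor below reads constructed database audit records and flags reads of cardholder tables using the three signals he names: time of day, source application, and volume extracted. The log format, application names, table names, business hours and row threshold are all assumptions chosen for the example.

```python
"""Toy database-activity monitor: flag abnormal access to sensitive tables."""
from dataclasses import dataclass
from datetime import datetime

@dataclass
class AccessEvent:
    ts: datetime
    app: str
    table: str
    rows: int

# Constructed baseline (assumptions): which tables hold sensitive data, which
# applications are expected to read them, normal hours, and a per-query row cap.
SENSITIVE_TABLES = {"card_numbers", "driver_licenses"}
KNOWN_APPS = {"pos_settlement", "fraud_review"}
BUSINESS_HOURS = range(6, 22)   # 06:00-21:59 local time
ROW_THRESHOLD = 1000            # more rows than any legitimate query needs

def parse_line(line):
    """Parse one constructed audit record, e.g.
    '2007-01-15T02:13:44 app=adhoc_sql table=card_numbers rows=250000'."""
    ts_str, *kvs = line.split()
    fields = dict(kv.split("=", 1) for kv in kvs)
    return AccessEvent(datetime.fromisoformat(ts_str), fields["app"],
                       fields["table"], int(fields["rows"]))

def classify(ev):
    """Return the reasons an access to a sensitive table looks abnormal."""
    reasons = []
    if ev.table not in SENSITIVE_TABLES:
        return reasons                      # non-sensitive data: not in scope
    if ev.app not in KNOWN_APPS:
        reasons.append("unknown source application")
    if ev.ts.hour not in BUSINESS_HOURS:
        reasons.append("outside business hours")
    if ev.rows > ROW_THRESHOLD:
        reasons.append(f"bulk extraction ({ev.rows} rows)")
    return reasons

def flag_events(lines):
    """Run every record through classify(); return (time, app, table, reasons)."""
    alerts = []
    for line in lines:
        ev = parse_line(line)
        reasons = classify(ev)
        if reasons:
            alerts.append((ev.ts.isoformat(), ev.app, ev.table, reasons))
    return alerts

SAMPLE_LOG = [  # constructed records, not real TJX data
    "2007-01-15T10:02:11 app=pos_settlement table=card_numbers rows=40",
    "2007-01-15T02:13:44 app=adhoc_sql table=card_numbers rows=250000",
    "2007-01-15T14:30:00 app=fraud_review table=driver_licenses rows=5000",
    "2007-01-15T03:00:00 app=nightly_batch table=inventory rows=900000",
]
```

Running `flag_events(SAMPLE_LOG)` raises two alerts: the off-hours bulk read by an unknown application, and the daytime but oversized read by an otherwise trusted one; the nightly inventory job is ignored because it touches no sensitive table.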