TJX Lesson: PCI Compliance Might Stop Data Breaches

Two members of the PCI Standards Council who are database security experts say the way to prevent a TJX-type breach from happening at your institution is simple -- be compliant with the Payment Card Industry Data Security Standard.


"The Canadian report was interesting. It focused on three things in its best practices for storing sensitive data," says Phil Neray, a vice president at Guardium. "TJX was cited for not having an active monitoring process. We also recommend a multi-layered security approach." This he likened to the security layers around a castle, first a moat, then a drawbridge, and a gate. "What might get through one layer, will hopefully get stopped at the next layer," Neray adds.

Most companies have a good "traditional" perimeter security set up, but have been slow to adopt newer technology, such as database monitoring. "Had TJX had some type of active monitoring in place, the breach would have been detected sooner, rather than going on for months and months."

Neray also points to the Canadian report, which mentions TJX was not compliant with PCI. "VISA has published information that show the majority of level one retailers and level two are not yet in compliance with PCI-DSS," he says. (See VISA's press release on compliance levels, "VISA PCI Release.")

On TJX's lack of compliance, Neray notes: "Certainly a lot more they could be doing to get control of their data."

Was TJX too slow to move to the required WPA wireless standard? "There will always be holes in the environment where hackers or insiders can exploit data," Neray says. "If you have active monitoring in place, this allows you in almost every situation to detect when an intruder is cutting through your layered defenses."

The problem is not just the data, but the amounts being kept. "Organizations are storing increasingly more data about their customers, keeping the records for longer time periods, which explains the deployment of large storage area networks," says Amichai Shulman, an expert on Payment Card Industry (PCI) Data Security Standard and CTO at Imperva, an application data security company.

Shulman agrees with Neray about the need for more than just perimeter security. "While it is important that organizations protect the perimeter of their IT systems against intruders (in the case of TJX, they should have implemented better encryption and access control on their WiFi networks), measures should also be taken to protect the data itself in the event that perimeter defense is compromised. This includes encryption and obfuscation of some data, as mandated for example by the PCI-DSS, as well as real-time monitoring and alert capabilities on suspicious and abnormal access to sensitive data."

Had TJX implemented measures to track access patterns to the credit card numbers and driver license numbers in its database, says Shulman, the story might have ended differently. "By looking at the time of day, source application and amount of extracted information they might have detected the breach earlier saving themselves a lot of money and saving their customers a lot of trouble."
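The "active monitoring" Neray describes and the access-pattern checks Shulman lists (time of day, source application, amount of data extracted) can be sketched as a small database activity monitor. The following is an added example, not code from Guardium, Imperva or TJX; the audit records, the account and application names, the business-hours window and the three-sigma volume threshold are all constructed assumptions chosen to illustrate the idea.

```python
"""Toy database activity monitor.

Builds a per-(account, application) baseline from routine audit records and
flags later access to a table of card and driver's-licence data that is
abnormal in volume, in hour of day, or in the client application used.
All records below are constructed for illustration.
"""
from collections import defaultdict
from dataclasses import dataclass
from statistics import mean, pstdev

BUSINESS_HOURS = range(6, 23)  # assumption: 06:00-22:59 local time


@dataclass(frozen=True)
class AuditEvent:
    hour: int     # local hour of day, 0-23
    user: str     # database account that ran the statement
    app: str      # client program name reported to the database (hypothetical)
    table: str    # table touched
    rows: int     # rows returned by the statement


# Constructed baseline: a week of routine point-of-sale lookups during store
# hours and a nightly settlement batch that legitimately reads thousands of rows.
BASELINE = [AuditEvent(h, "pos_svc", "pos_app", "card_data", r)
            for h in range(8, 22) for r in (1, 2, 1, 3, 1)]
BASELINE += [AuditEvent(21, "batch_svc", "settlement_batch", "card_data", r)
             for r in (4_800, 5_100, 4_950, 5_020, 4_900)]


def build_profile(events):
    """Per (user, app): the hours seen and the mean/stdev of rows returned."""
    rows = defaultdict(list)
    hours = defaultdict(set)
    for e in events:
        rows[(e.user, e.app)].append(e.rows)
        hours[(e.user, e.app)].add(e.hour)
    return {key: {"mean": mean(counts),
                  "stdev": pstdev(counts),
                  "hours": hours[key]}
            for key, counts in rows.items()}


def assess(event, profile, sigma=3.0):
    """Return the reasons an event looks abnormal; an empty list means normal."""
    reasons = []
    base = profile.get((event.user, event.app))
    if base is None:
        # Source application never seen for this account: the access pattern
        # itself is new, regardless of volume.
        reasons.append("unknown user/application pair")
    else:
        # +1 keeps a zero-variance baseline from flagging identical traffic.
        ceiling = base["mean"] + sigma * base["stdev"] + 1
        if event.rows > ceiling:
            reasons.append(f"volume {event.rows} exceeds baseline ceiling {ceiling:.0f}")
        if event.hour not in base["hours"]:
            reasons.append(f"hour {event.hour:02d} never seen for this pair")
    if event.hour not in BUSINESS_HOURS:
        reasons.append("outside business hours")
    return reasons


def detect(events, profile):
    """Pair each abnormal event with its reasons, in the order seen."""
    return [(e, r) for e in events if (r := assess(e, profile))]


if __name__ == "__main__":
    profile = build_profile(BASELINE)
    # Constructed day of traffic: two routine events and two that should alert.
    today = [
        AuditEvent(14, "pos_svc", "pos_app", "card_data", 2),
        AuditEvent(21, "batch_svc", "settlement_batch", "card_data", 5_000),
        AuditEvent(2, "batch_svc", "adhoc_query_tool", "card_data", 450_000),
        AuditEvent(3, "batch_svc", "settlement_batch", "card_data", 450_000),
    ]
    for event, reasons in detect(today, profile):
        print(f"ALERT {event.user}/{event.app} at {event.hour:02d}:00 -> {'; '.join(reasons)}")
```

The point of the three independent checks is the layering Neray describes: a bulk extraction run through the normal batch account at the usual hour still trips the volume rule, while a small, slow extraction through an unfamiliar client at 02:00 trips the application and time-of-day rules even though no single statement returns many rows.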


About the Author

Linda McGlasson

Managing Editor

Linda McGlasson is a seasoned writer and editor with 20 years of experience in writing for corporations, business publications and newspapers. She has worked in the Financial Services industry for more than 12 years. Most recently Linda headed information security awareness and training and the Computer Incident Response Team for Securities Industry Automation Corporation (SIAC), a subsidiary of the NYSE Group (NYX). As part of her role she developed infosec policy, developed new awareness testing and led the company's incident response team. In the last two years she's been involved with the Financial Services Information Sharing Analysis Center (FS-ISAC), editing its quarterly member newsletter and identifying speakers for member meetings.
