Retail Security: 'Knee-jerk' Standards Compliance Isn't Enough
Tim Greene writes on NetworkWorld:
Businesses certified to be compliant with the Payment Card Industry Data Security Standards (PCI DSS) keep suffering data breaches, but the problem may be more with the way businesses address the requirements than with the PCI standard, experts told an Interop gathering.More here.
Retail chain Forever 21, which last week revealed that nearly 99,000 customer payment cards may have been compromised, claimed it was PCI compliant, said John Pironti, the chief information risk strategist for Getronics.
“They claim to be PCI compliant, Hannaford’s [the supermarket chain that suffered a data breach] claimed to be PCI compliant,” said Pironti, who moderated an Interop panel on the subject of compliance.
But those firms may have restricted compliance auditors’ access to areas where they thought they would meet standards, said Jennifer Mack, vice president of Master Card Worldwide and a member of the PCI Security Council.