Target Lawsuit Puts Bullseye on PCI Compliance

03.28.14
James Mulvey

How can companies stay secure in an ever-changing security landscape?

Target can’t catch a break. First came the big holiday hacking scandal, in which the credit card information of nearly 40 million customers was stolen by a hacker. Now the company is being sued by two banks over the breach, and the lawsuit puts PCI DSS compliance front and center.


Target and PCI compliance

We’ve provided a nice rundown of what exactly PCI DSS is here, but to give you the basics: it is the set of security requirements that every institution storing or transmitting credit card data must follow. In short, card data must be encrypted when stored or transmitted, and the required security controls must be in place, including firewalls, up-to-date antivirus protection, and monitoring and limiting of network and data access. To become PCI compliant, an institution must be audited by an approved third-party assessor to confirm its security measures are up to par.

Target and the security firm it hired, Trustwave, are getting their heads served on a platter: the lawsuit from the two banks states that this wouldn’t have happened if Target and Trustwave had followed PCI DSS and taken proper security measures against threats. The lawsuit states, “The hackers could not have accessed Target’s internal computer network and point-of-sale (‘POS’) system and stolen its customers’ sensitive payment card information and PII but for Target’s inadequate security protections — including its failure to comply with PCI DSS.”

With new security threats coming up all the time, compliance can be hard to keep up with, especially as new technologies open new holes for hackers. You can be PCI compliant in April, but if you add new software or change firewall settings, you may no longer be compliant in May, so maintaining compliance is tough.
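The April-to-May drift described above is exactly what a continuous compliance check is meant to catch. The following script is an added example, not code from the original post or from Target, Trustwave, or any PCI assessor: it records the firewall ruleset and software inventory that passed an assessment as a baseline, then compares a later snapshot against it and flags changes that weaken the cardholder environment (a rule opened to any source, a new rule into the cardholder zone, a removed deny rule, an unapproved package). The rule syntax, zone names, package names and both snapshots are constructed sample data.

```python
import hashlib
from dataclasses import dataclass

# Constructed sample input: the ruleset and software inventory the assessor
# signed off on ("April"). Rule syntax is hypothetical:
#   <allow|deny> <proto> <port> from <source> to <zone>
BASELINE_RULES = [
    "allow tcp 443 from any to dmz",
    "allow tcp 22 from 10.0.0.0/8 to mgmt",
    "deny any any from any to cardholder",
]
BASELINE_PACKAGES = {"openssl": "1.0.1g", "av-agent": "5.2"}

# Constructed sample input: the same host a month later ("May"), after an
# admin widened SSH access, opened a new inbound port into the cardholder
# zone, and installed an unapproved remote-access tool.
CURRENT_RULES = [
    "allow tcp 443 from any to dmz",
    "allow tcp 22 from any to mgmt",
    "allow tcp 3389 from any to cardholder",
]
CURRENT_PACKAGES = {"openssl": "1.0.1g", "av-agent": "5.2", "remote-tool": "0.9"}

CDE_ZONE = "cardholder"  # hypothetical zone name for the cardholder data environment


@dataclass(frozen=True)
class Rule:
    action: str
    proto: str
    port: str
    src: str
    dst: str


def parse_rule(line: str) -> Rule:
    """Parse one rule line of the hypothetical syntax above."""
    p = line.split()
    if len(p) != 7 or p[3] != "from" or p[5] != "to":
        raise ValueError(f"unrecognised rule: {line!r}")
    return Rule(p[0], p[1], p[2], p[4], p[6])


def fingerprint(rules, packages) -> str:
    """Stable SHA-256 over the canonical state; a cheap 'did anything change?' check."""
    canon = "\n".join(sorted(rules)) + "\n" + "\n".join(
        f"{name}={ver}" for name, ver in sorted(packages.items()))
    return hashlib.sha256(canon.encode()).hexdigest()


def diff_rules(baseline, current):
    """Return (severity, change, rule) tuples for every rule that differs."""
    base, cur = set(baseline), set(current)
    findings = []
    for line in base - cur:
        r = parse_rule(line)
        # Losing a deny rule is the riskier kind of removal.
        findings.append(("high" if r.action == "deny" else "review", "removed", line))
    for line in cur - base:
        r = parse_rule(line)
        # New allow rules from anywhere, or into the cardholder zone, need a second look.
        exposed = r.action == "allow" and (r.src == "any" or r.dst == CDE_ZONE)
        findings.append(("high" if exposed else "review", "added", line))
    return sorted(findings)


def diff_packages(baseline, current):
    """Return (severity, change, 'name version') tuples for inventory differences."""
    findings = []
    for name in baseline.keys() - current.keys():
        findings.append(("review", "removed", f"{name} {baseline[name]}"))
    for name in current.keys() - baseline.keys():
        findings.append(("review", "added", f"{name} {current[name]}"))
    for name in baseline.keys() & current.keys():
        if baseline[name] != current[name]:
            findings.append(("review", "changed", f"{name} {baseline[name]}->{current[name]}"))
    return sorted(findings)


def compliance_drift(baseline_rules, current_rules, baseline_pkgs, current_pkgs):
    """Compare a snapshot against the signed-off baseline and report what drifted."""
    rules = diff_rules(baseline_rules, current_rules)
    pkgs = diff_packages(baseline_pkgs, current_pkgs)
    return {
        "unchanged": fingerprint(baseline_rules, baseline_pkgs)
        == fingerprint(current_rules, current_pkgs),
        "rules": rules,
        "packages": pkgs,
        "needs_reassessment": any(sev == "high" for sev, _, _ in rules + pkgs),
    }


if __name__ == "__main__":
    report = compliance_drift(BASELINE_RULES, CURRENT_RULES, BASELINE_PACKAGES, CURRENT_PACKAGES)
    for sev, change, item in report["rules"] + report["packages"]:
        print(f"[{sev:6}] {change:7} {item}")
    print("needs reassessment:", report["needs_reassessment"])
```

Run as a scheduled job against the real ruleset and package list, a "high" finding is the signal that the environment no longer matches what was assessed and needs a change review before the next audit, rather than a surprise after a breach.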

As the Wired article points out, the problem may lie with the audits themselves. Beyond shady certifications and auditing companies pushing their own products to gain an advantage, the security requirements themselves need updating. It has been shown that the existing security measures don’t work, so why can’t there be an update? Maybe add better firewalls, threat detection systems, and all-encompassing encryption for stored data.

[Wired]
