Retails a tough business. You and your suppliers are trying to bully each other, your customers are trying to steal whatever they can, and you just cant get good employees anymore. But the biggest, baddest bully you have to deal with is Visa.
Visa is forcing you to spend big money upgrading equipment and procedures, paying consultants, buying new software and training people. Im on Visas side. Credit card security is important in the modern world, and if youre not part of the solution, then youre part of the problem. (Of course, they cant force you to do anything; you could just choose not to take Visa cards from your customers. Ha ha, I had to say that.)
You can get a good sense of the seriousness of the problem from the great reporting of our own Evan Schuman on the TJX fiasco. His most recent story talks about the fines Visa is imposing on TJX for their violations of PCI and other security rules. In fact, Visa is fining TJXs card processor, but such fines, it seems, are often passed on to the retailer.
Good, they cant be strict enough. The evidence of TJXs negligence gets more appalling all the time. Back in 2005 when TJXs CIO was trying to put off upgrading his companys wireless security from WEP (Wired Equivalent Privacy) to WPA (Wi-Fi Protected Access), it was well understood that WEP was pathetically insecure. Tools were easily available to compromise it, and once in, the door to the TJX network and their improperly stored cardholder data was open, and the hacker who attacked the company moved 80GB of data off the network using TJXs high-speed connections.
TJX will probably pay a large price in civil courts for their technological hubris, but I wonder whether it can possibly be enough. Back around the same time that TJX was blowing off their customers security, the CardSystems scandal was hitting the headlines. Their violations of both technical and business rules were so egregious that Visa and American Express both dropped the company as a processor. This was capital punishment for a company in that business, and before too long it sold out to a company not even in the processing business. CardSystems doesnt exist anymore, and many people there must have lost their jobs.
Its one thing to sign a death warrant for a credit card processor that few people have heard of (even if they are an important company). Dealing with a large retailer that has numerous famous brands is quite another. The point is to put the fear of God into the IT departments of large retailers to make full PCI compliance a high priority. That cardholder data is not something you get creative with; its other peoples identities. You use it and lose it.
Just the other day a release from Microsoft Research on cyber-crime hit the nail on the head on this point:
Security and privacy professionals see customer data as an asset to protect, while in functions such as marketing where personal data is collected and used, employees are more likely to see it as a resource to achieve business objectives.
Its thinking such as that ascribed here to marketing that leads to cardholder data being retained and eventually exposed.
While the Microsoft release goes to note that “…representatives from all three functions agree that the theft or loss of customer data has a potentially damaging impact on brand value and organizational reputation” clearly some data is not worth using for anything other than very limited means.
Visas got the right idea. Now they have issued a new set of requirements for applications software that processes cardholder data.
The next step is to let customers know which retailers are treating their card data securely and which arent. Even if they are now compliant, I know I wont ever trust TJX anymore.
Security Center Editor Larry Seltzer has worked in and written about the computer industry since 1983.
More from Larry Seltzer