The recent data breach at Target stores has much of the country keeping a closer eye on their bank statements and wondering how such a thing could happen. The event will resonate throughout the entire industry and changes in the Payment Card Industry Data Security Standards are almost a sure thing. The closest historical comparison to this breach was 2005when 45.6 M card numbers were stolen from TJ Max Stores, this resulted in a settlement of $9.75M and opened the eyes of the Payment Card Industry to the vulnerability of its sensitive data. In that case TJ Maxx was not compliant with 9 of the 12 PCI Security Standards for encryption and storing cardholder data. Let’s take a look at the current standards to see if there is anything Target did (or should have done) to prevent such an enormous data breach. Potentially noncompliant areas are in bold.
1. Install and maintain a firewall configuration to protect cardholder data
2. Do not use vendor-supplied defaults for system passwords and other security parameters
3. Protect stored cardholder data
4. Encrypt transmission of cardholder data across open, public networks
5. Use and regularly update anti-virus software or programs
6. Develop and maintain secure systems and applications
7. Restrict access to cardholder data by business need-to-know
8. Assign a unique ID to each person with computer access
9. Restrict physical access to cardholder data
10. Track and monitor all access to network resources and cardholder data
11. Regularly test security systems and processes
12. Maintain a policy that addresses information security for employees and contractors
By our count, there are at least seven potential areas where Target could have opened the door for hackers and criminals to get their hands on your sensitive card data. Time will tell what exactly they did wrong, however they did do the right thing by coming forward early. While this is the first data breach in a while, it will certainly not be the last.
What does this mean for small business owners?
- Get ready for some changes. The PCI board and congress will most likely respond, as such events threaten the industry. It shows us a clear example of just how important PCI Compliance is.
- While your business might not have millions of customers, any breach of data can be extraordinarily costly. Therefore preparation is important, so make sure that you are compliant.
- Merchant Service Providers WILL use this event as leverage. Just as they did with the original PCI Mandate, Processing companies will use this event to scare merchants into costly, unnecessary, and ineffective PCI programs. Inform yourself of what PCI compliance exactly does, how your program addresses it, and how much it costs relative to the market (hint: we do it for free!).
Time will tell the true costs of the Target breach, but for now the key takeaway for small businesses will be preparation. If Target had followed the PCI DSS standards, then it is clear that their data would not have been compromised. Stay vigilant and make sure you do not become a target.