SecurityFocus 2007-10-09
Story continued from Page 1
Despite the breaches, somewhere between a third and a half of large retailers still do not comply with the Payment Card Industry's data security standard, according to media reports. Visa's compliance deadline had already passed on September 30.
The PCI Data Security Standard (PCI DSS) stresses that most transactions do not require the merchant to store the full account number or the Card Verification Value 2 (CVV2), the three- or four-digit code printed on the card that is used to verify card-not-present transactions, according to a Visa data security brief (PDF) on the topic. In most cases, a truncated account number is the recommended form in which to retain card data, the brief stated.
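The storage rule the brief describes, as an added example that is not part of the original article or of Visa's brief: an authorization record is reduced to a storable form by dropping the sensitive authentication data that PCI DSS requirement 3.2 forbids keeping after authorization (CVV2, track data, PIN) and truncating the PAN to at most the first six and last four digits, the masking limit in requirement 3.3. A second routine scans text (a constructed log excerpt here) for unprotected full PANs, using a Luhn check to discard other long digit strings. The record field names and log format are assumptions for illustration; the card numbers are the standard 4111... and 5500... test values.

```python
import re
from typing import Dict, List

# Fields PCI DSS 3.2 forbids storing after authorization. Names are assumed
# for this example; real systems must map their own field names here.
SENSITIVE_AUTH_FIELDS = {"cvv2", "cvc2", "cid", "track1", "track2", "pin", "pin_block"}

# Candidate PAN: 13-19 digits, optionally separated by spaces or dashes.
PAN_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")


def luhn_valid(pan: str) -> bool:
    """Return True if the digits in `pan` pass the Luhn (mod 10) check."""
    digits = [int(c) for c in pan if c.isdigit()]
    if not 13 <= len(digits) <= 19:
        return False
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def truncate_pan(pan: str) -> str:
    """Keep first six and last four digits, replace the rest with '*'."""
    digits = re.sub(r"\D", "", pan)
    if not luhn_valid(digits):
        raise ValueError("not a plausible PAN")
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def to_storable(auth_record: Dict[str, str]) -> Dict[str, str]:
    """Reduce a post-authorization record to what may be retained.

    Sensitive authentication data is removed outright; the PAN is truncated;
    everything else (amount, expiry, auth code, order id) passes through.
    """
    stored = {}
    for key, value in auth_record.items():
        if key.lower() in SENSITIVE_AUTH_FIELDS:
            continue
        if key.lower() == "pan":
            stored[key] = truncate_pan(value)
        else:
            stored[key] = value
    return stored


def find_unprotected_pans(text: str) -> List[str]:
    """Return full PANs found in `text`; non-Luhn digit runs are ignored."""
    hits = []
    for m in PAN_RE.finditer(text):
        digits = re.sub(r"\D", "", m.group())
        if luhn_valid(digits):
            hits.append(digits)
    return hits


# Constructed sample input (assumed log format, test card numbers).
SAMPLE_LOG = """\
2007-10-09 12:00:01 order=1001 pan=4111111111111111 amount=19.99
2007-10-09 12:00:02 order=1002 pan=411111******1111 amount=5.00
2007-10-09 12:00:03 order=1003 ref=1234567890123456 amount=42.00
2007-10-09 12:00:04 order=1004 pan=5500 0000 0000 0004 amount=7.50
"""

SAMPLE_AUTH = {
    "order": "1001",
    "pan": "4111 1111 1111 1111",
    "cvv2": "123",
    "expiry": "12/09",
    "amount": "19.99",
    "auth_code": "A1B2C3",
}

if __name__ == "__main__":
    print(to_storable(SAMPLE_AUTH))
    for pan in find_unprotected_pans(SAMPLE_LOG):
        print("unprotected PAN stored:", truncate_pan(pan))
```

The scan flags the first and fourth log lines only: the second already holds a truncated PAN, and the third line's 16-digit reference number fails the Luhn check. A Luhn match is a strong hint, not proof, so a real discovery tool would still have a human confirm the hits.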
Visa, currently in a quiet period following a global restructuring, would not comment on the issues, and Mastercard International could not immediately be reached for comment.
However, Prat Moghe, founder and CTO of database auditing and protection firm Tizor Systems, stressed that even retailers that stop storing card account numbers will most likely keep other customer and transaction data on hand for business analysis. That data can still be used to commit identity fraud, he said, so the companies will still have to protect it from online intruders.
"The retailers do store a lot of data in addition to credit card data," Moghe said. "The risks of identity theft are not going away with credit-card information. I don't think that they are recognizing that data as a security issue as well."
For the most part, consumers are not clamoring for more security, according to analysts. In a survey of TJX customers, analyst firm Gartner found that, while 77 percent of those polled blamed the company for the theft, only 22 percent said they would stop shopping at its stores. In September, TJX announced it had agreed on a settlement to end the consumer lawsuits, but many -- including the judge in the case -- have criticized the settlement as lacking teeth.
While the healthcare and financial industries face strict compliance requirements mandated by law, retailers have largely escaped such a fate; even so, complying with PCI DSS is in everyone's best interest, said Moghe.
"If credit card data is unnecessarily being stored, does it have to be there? I think that is a legitimate point to bring up," he said. "They should, however, not be keeping any data that they don't need in the long term. And, in the short term, they need to secure the data that they do have."