Offering regional and national programs, CIO (and CSO) events bring together some of the most respected names and thought leaders in information technology and security. Presented by CIOs and other senior level executives, these invitation-only programs offer timely topics and strong networking. Learn More »
Public Teleconferences
Join CIO Executive Council members and participate in the following live teleconferences:
* Planning for Succession:
Models for IT Leadership Development, June 23
* Change Leadership at General Growth Properties: A
Pathways Leadership Development Seminar, June 25
* Managing Change: Centralizing Your IT Organization
July 29
Apply today for a FREE subscription to CIO Magazine!
Feature
Can Mid-Market Merchants Comply with PCI Standards In Time?
If you want to transact business with credit cards, you have to follow the rules: the payment card industry security standards. Companies that don't comply face fines or worse. So why aren't more mid-market merchants already in compliance?December 06, 2007 — CIO — Nearly a year after TJX Companies suffered what is believed to be the largest identity theft to have hit a retailer, credit card companies are laying down the law for any merchant who transacts business with plastic. By New Year's Eve, all businesses that handle between 1 million and 6 million credit card transactions a year (primarily mid-market companies) must comply with the payment card industry's new Data Security Standard (PCI DSS).
Companies that fail to comply with the standard's 12-point specification risk thousands of dollars in fines (from Visa, $5,000 to $25,000 a month), though it's hard to predict what noncompliance will really cost because the penalty structure is complex. Ultimately, Visa, MasterCard and the other payment card companies could revoke merchants' rights to make credit card transactions—a mortal wound for any consumer-oriented business. And yet despite the threat of penalties, experts believe that most mid-size companies won't make the deadline (larger companies with a higher transaction volume are already supposed to be compliant).
Compliance is hardly rocket science—or is it? Directives to use firewalls and change vendor-supplied default passwords are simply security best practices. But in other areas, merchants struggle to interpret the standards, haggling with auditors, consultants and sometimes the PCI Council itself over exactly how to protect cardholder data. And they often have to reach deep into cash-strapped pockets to come up with the funds for conducting a top-to-bottom security review.
Brian Shniderman, a director at Deloitte Consulting, estimates that 40 percent to 45 percent of merchants might need to overhaul everything from access management, ID control and physical security, to infrastructure, firewalls and antivirus measures.
"The industry is not sitting in a stable position with regard to PCI standards," he says.
Lessons from TJX
Version 1.1 of the PCI Data Security Standard (PCI DSS 1.1) was on the books in January 2007, when TJX Companies—operator of A.J. Wright, Bob's Stores, HomeGoods, Marshalls and T.J. Maxx—announced that hackers had breached its network. Estimates of the damage vary, but data thieves may have copped anywhere from 45 million to more than 100 million user accounts, from customer transactions going back to 2003.
According to The Wall Street Journal, the thieves may have begun their odyssey in a van parked near a St. Paul, Minn., Marshalls store, at which they pointed an antenna and picked up wireless data beamed across the store from registers and handheld scanners. The intercepted data allowed thieves to hack the main network in Framingham, Mass. and allowed them to download megabytes of stored customer records. At least three class-action lawsuits seeking damages on behalf of customers and banks are pending in federal court. (TJX is awaiting court approval of a proposed settlement with customers worth an estimated $256 million. On Nov. 30, 2007, the company announced a $40.9 million settlement with Visa through which it would pay banks for their claimed losses, provided banks agree not to pursue further legal action.)
Riverbed RiOS 4.0: Raising the Bar in Wide Area Data Services
Forrester Research: Defining a Mobile Enterprise Policy
Windows Mobile Users Capture Value from Mobile Applications
Mobility for the People- Ready Business
Mobility Solutions in Enterprise-Size Businesses: Quantifying the Return on Investment (IDC Study)
Symantec Data Center Foundation Solutions
Windows Mobile Series: Improving Mobile Security and Management Webcast
Solutions to the Toughest IT Challenges in Remote Offices Webcast
Get Control of Mobile Data (and More): Improve security and reduce costs with a mobility management platform (Video webcast)
The Universal Wireless Client: How to simplify mobility and reduce the cost of supporting mobile workers (Video webcast)
Advanced DNS and Traffic Management Solutions: The Keys to Enhancing and Securing your Enterprise Network
ProCurve Access Control Video
Resource Alerts
Get instant email notifications by topic when white papers, webcasts, and case studies are added to our library.
Lithuania: Attacks Focused on Hosting Company
Google Bows to Pressure, Adds 'Privacy' Link to Home Page
TSMC Says 2Q in Line Or Better After Major Customer Falls
Asustek to Offer Eee PC with Built-in 3G Wireless
Asustek's Latest Eee PCs Shipping in Asia in July
Lenovo Seeks Prestige in Price-Sensitive Market
Microsoft's Silverlight Draws Patent Suit
A Tale of Two City Wi-Fi's
Google Under Pressure As App Engine Requests Rise
Wall Street Beat: IT Slumps in First Half
How To Do Nearly Anything
Just the basics, please. Sometimes we all need a refresher or we need to make sure our team and our colleagues are all on the same page.
Over 25 tutorials on everything from business intelligence to virtualization.
