Friday, December 21, 2007

Teeth or Gums? Which is Which for the Consumer?

I just read this article in the Boston Globe this morning, and a smirk crossed my mind in that it proves a widely held theory I share with my friends in this space that Identity Theft and a massive breach is simply the cost of doing business. Unbeleiveable. Or is It?

With services out there like Lifelock and the fact that the company who f'ed up covering the cost of monitoring, what's $100/year for their services or free for monitoring. You'll save at least that much shopping at TJX companies or the mom and pop shop with no overhead, and no security in place... Right?

Consumers don't stay angry in the face of a good deal.

That's a lesson emerging from the data breach at TJX Cos., the Framingham retailer that a year ago discovered an intrusion into its computer security that compromised as many as 100 million payment-card accounts. While the episode led to lawsuits from banks and many complaints, sales at TJX stores such as TJ Maxx and Marshalls have risen steadily this year.

Customers like Florida businesswoman Hanna Lipman help explain why. In April, Visa canceled one of Lipman's credit cards, saying it was compromised in the breach. By then, she had stopped going to the TJ Maxx store in Boca Raton.

But now, Lipman said, she is back to spending about $100 a month at the store, on pocketbooks and other items. She expects TJX will be extra-cautious about protecting her information.

"They got nailed from so many banks, I have to believe whatever can be done they have done," Lipman said.

Another customer whose card was canceled, Phil Dunkelberger, said he still shops at a TJ Maxx store in California, but pays by cash or check to reduce his risk of data theft. "I think they're much safer than other vendors who haven't had a breach and gone through the pain," he said.

Thursday, December 20, 2007

My New Blog Launched

I have decided to start a third blog to cover yet another hot topic in IT - Virtualization, over at my new Blog - Virtualization Stuff.


Tuesday, December 18, 2007

Is PCI a Scam?

I had to ask myself this question after two years working with clients to help solve their PCI issues and seeing only a handful of fines being handed out to the poster children of a breach. Here is why I pose the question...

If I am an issuer of cards, why is it good business to bite the hand that feeds me in levying fines against those organizations who provide me revenue? Is the revenue that gets generated more fraudulent than legitimate so it is in my best interest to shut down the source of the fraud? If there was that much fraud because of the identity theft that is associated with fraud, isn't there anything else that the issuaing card companies can do besides hand out fines. It just seems like it is adding insult to injury.

If I am a level 2, 3, or 4 merchant, and I look at what it will cost me to get compliant both in terms of technology and access to expertise to implement a solution, why wouldn't I roll the dice and wait to be shut down, especially if the cost of compliance puts me out of business? I will say for the record that the level 2,3, and 4 merchants are the most at risk for a breach because of their restricted access to capital and expertise and that ability to pay for it, so they are in a no-win situation, are they not?

If I look at what the core of the issue is, it is the databases used to store data. So why not lock down, encrypt, and render virtually inaccessible the records in said databases and leave it at that? Why not simply say that IF you store data (not a great idea but I know organizations do it), be sure it is encrypted all the way down to the cell level. It won't matter if I can get access to the database and copy it since it will be rendered useless unless I have access to some serious computing power.

Can't the card companies incent Oracle, Microsoft, etc. to ship the encryption with their databases out of the box to make this happen?

Labels: , ,

Monday, December 10, 2007

PCI e-Symposium from the ISSA

I sat in on a call with the ISSA and I wanted to get some additional data out there for those of us working to figure out PCI Compliance. Enjoy!


My Personal Resources