Credit Card Security Not Up To Snuff
Tuesday, April 29th, 2008WSJ - April 29, 2008 - A9
Data breaches occur even at companies that fully comply with the Payment Card Industry Security Standards Council, known as PCI. Among other things, these standards require retailers to encrypt or mask customer data, regularly update antivirus software, restrict access to card data to only certain authorized personnel and protect stored information with firewalls. Clearly, even when retailers do everything they are supposed to do, customer financial information can be lost or stolen. Some recent examples include:
- Hannaford Bros. (New England supermarket chain) - Data for 4.2 million credit card holders may have been stolen
- Okemo Mountain Resort (Vermont ski resort) - Lost card data for 50,000 customers
Security experts say that many of these attacks could have been prevented by installing encryption at the cash register (for less than $100 per terminal), but this is not required under PCI. Still that cost adds up and may be prohibitive for smaller merchants. Even if these point-of-sale sites are shored up, thieves will still attack merchants and merchant processors because the data stolen is so valuable.