Remember all the problems retail giant TJX had in 2007? The company’s credit card security standards were not sufficient, and first estimates had it losing $25 million. Did you ever hear what the final total was? It was actually closer to $256 million. This breach was devastating to the company not only from a monetary perspective; the TJX brand also took a hit, and for a short time the company became the poster child for credit card security non-compliance. Penalties for non-compliance with PCI DSS requirements are not discussed openly; however, there are massive fines, upwards of $100,000 a month depending on the violation.
Global organizations with many distributed credit card transaction terminals face unique challenges related to PCI DSS, as customer data is processed and transmitted at hundreds – or even thousands – of locations.
This is a challenge CORE is very familiar with. One of our customers, a US-based hotel company with more than 1,100 locations worldwide, uses CORE solutions to not only ensure compliance with PCI DSS mandates, but also to strengthen its security posture. Using CORE agents deployed across its widespread network – including multiple data points within each site (e.g. POS terminals at the front desk, restaurant, etc.) – the company is able to automatically test 100% of its network on an ongoing basis, vs. the 25% bi-annually that it was testing previously.
Beyond automated penetration testing, CORE’s solutions enable the hotelier to periodically conduct in-depth testing of a subset of exploits, test the effectiveness of its intrusion detection systems and monitor its security risk profile over time.
There’s no doubt that PCI DSS compliance can be difficult to achieve. Indeed, given the nature of the data being protected, the requirements should be stringent. With the appropriate security tools in place, however, you can avoid the kinds of data breaches experienced by companies like TJX.
Ray Suarez, Director of Product Management