Saturday, March 31, 2007


The recent theft of nearly 46 million credit-card numbers over the past five years at TJX was most likely the work of a group of hackers who "installed what were probably rootkits and Trojans on the retailer's network at various locations," according to Larry Walsh of the VARBusiness Network.

My question: could TJX possibly have not been PCI-compliant? If not, why not? Why would they not have been in the "compulsory" category for a third-party audit? And if they passed, what does that say about the whole PCI process?

As alarming as the TJX situation is, I am more alarmed at the PCI situation, myself. Is the entire PCI infrastructure like airport security, a lot of aggravating razzmatazz that still doesn't provide security where it is needed most, i.e., against an "inside job"?

Any thoughts?

1 comment:

Anonymous said...

As someone who develops and maintains several PCI compliant sites I would have to say that PCI is just the bare minimum of what any responsible person/company should do. There are plenty of other aspects to security that aren't addressed in the PCI guidelines/requirements that need to be considered.

Thinking PCI compliance is going to ensure protection is much like thinking wearing a seat belt while driving is going to protect you from a car wreck.

Web Analytics