"Shoe discounter DSW Inc. has agreed to settle Federal Trade Commission charges that its failure to take reasonable security measures to protect sensitive customer data was an unfair practice that violated federal law. "
I'm finding many people and companies I talk with DO NOT understand the following: if your company fails to take reasonable security measures to protect sensitive customer data, your company CAN be held liable under federal law. The FTC treats that failure as an unfair practice, so a company does not have to break a specific data-security statute to end up in this position.
When reviewing the allegations against DSW, I'm amazed. Quoted from the FTC release, DSW:
- created unnecessary risks to sensitive information by storing it in multiple files when it no longer had a business need to keep the information;
- failed to use readily available security measures to limit access to its computer networks through wireless access points on the networks;
- stored the information in unencrypted files that could be easily accessed using a commonly known user ID and password;
- failed to limit sufficiently the ability of computers on one in-store network to connect to computers on other in-store and corporate networks; and
- failed to employ sufficient measures to detect unauthorized access.
These days, one doesn't have to look very far to learn industry best practices for storing credit card or banking information. Let's use Visa as an example: Visa has the Cardholder Information Security Program (CISP).
VISA's policy is this: "CISP compliance is required of all merchants and service providers that store, process, or transmit Visa cardholder data."
The underlying requirements are spelled out by the payment card industry in the Payment Card Industry (PCI) Data Security Standard. Anyone who handles payment information should take this standard seriously and comply with it, or face restrictions (and fines) from the major card brands.
Compliance was required by June 30, 2005, so DSW was not yet held to that deadline when it was compromised in March 2005. HOWEVER, I'm still hearing from people at different companies who hold onto credit card data and who STILL ARE NOT taking the security of this data seriously, or are not even aware of the PCI Data Security Standard.
Certainly the PCI Data Security Standard is not a "silver bullet" by any means, but it is a start. Ideally companies would treat this standard as a baseline and build policies above and beyond it, because several of the DSW failures (keeping data with no business need, flat networks between stores and corporate, no detection of unauthorized access) are exactly the kind of thing a checklist audit can pass over if nobody owns the risk.
Better yet, small and mid-size companies should consider outsourcing payment services to a provider that will hold and store this data properly (e.g. Verisign's Payment Services). Outsourcing shrinks how much card data the company itself stores, but it does not remove responsibility for whatever part of the payment flow the company still handles, so the goal should be to stop storing card data at all rather than to store less of it.