Advocates of the Payment Card Industry (PCI) Data Security Standard created by Visa and MasterCard say that adherence to this standard takes companies a long way toward protecting their customers from wireless poachers. Section 4.1.1, for example, states that wireless networks transmitting cardholder data must encrypt the transmissions by using Wi-Fi protected access (WPA or WPA2) technology, IPSEC VPN, or SSL/TLS. "Never rely exclusively on wired equivalent privacy (WEP) to protect confidentiality and access to a wireless LAN," the standard says. Companies may use WEP only in conjunction with WPA, WPA2, a VPN, or SSL/TLS, and even then the WEP configuration must use a minimum 104-bit encryption key and a 24-bit initialization value (IV).
"When the PCI data security standard first came out, there was only WEP," says Bob Russo, general manager of the PCI Security Standards Council, a group of payment card and other businesses that serve as stewards over the standard. "As the threats became more apparent and WEP became less and less effective, we changed the standard to keep up with what the bad guys are doing."
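The standard's WEP fallback parameters (a 104-bit key and a 24-bit IV) and Russo's remark that WEP became less and less effective are easier to appreciate with a concrete model. The following Python is an added example, not code from the article, from InformationWeek, or from the PCI Security Standards Council: it reproduces WEP's per-frame RC4 keying (IV || shared key) and the passive keystream-reuse attack that a 24-bit IV invites regardless of how long the shared key is. The key, IV, frame payloads and link rate below are constructed values chosen for illustration.

```python
"""WEP keystream reuse: why a 104-bit key does not rescue a 24-bit IV.
Added example; the key, IV and frame contents are constructed test data."""
import math
import zlib
from typing import Optional


def rc4_keystream(key: bytes, length: int) -> bytes:
    """Plain RC4 (key scheduling + PRGA); returns `length` keystream bytes."""
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out = bytearray()
    i = j = 0
    for _ in range(length):
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


def xor_bytes(a: bytes, b: bytes) -> bytes:
    """XOR two byte strings, truncating to the shorter one."""
    return bytes(x ^ y for x, y in zip(a, b))


def wep_encrypt_frame(wep_key: bytes, iv: bytes, payload: bytes) -> bytes:
    """Encrypt one WEP frame body.

    WEP seeds RC4 with IV || shared key (3 + 13 bytes is the "128-bit" WEP
    that the standard's 104-bit minimum refers to) and XORs the keystream
    over payload || CRC-32 ICV.  The IV is sent in the clear in front of the
    ciphertext, so any observer can see which frames share a keystream.
    """
    if len(iv) != 3:
        raise ValueError("WEP IV is 24 bits")
    if len(wep_key) not in (5, 13):
        raise ValueError("WEP keys are 40 or 104 bits")
    icv = zlib.crc32(payload).to_bytes(4, "little")
    plaintext = payload + icv
    keystream = rc4_keystream(iv + wep_key, len(plaintext))
    return iv + xor_bytes(plaintext, keystream)


def recover_from_iv_reuse(frame_a: bytes, known_payload_a: bytes,
                          frame_b: bytes) -> Optional[bytes]:
    """Passive attack needing no key.  Two frames with the same IV were
    encrypted under the same keystream; knowing (or guessing) frame A's
    payload yields that keystream, which decrypts the same-length prefix of
    frame B.  Returns None if the IVs differ."""
    iv_a, ct_a = frame_a[:3], frame_a[3:]
    iv_b, ct_b = frame_b[:3], frame_b[3:]
    if iv_a != iv_b:
        return None
    keystream = xor_bytes(ct_a, known_payload_a)   # C_a XOR P_a = keystream prefix
    return xor_bytes(ct_b, keystream)             # C_b XOR keystream = P_b prefix


def frames_until_iv_collision(iv_bits: int = 24, probability: float = 0.5) -> float:
    """Birthday bound: frames sent with random IVs before some IV repeats with
    the given probability.  The key length does not appear anywhere."""
    n = 2 ** iv_bits
    return math.sqrt(2 * n * math.log(1 / (1 - probability)))


def seconds_to_exhaust_ivs(frames_per_second: float, iv_bits: int = 24) -> float:
    """A sequential IV counter wraps after 2**iv_bits frames; from then on
    every keystream repeats.  frames_per_second is an assumed link rate,
    not a figure from the article."""
    return (2 ** iv_bits) / frames_per_second


if __name__ == "__main__":
    key = bytes.fromhex("0123456789abcdef0123456789")   # constructed 104-bit key
    iv = b"\x00\x00\x2a"                                  # constructed IV
    frame_a = wep_encrypt_frame(key, iv, b"GET / HTTP/1.1\r\n")
    frame_b = wep_encrypt_frame(key, iv, b"pan=4111111111111111;exp=0109")
    print(recover_from_iv_reuse(frame_a, b"GET / HTTP/1.1\r\n", frame_b))
    print(round(frames_until_iv_collision()))           # about 4823 frames
    print(seconds_to_exhaust_ivs(1000) / 3600)          # about 4.7 hours at 1000 frames/s
```

Run stand-alone, the script recovers the first 16 bytes of the second frame from nothing but the two ciphertexts and a guessable first payload, then shows that with random IVs a repeat is more likely than not after roughly 4,823 frames, and that a sequential IV counter wraps in under five hours at the assumed 1,000 frames per second. Neither number changes if the key grows from 40 to 104 bits, which is the reason the standard forbids relying on WEP alone: WPA and WPA2 derive fresh per-frame keying material from a 48-bit sequence counter, so the keystream-reuse shortcut disappears.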
As more information is revealed about how TJX was attacked, the situation increasingly resembles the pickle that BJ's Wholesale Club Inc. found itself in a few years ago, when it had to settle with the Federal Trade Commission on charges that the company failed to adequately protect customer data. The FTC accused BJ's of failing to encrypt customer data when transmitted or stored on BJ's computers, keeping that data in files accessible using default passwords, and running insecure, insufficiently monitored wireless networks. The FTC has likewise launched an investigation into TJX's data breach.
Like TJX, BJ's was sued by financial institutions affected by fraud when customer data was stolen, and it spent millions of dollars to hire lawyers and then fix the problem. BJ's was forced to implement a comprehensive information-security program subject to third-party audits every other year for the next two decades. The FTC also required BJ's to designate at least one employee to coordinate and be accountable for the company's information-security program, which identifies risks to customer data, designs and implements safeguards for that data, and ensures the company is compliant with the FTC's demands.
Meanwhile, banks, retailers, and payment organizations like Visa and MasterCard aren't likely to have seen the last of the fraudulent activity resulting from the TJX attack. A CFO for one West Coast credit union told InformationWeek that on Tuesday he received a notice from Visa advising him that Visa Investigations & Incident Management may in the coming days report more compromised accounts associated with the incident. "It looks like TJX and Visa have identified more fraudulent card use and are sending out yet another list of compromised cards," the CFO says. "This notification from Visa is basically saying, 'Get ready, here comes some more.'"