Network Computing is part of the Informa Tech Division of Informa PLC


PCI And The Circle Of Blame: Page 4 of 11

"That [customer] data is the lifeblood of every marketing and promotion campaign that runs today," Rowen says. "If you take that away from retailers, they will be back in the Stone Age."

Congress has held hearings on credit card security in the past several years. In 2005, a House bill proposed a federal law requiring customer notification when personal data is exposed. That bill did not become law, but a few more breaches like TJX's could bring the scrutiny back.

OPEN TO INTERPRETATION

There are several reasons merchants struggle to comply with PCI. One problem is a lack of understanding of just where and how credit card information flows through retail systems, including individual stores and corporate data centers. Many retail organizations also operate legacy architectures that lack sufficient security controls. For instance, credit card data may travel unencrypted between retail stores and headquarters, or even among systems within stores. Point-of-sale equipment and applications may log or store credit card numbers and magnetic stripe data, making these systems targets for thieves. PCI mandates that retailers encrypt all transmissions of card data and that point-of-sale equipment and applications not store it, which forces many retailers to upgrade their infrastructures.
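As an added illustration of the logging problem described above (example code written for this page, not from the article or any vendor), here is a small Python scanner that flags card numbers and magnetic stripe track data lingering in point-of-sale log lines, using the Luhn check to separate real PANs from order ids. The log lines are constructed, and the card numbers are public test numbers.

```python
"""Scan point-of-sale log lines for stored card data (PANs and magnetic stripe track data)."""
import re

# Candidate PAN: 13 to 19 digits, optionally separated by single spaces or dashes.
PAN_RE = re.compile(r"(?<![\d-])(?:\d[ -]?){12,18}\d(?![\d-])")
# Track 1 starts "%B<PAN>^<NAME>^", Track 2 starts ";<PAN>=<YYMM>" (ISO 7813 layouts).
TRACK_RE = re.compile(r"%B\d{13,19}\^[^^]{2,26}\^\d{4}|;\d{13,19}=\d{4}")

def luhn_ok(digits: str) -> bool:
    """Luhn mod-10 check used by card numbers; filters out digit runs such as order ids."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:                      # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def mask(pan: str) -> str:
    """Keep first six and last four digits, the form PCI allows for display."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]

def scan_line(line: str) -> list:
    """Return (kind, masked_pan) findings for one log line; track data is reported once."""
    findings, covered = [], []
    for m in TRACK_RE.finditer(line):
        pan = re.search(r"\d{13,19}", m.group()).group()
        findings.append(("track_data", mask(pan)))
        covered.append(m.span())
    for m in PAN_RE.finditer(line):
        if any(s <= m.start() < e for s, e in covered):
            continue                        # already reported as part of track data
        digits = re.sub(r"[ -]", "", m.group())
        if luhn_ok(digits):
            findings.append(("pan", mask(digits)))
    return findings

def scan_log(lines):
    """Return (line_number, finding) pairs for a whole log."""
    return [(n, f) for n, line in enumerate(lines, 1) for f in scan_line(line)]

# Constructed sample log lines (hypothetical POS format); card numbers are public test numbers.
SAMPLE_LOG = [
    "2007-03-01 10:15:02 POS-17 auth ok order=1234567890123456 amt=42.10",
    "2007-03-01 10:15:02 POS-17 DEBUG card=4111 1111 1111 1111 exp=1209",
    "2007-03-01 10:15:03 POS-17 TRACE swipe ;5500000000000004=12091011234567890?",
    "2007-03-01 10:16:40 POS-17 auth ok order=9876543210 amt=7.50",
]

if __name__ == "__main__":
    for n, (kind, masked) in scan_log(SAMPLE_LOG):
        print(f"line {n}: {kind} {masked}")
```

The 16-digit order id on the first line passes the length check but fails Luhn, so only the DEBUG and TRACE lines are reported.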

While PCI provides more concrete guidelines than, say, Sarbanes-Oxley, merchants are quick to complain that it's both too specific and too vague. For instance, the standard requires use of stateful packet inspection firewalls. "What if I choose to use another technology that I believe is equivalent?" says Michael Barrett, chief information security officer of PayPal, a Level 1 merchant. "You have a whole big fight with your auditors or you hold your nose and do it."

Level 1 merchants also clash with QSAs over issues such as "compensating controls"--technologies or processes used in place of specific requirements on the PCI checklist. "We believe our controls are adequate, but they are different from how the standard is written," Barrett says. "So you argue with auditors. Those kinds of things make you want to tear your hair out."