Retail and PCI DSS
For better or worse, TJX Companies, which operates retail outlets including the T.J. Maxx and Marshalls chains, has become a “poster child” for inadequate security measures and for the risk and compliance programs that followed. In its earnings report for the second quarter of 2007, TJX took a $118 million after-tax charge for the quarter to cover current and potential costs arising from a major customer data breach first disclosed in January 2007. The company also said it may record an additional $21 million in non-cash charges in the future. This TJX earnings report should eliminate any remaining question about whether responding to a data breach costs more than protecting customer data. Gartner estimates that, in addition to the costs TJX has already recorded to cover current and future legal costs and consulting fees, the company will have spent an estimated $125 million (before tax) on security improvements, both before and after the breach.
The Challenge
The retail industry faces tremendous pressure to manage the payment transaction risk that flows through its operations from customer credit cards. While some in the retail industry believe the risk should fall on the banks and not on retailers, the Payment Card Industry Data Security Standard (PCI DSS), designed to protect cardholders’ personal information from IT system breaches, is here to stay. In fact, the PCI DSS mandate is working its way down to smaller retail operations, where an estimated 80% of the potential risk resides.
The Approximate Number of North American Retail Merchants Subject to PCI DSS
| No. of Merchants | Merchant Level (annual transactions) | % Compliant |
|---|---|---|
| ~350 | Level 1 = more than 6 million | 65% (50% in remediation) |
| ~750 | Level 2 = 1 to 6 million | 40% |
| ~15,000 | Level 3 = 20,000 to 1 million | 33% |
| ~6 million | Level 4 = up to 20,000 | 19% (80% of estimated risk) |
Source: Gartner and Digital Transactions News
In addition to PCI DSS, retailers must also satisfy a variety of IT-related risk and compliance regulations and mandates, many of them the same ones banks and financial services enterprises must comply with, including:
- SOX 404 (Sarbanes-Oxley Act, section 404) – requires publicly traded companies to protect the integrity of financial reporting information
- California SB 1386 – also requires protection of personal information; this law is on track to become a federal law
- EU Data Protection Directive – requires protection of personal information for businesses operating in EU countries
The Solution
Agiliance IT-GRC 3.0 provides retail enterprises with the ability to:
- Automate the PCI DSS process not only internally but among vendors and partners, reducing the cost of compliance by up to 70%
- Establish a resilient IT-GRC business process providing a holistic, real time view into risk and compliance across the enterprise, including partners and the supply chain
- Implement a robust operational IT risk program, including the use of the COSO and AS/NZ 3460 standards applied to the IT organization
- Demonstrate continuous multi-regulatory compliance with a “test once, comply with many” capability, dramatically reducing the cost and cycle time of testing and reporting while improving its quality
- Integrate and automate technical controls by leveraging existing IT investments in security and change management systems: data is taken in from vulnerability scanners, CMDBs, identity management (IdM) systems, segregation-of-duties systems and others to automatically generate reports, drill down to critical controls, and establish priorities based on the areas of highest risk
- Migrate over time to standard control frameworks such as ISO 17799/27001 and COBIT
- Create enforceable policies and monitor controls across functional and geographical boundaries and the supply chain
