Wednesday, August 27, 2008

Best Western: PCI Compliant and Hacked

While the details are still murky on the number of records impacted (somewhere between 13 and 8 million), it appears that we have a security breach of another high profile corporation claiming PCI compliance at the time of breach. SC Magazine has the story here.

Here is Best Western's statement on the breach:
“We comply with the Payment Card Industry (PCI) Data Security Standards (DSS). To maintain that compliance, Best Western maintains a secure network protected by firewalls and governed by a strong information security policy. We collect credit card information only when it is necessary to process a guest’s reservation; we restrict access to that information to only those requiring access and through the use of unique and individual, password-protected points of entry; we encrypt credit card information in our systems and databases and in any electronic transmission over public networks; and again, we delete credit card information and all other personal information upon guest departure. We regularly test our systems and processes in an effort to protect customer information, and employ the services of industry-leading third-party firms to evaluate our safeguards.”
Obviously, the facts are still murky, but it will be interesting to see what, if any, protection PCI compliance will have from a liability perspective and a "safe harbor" perspective.

1 comment:

Rafal said...

PCI Compliant but not *actually secure*... that's interesting isn't it?

Makes you think about the purpose of PCI Compliance doesn't it? Is PCI Compliant meant to mean totally secure? Or does PCI Compliance describe a state of higher security, where you're "more secure" and "less risky"... I know people bash PCI Compliance regulations all the time, and I'm inclined to do the same but the reality is - it raises the bar (we'd like to hope) for application hackers and would-be data thieves.

... fascinating, this world of compliance vs. security, huh?