Was Forever 21 wrongly certified PCI compliant?
Breached clothing retailer Forever 21, which last week said it has been Payment Card Industry (PCI) compliant since 2007, apparently should have never been certified.
The Los Angeles-based company told a retail blog this week that its PCI Data Security Standard assessor failed to unearth tens of thousands of credit card files that it was unknowingly storing despite being unauthorized to do so.
Forever 21 suffered a major data breach when hackers gained access to 98,930 credit and debit card numbers. Shoppers were advised in a Sept. 25 letter that they may be affected if they used their cards on five dates in 2004 and four dates in 2007.
But according to the StorefrontBacktalk blog, Forever 21 said its PCI assessor missed some credit card files that were accidentally being retained within other files -- yet the merchant was still certified.
A Forever 21 spokesperson could not be reached for comment by SCMagazineUS.com, despite repeated tries.
“What it says to the industry is, unfortunately, either the rubber stamp is occurring or [Forever 21] itself drove the [compliance] scoping and they made considerations on what to secure,” Ken Stasiak, president and CEO of Secure State, a PCI assessor, told SCMagazineUS.com on Friday.
Stasiak said that while compliance mandates are beneficial, being deemed compliant does not always mean one is secure. He said he has seen a number of other clients who were certified as PCI compliant but suffered breaches.
“Companies need to get out of the mentality that if they are compliant, they are secure,” Stasiak said.
Sushila Nair, product manager of BT, agreed. She said high-profile data breaches are proof that security is needed and that retailers should be aiming for the baseline that PCI sets -- and higher.
“PCI had raised the bar on security,” she told SCMagazineUS.com. “It has at least put in a baseline of security. But without really implementing real-time monitoring, we don't have a clear picture of what's happening on our network.”
After a breach this year involving 4.2 million compromised credit and debit card numbers at the Hannaford grocery store chain, the retailer claimed it had been PCI compliant.
However, Bob Russo, general manager of the PCI Security Standards Council -- charged with administering the PCI guidelines -- disputed this. He said in a podcast this week with SCMagazineUS.com that he knows of no companies who have been breached while they have been in compliance with the standards.