Will the Target fallout shift focus away from compliance?
While in the check-out line at Target recently, I observed an interesting exchange that shows just how deep the impact from Target’s massive data breach has been. While rummaging for bills in her wallet, the woman in front of me in line asked the cashier whether anyone still used their credit card at Target anymore. The cashier could only shrug, but the fact that two ordinary people were discussing the impact of a data breach was remarkable, and Target’s recent sales numbers show that people aren’t only nervous about using credit cards at Target, they are avoiding the retailer altogether. Only 33 percent of US households shopped at Target in January of 2014, a 22 percent decline from 2013, and Target’s lowest level of shopper penetration in the last three years.
This is bleak news for a company that has already generated an enormous amount of negative publicity, publicity that has led to a U.S. Senate hearing, a restructuring of Target’s corporate leadership, and even a change in Target’s employee dress code.
“The days of a company skating through a data breach without any long-term damage are over.”
Those who have been in the security industry for a while know that this is certainly a change from what we’re used to seeing. Back in 2007, when retailer TJ Maxx suffered a breach almost as large as Target’s, it elicited a collective yawn from the general public. TJ Maxx saw its stock price drop temporarily after the breach, but it quickly recovered and has performed extremely well in the years since. This pattern has been common, and it caused many of us in security to question whether what we were doing was having any impact at all. If suffering a breach didn’t affect an organization’s bottom line or reputation, was there any value in preventing breaches?
This attitude at times has made it difficult for CISOs to gain funding for security initiatives, as the impact from breaches was difficult to quantify for cost-conscious boards and executives.
Target’s sluggish sales numbers demonstrate that the days of a company skating through a data breach without any long-term damage are over. Target has a long road ahead of it in terms of restoring its brand and reputation, but Target is not an outlier in the retail industry. Consumers worried about protecting their identities and credit card information are misplacing their concerns if they confine them to Target specifically. The sheer number of retail sector data breaches – Neiman Marcus and Michaels are two other recent victims – shows that the problem is systemic. The retail and credit card industries both need to reexamine their security protocols.
“PCI – the compliance standard for retailers processing credit card data – is clearly not preventing POS systems from being hacked.”
PCI – the compliance standard for retailers processing credit card data – is clearly not preventing POS systems from being hacked. One thing PCI does do is provide retailers with a false sense of security: Target and Neiman Marcus were both certified as PCI-compliant. As an industry, it’s time for retailers to recognize that PCI compliance may be a requirement, but it won’t shield your business from being breached and suffering the now tangible negative consequences. Consumers aren’t showing Target any sympathy for suffering a breach despite being PCI-compliant.
While retailers can’t avoid PCI, they can decide to make compliance with it their security floor rather than their ceiling. Retailers may be in the spotlight right now, but this applies to organizations in all industries. Organizations should follow Aaron’s advice: achieve compliance in as simple a way as possible, and focus resources on identifying and addressing the most relevant threats.
It’s unfortunate that this breach is having such a negative economic impact on Target’s business and customers, but if anything positive comes out of this, it should be a wakeup call that security breaches can and do have significant business consequences. Striving for regulatory compliance only gets you a checkbox.
UPDATE: The fallout continues, as PCI auditor Trustwave has been sued by two banks claiming damages from the Target breach. While we’ll refrain from comment on the lawsuit, this episode is further evidence that equating compliance with security will lead to problems down the road for both enterprises and their customers.