Build and Maintain a Secure Network
  1. Install and maintain a firewall configuration to protect cardholder data
  2. Do not use vendor-supplied defaults for system passwords and other security parameters
Protect Cardholder Data
  3. Protect stored cardholder data
  4. Encrypt transmission of cardholder data across open, public networks
Maintain a Vulnerability Management Program
  5. Use and regularly update anti-virus software
  6. Develop and maintain secure systems and applications
Implement Strong Access Control Measures
  7. Restrict access to cardholder data by business need-to-know
  8. Assign a unique ID to each person with computer access
  9. Restrict physical access to cardholder data
Regularly Monitor and Test Networks
  10. Track and monitor all access to network resources and cardholder data
  11. Regularly test security systems and processes
Maintain an Information Security Policy
  12. Maintain a policy that addresses information security
Policies and Prevention
Where was the weakness?
- Main attack vector: wardriving. Store wireless LANs were not protected with WPA or WPA2 (TJX relied on WEP, which is trivially cracked), so an attacker in the parking lot could join the store network.
- Lack of compliance with PCI DSS.
- Improper data storage: sensitive authentication data that PCI DSS forbids keeping after authorization was retained
  - full magnetic stripe (track) data
  - CID (card verification code)
  - PIN / PIN block
- PAN not encrypted; encryption keys not protected.
- Cardholder data transferred in plain text during transactions.
- Poor encryption and no policies setting encryption standards.
- Public-access vulnerabilities: job-application kiosks sat on the main corporate network instead of a segregated segment.
- Personal information retained in databases without purging.
- Poor traffic logging, so the intrusion went unnoticed for an extended period.
Three control areas that failed:
- Access control
- Identifying and controlling sensitive data
- Secure implementation of the controls that policy already required
Mastermind: Albert Gonzalez
Currently serving a 20-year sentence in federal prison
TJX: Security Breach
by:
Mark Cooke, David Diserens,
Mike Gorman, & Steve Roe
Recommended Policies
- Full compliance with the PCI DSS requirements
- Proper encryption of cardholder data at rest and in transit, with encryption keys protected
- Regular purging of cardholder data once it is no longer needed for business
- PAN rendered unreadable wherever it is stored (truncation, keyed hashing or strong encryption)
- Internal baseline audits, quarterly
- External audits, annually
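A storage-side check that ties the weaknesses listed above to the recommended policies, as an added Python example (not code from this presentation, from TJX or from the PCI Security Standards Council). It scans constructed sample records for the data TJX should never have kept after authorization (full track data, CID, PIN blocks), for cleartext PAN found by a Luhn check, and for records held past a retention window, and it shows a PAN rendered unreadable by truncation plus a keyed hash. The key, the dates, the records and the retention period are constructed assumptions.

```python
"""PCI DSS storage check over constructed records.

Added example, not code from the TJX presentation, TJX or the PCI SSC.
It flags the storage failures named in the slides (track data, CID, PIN
blocks, cleartext PAN, no purging) and shows the PAN rendered unreadable.
"""
import hashlib
import hmac
import re
from datetime import date, timedelta

# Track 2 as encoded on the magnetic stripe: ;PAN=YYMM<service code><discretionary>?
TRACK2_RE = re.compile(r";\d{13,19}=\d{4}\d{3}\d*\?")
# Track 1: %B<PAN>^<NAME>^YYMM...
TRACK1_RE = re.compile(r"%B\d{13,19}\^[^^]{2,26}\^\d{4}")
# Candidate PAN: a 13-19 digit run, confirmed with the Luhn check below
PAN_RE = re.compile(r"\b\d{13,19}\b")


def luhn_ok(digits):
    """Luhn check-digit test; true for a well-formed card number."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def render_unreadable(pan, key):
    """What Requirement 3.4 allows instead of a stored PAN: truncation
    (first six, last four) plus a keyed hash for record matching. The key
    must live outside the database (HSM or key server); an unkeyed hash is
    brute-forceable over the small PAN space."""
    return {
        "pan_truncated": pan[:6] + "*" * (len(pan) - 10) + pan[-4:],
        "pan_token": hmac.new(key, pan.encode(), hashlib.sha256).hexdigest(),
    }


def find_violations(record, today, retention_days):
    """Return the Requirement 3 problems found in one stored record."""
    problems = []
    blob = " ".join(str(v) for v in record.values())
    if TRACK1_RE.search(blob) or TRACK2_RE.search(blob):
        problems.append("3.2.1 full track (magnetic stripe) data stored")
    if record.get("cid"):
        problems.append("3.2.2 card verification code (CID/CVV2) stored")
    if record.get("pin_block"):
        problems.append("3.2.3 PIN or PIN block stored")
    if any(luhn_ok(p) for p in PAN_RE.findall(blob)):
        problems.append("3.4 PAN stored in cleartext")
    if today - record["captured"] > timedelta(days=retention_days):
        problems.append("3.1 held past retention period; should have been purged")
    return problems


def audit(records, today, retention_days=365):
    """Map record id -> violations; an empty list means the record is compliant."""
    return {r["id"]: find_violations(r, today, retention_days) for r in records}


# Constructed sample data (assumptions, not TJX's records).
KEY = b"assumed-key-held-in-hsm"
TODAY = date(2007, 1, 17)
RECORDS = [
    # the TJX pattern: everything off the stripe kept, for years
    {"id": 1, "captured": date(2005, 3, 14),
     "track": ";4111111111111111=0912101123456789?",
     "cid": "123", "pin_block": "A1B2C3D4E5F6A7B8"},
    # authorization data discarded, but the PAN is still cleartext
    {"id": 2, "captured": date(2006, 11, 2),
     "pan": "4012888888881881", "cid": "", "pin_block": ""},
    # compliant: PAN truncated and tokenised, nothing else retained
    {"id": 3, "captured": date(2006, 12, 30), "cid": "", "pin_block": "",
     **render_unreadable("4012888888881881", KEY)},
]

if __name__ == "__main__":
    for rid, problems in audit(RECORDS, TODAY).items():
        print(rid, problems or "compliant")
```

Running the block reports five findings on record 1, one on record 2 and none on record 3; the retention check is the purge policy from the list above turned into something a quarterly internal audit can actually execute against the database.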
The Incident
- TJX Companies' servers were compromised over store WiFi
- Credit card information was stolen and sold
- At least 45.7 million card numbers were stolen (TJX's disclosed figure)
Policies Recommended for Implementation by PCI
Conclusion
- Reported at the time as the largest credit card theft in history
- Compromised data dated back to 2003
- Policies were already established; implementation was the problem
- The network was too open
- Cardholder data was retained for too long
- Card data was not encrypted properly
- Businesses must protect not only their own finances but their customers' data as well
References
Berg, G. G., Freeman, M. S., & Schneider, K. N. (2008, August). Analyzing the TJ Maxx Data Security Fiasco. The CPA Journal.
Evans, J. (2007, January 18). T.J. Maxx hack exposes consumer data. CNET News.
Jewell, M. (2007, March 30). T.J. Maxx theft believed largest hack ever. NBC News.
Lotzke (2007). The TJ Maxx Credit Card Incident.
Payment Card Industry Data Security Standard (2010, October). Requirements and Security Assessment Procedures, p. 34.
Payment Card Industry Data Security Standard (2011, August). Standards Overview, p. 1.
Wireless Special Interest Group, PCI Security Standards Council (2011, August). Information Supplement: PCI DSS Wireless Guidelines, p. 23.