Transcript

Build and Maintain a Secure Network
  1. Install and maintain a firewall configuration to protect cardholder data
  2. Do not use vendor-supplied defaults for system passwords and other security parameters

Protect Cardholder Data
  3. Protect stored data
  4. Encrypt transmission of cardholder data across open, public networks

Maintain a Vulnerability Management Program
  5. Use and regularly update anti-virus software
  6. Develop and maintain secure systems and applications

Implement Strong Access Control Measures
  7. Restrict access to cardholder data by business need-to-know
  8. Assign a unique ID to each person with computer access
  9. Restrict physical access to cardholder data

Regularly Monitor and Test Networks
  10. Track and monitor all access to network resources and cardholder data
  11. Regularly test security systems and processes

Maintain an Information Security Policy
  12. Maintain a policy that addresses information security

Policies and Prevention

Where was the weakness?

  • Main Attack Vector: Wardriving
  • Lack of compliance with PCI
  • No WPA or WPA2
  • Improper Data Storage
      • Full Magnetic Strip
      • CID
      • PIN/PIN Block
      • PAN Not Encrypted/Keys not Protected
  • Plain Text Transfers of PII Credit Card Info During Transaction
  • Poor Encryption/No Policies on Standards
  • Public Access Vulnerabilities
      • Job Application Kiosks on the Main Network
  • Retaining Personal Information on Databases Without Purging
  • TJX had poor traffic logs
  • Access control
  • Identify and control sensitive data
  • Secure implementations
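Two of the weaknesses above, kiosks on the main network and poor traffic logs, are the same segmentation failure seen from two sides: untrusted hosts could reach the systems holding card data, and nobody was reviewing the flows that would have shown it. The following is an added example, not material from the presentation or from TJX, of the deny-by-default check an analyst would run over firewall logs to surface such flows. The subnets, addresses, ports, log format and log lines are all constructed for the example.

```python
"""Added example (not from the presentation): flag permitted flows into the
cardholder data environment (CDE) from segments that should never reach it.
Subnets, addresses, ports and log lines are constructed for this example."""
import ipaddress
import re
from collections import Counter

CDE_NET = ipaddress.ip_network("10.10.0.0/24")                # assumed cardholder data environment
ALLOWED_CDE_CLIENTS = [ipaddress.ip_network("10.20.0.0/24")]  # assumed POS segment: the only approved source

# Assumed firewall log format: "<timestamp> ALLOW|DENY <src>:<sport> -> <dst>:<dport>"
LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<action>ALLOW|DENY) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+)$"
)

# Constructed sample: 10.50.0.0/24 plays the job-application kiosk segment,
# 192.168.100.0/24 plays guest Wi-Fi, 10.10.0.5 is the card database.
SAMPLE_LOG = """\
2024-01-17T10:01:05 ALLOW 10.50.0.21:50321 -> 10.10.0.5:1433
2024-01-17T10:01:07 ALLOW 10.20.0.8:44012 -> 10.10.0.5:1433
2024-01-17T10:02:11 DENY 192.168.100.3:51002 -> 10.10.0.5:1433
2024-01-17T10:03:45 ALLOW 10.50.0.21:50330 -> 10.10.0.7:445
2024-01-17T10:04:00 ALLOW 10.50.0.22:50331 -> 203.0.113.9:443
this line is deliberately malformed and must be skipped
"""


def parse_line(line: str):
    """Return an event dict for a well-formed line, None otherwise.
    Malformed lines are skipped rather than aborting the whole review."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    ev = m.groupdict()
    ev["src"] = ipaddress.ip_address(ev["src"])
    ev["dst"] = ipaddress.ip_address(ev["dst"])
    ev["sport"], ev["dport"] = int(ev["sport"]), int(ev["dport"])
    return ev


def is_cde_violation(ev: dict) -> bool:
    """Deny-by-default view: any permitted flow into the CDE whose source is not
    an approved client segment is a violation, whatever the destination port.
    DENY lines are not violations; the firewall did its job there."""
    if ev["action"] != "ALLOW" or ev["dst"] not in CDE_NET:
        return False
    return not any(ev["src"] in net for net in ALLOWED_CDE_CLIENTS)


def find_violations(lines) -> list:
    """All violating events, in log order."""
    events = (parse_line(line) for line in lines)
    return [ev for ev in events if ev is not None and is_cde_violation(ev)]


def summarize(violations) -> dict:
    """Count per source address: one kiosk repeatedly reaching the CDE is the signal."""
    return dict(Counter(str(ev["src"]) for ev in violations))


if __name__ == "__main__":
    hits = find_violations(SAMPLE_LOG.splitlines())
    for ev in hits:
        print(f"{ev['ts']} {ev['src']} -> {ev['dst']}:{ev['dport']} "
              "reached the CDE from an unapproved segment")
    print(summarize(hits))
```

The check is written as an allow-list rather than a list of known-bad subnets on purpose: a kiosk segment nobody thought to blacklist is exactly the case that slips through a deny-list. Run over the constructed sample it reports the two kiosk flows into the card database and leaves the POS flow and the blocked guest-Wi-Fi attempt alone.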

TJX: Security Breach

by: Mark Cooke, David Diserens, Mike Gorman, & Steve Roe

Attackers

Mastermind: Albert Gonzalez, currently serving a 20-year sentence in federal prison

Accomplices: ten other hackers

Recommended Policies

  • Full Compliance with PCI Standards
  • Proper Encryption
  • Regularly Purge Data
  • PAN is Unidentifiable
  • Internal Baseline Audits, Quarterly
  • External Audits, Annually
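The "Improper Data Storage" items in the weakness list and the "Proper Encryption", "Regularly Purge Data" and "PAN is Unidentifiable" policies above are two views of PCI DSS requirement 3. The following is an added example, not the presentation's or TJX's code, of what those policies look like in a merchant's transaction store: sensitive authentication data (full track, CID, PIN block) is never written after authorization, the PAN is replaced by a random token and a masked display form, a keyed hash allows matching a card across transactions without storing it, and a retention window purges old records. It goes slightly beyond the slides by adding a Luhn check and a token vault; the retention period, key, card numbers and field names are assumptions constructed for the example.

```python
"""Added example (not from the presentation): storing cardholder data so that
the PAN is unidentifiable, sensitive authentication data is never retained,
and old records are purged. Retention period, key and card numbers are constructed."""
import hashlib
import hmac
import secrets
from datetime import date, timedelta

# Sensitive authentication data: PCI DSS forbids storing these after authorization,
# even encrypted. The weakness slide lists exactly these items as retained.
SENSITIVE_AUTH_FIELDS = {"track_data", "cid", "pin_block"}

RETENTION_DAYS = 90  # assumed business-justified retention period


def luhn_valid(pan: str) -> bool:
    """Mod-10 check digit test; rejects mistyped PANs before anything is stored."""
    if not pan.isdigit():
        return False
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:                       # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Display form: at most the first six and last four digits remain visible."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def pan_index(pan: str, key: bytes) -> str:
    """Keyed hash for matching a card across transactions without storing the PAN.
    A plain SHA-256 of a 16-digit PAN is brute-forceable from its BIN range, so the
    secret key (protected with the rest of the key material) is what makes this safe."""
    return hmac.new(key, pan.encode(), hashlib.sha256).hexdigest()


class TokenVault:
    """Maps random surrogate tokens to PANs. The vault is the only place the real
    PAN lives and is the component that must sit inside the protected segment."""

    def __init__(self):
        self._pans = {}

    def tokenize(self, pan: str) -> str:
        token = secrets.token_hex(16)        # carries no information about the PAN
        self._pans[token] = pan
        return token

    def detokenize(self, token: str) -> str:
        return self._pans[token]


def record_transaction(raw: dict, vault: TokenVault, key: bytes, today_iso: str) -> dict:
    """Build the only record the merchant database keeps after authorization.
    `raw` is what the terminal received; every field in SENSITIVE_AUTH_FIELDS
    is deliberately not copied, and the clear PAN leaves with the vault token."""
    pan = raw["pan"]
    if not luhn_valid(pan):
        raise ValueError("invalid PAN")
    return {
        "token": vault.tokenize(pan),
        "pan_masked": mask_pan(pan),
        "pan_index": pan_index(pan, key),
        "amount": raw["amount"],
        "date": today_iso,                   # ISO date string, e.g. "2024-01-17"
    }


def purge_expired(records: list, today_iso: str, retention_days: int = RETENTION_DAYS) -> list:
    """Retention policy: keep only records inside the retention window."""
    cutoff = date.fromisoformat(today_iso) - timedelta(days=retention_days)
    return [r for r in records if date.fromisoformat(r["date"]) >= cutoff]


if __name__ == "__main__":
    key = secrets.token_bytes(32)            # constructed; a real key comes from the HSM/key store
    vault = TokenVault()
    swipe = {"pan": "4111111111111111", "track_data": "constructed-track", "cid": "123",
             "pin_block": "constructed-pin-block", "amount": 42.50}   # constructed swipe
    rec = record_transaction(swipe, vault, key, "2024-01-17")
    print(rec["pan_masked"], "stored; retained SAD fields:",
          sorted(SENSITIVE_AUTH_FIELDS & rec.keys()) or "none")
```

The design point is that the merchant database never holds anything an attacker could turn back into a usable card: the token is random, the masked PAN is what the receipt already shows, and the HMAC index cannot be reversed without the key. Purging is a separate function so it can run on a schedule independent of the transaction path, which is what "Regularly Purge Data" asks for.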

The Incident

  • TJX Corporation Servers Compromised Over WiFi
  • Credit Card Information Stolen and Sold
  • 45.7 Million Pieces of PII Were Stolen

Policies Recommended for Implementation by PCI

Conclusion

  • Listed as the Largest Credit Card Theft in History
  • Compromised data dated back to 2003
  • Policies were already established
  • Implementation was the problem
  • Network was too open
  • Cardholder data was retained for too long
  • Card Data was not Encrypted Properly
  • Businesses must be concerned not only with their finances but with their customers as well

References

Berg, G. G., Freeman, M. S., & Schneider, K. N. (2008, August). Analyzing the TJ Maxx Data Security Fiasco. The CPA Journal.

Evans, J. (2007, January 18). T.J. Maxx hack exposes consumer data. CNET News.

Jewell, M. (2007, March 30). T.J. Maxx theft believed largest hack ever. NBC News.

Lotzke (2007). The TJ Maxx Credit Card Incident.

Payment Card Industry Data Security Standard (2010, October). Requirements and Security Assessment Procedures, 34.

Payment Card Industry Data Security Standard (2011, August). Standards Overview, 1.

Wireless Special Interest Group, PCI Security Standards Council (2011, August). Information Supplement: PCI DSS Wireless Guidelines, 23.
