Posted in Insider Threat Management

PCI and the Playstation Effect: What we should learn from TJMaxx


Last month’s highly publicized breach of the Sony PlayStation Network exposed customer data for over 70 million users, and for some of those users that data included credit card details. (Sony has not publicly said exactly how many of the affected customers had card data on file.)

It’s still early in the investigation, but I am quite sure that the fallout from this event will mimic the events surrounding the TJMaxx breach in 2007:

Direct Impact – Just as TJMaxx had to cough up a big-bucks settlement ($41M), expect Sony to take a big hit too. For TJMaxx, it was still early in the security/PCI lifecycle. Sony should have known better by now and has had more time to learn the lesson, so I expect its penalty to be much larger.

Indirect Impact – From 2007 to 2009, the word “TJMaxx” served as both a byword and a warning beacon: “If you’re not up to date and ahead of the curve, you’ll become the next TJMaxx!!!” From my viewpoint, TJMaxx was one of the major reasons that PCI DSS compliance became such a hot-button issue.

And that’s the bottom line of what I think we should learn now. All signs point towards another major uptick in PCI compliance expectations, and you can expect to hear the words “Sony PlayStation” a lot from CEOs. They will be right to be concerned. The PCI Security Standards Council and the card brands behind it are no longer playing the nice guy. They are changing gears, with the underlying message shifting from “Please comply” to “Be compliant, or else!”

The uptick will really take off when Sony’s financial settlement is announced. I suggest that you stay ahead of the game. When your CEO comes to you glazed-eyed with a copy of the Wall Street Journal headlined “Sony pays up a gajillion dollars”, be ready with a clear response. If you can’t say “Don’t worry, we are already compliant”, you should at least be ready to say “I know, and this is how we can become compliant…”

On that matter, I encourage you to check out this whitepaper on achieving PCI compliance.

Oh, and I also suggest that you check your credit card statements if you are a PlayStation gamer ;)