Users want pragmatic security rules

27.06.2005
By
Jaikumar Vijayan writes, among other outlets, for our US sister publication CSO Online.

The massive scope of the CardSystems Solutions security breach earlier this month is likely to fuel even more calls for new data-protection regulations and tougher enforcement of existing ones, security managers said last week.

But they cautioned that any proposed measures need to be tempered with pragmatism.

"I'm personally concerned about a knee-jerk reaction," said Karen Worstell, chief information security officer at Microsoft Corp. While guidelines for protecting specific systems are acceptable, "I don't want the government to prescribe technology fixes," she said.

"Intervention is good," said Rich Baich, CISO at ChoicePoint Inc., an Alpharetta, Ga.-based data aggregator that disclosed a major data compromise earlier this year. "But the toughest part about legislation right now is you don't know where it's coming from and you don't know what to expect."

Baich noted that state and federal legislation could conflict, causing headaches for IT operations. "Hopefully, we'll see some sort of federal guidelines," he said.

It's also impractical to mandate specific technical fixes without accounting for different classes of data or where it may exist, said a global information security director at a financial services firm who spoke on condition of anonymity.

All the same, it's very likely that the spate of incidents will renew calls for new data-protection controls, he said. In fact, expect to see such controls being mandated both internally and in situations where companies may be outsourcing key processes to third parties. From a due-diligence standpoint, it's a good idea to put controls in place for monitoring activity on the service provider network, the security director added.

The CardSystems incident will likely also lead to tougher enforcement of industry rules that require that companies managing credit card information comply with the Payment Card Industry (PCI) data security standard that's being pushed by the major credit card vendors [QuickLink 53943], analysts said. The deadline for PCI compliance is Thursday.

"The PCI standard is germane to every entity that handles cardholder information," said Michael Petitti, a senior vice president at AmbironTrustWave, a Chicago-based provider of security services for the credit card industry.

Achieving and maintaining compliance with the rules -- which are already in effect for large companies -- will become an absolute must, Petitti said.