Was Forever 21 wrongly certified PCI compliant?

Angela Moscaritolo, SC Magazine, October 03, 2008

Breached clothing retailer Forever 21, which last week said it has been Payment Card Industry (PCI) compliant since 2007, apparently should never have been certified.
The Los Angeles-based company told a retail blog this week that its PCI Data Security Standard assessor failed to unearth tens of thousands of credit card files that it was unknowingly storing, despite not being authorized to retain them.

Forever 21 suffered a major data breach when hackers gained access to 98,930 credit and debit card numbers. Shoppers were advised in a Sept. 25 letter that they may be affected if they used their cards on five dates in 2004 and four dates in 2007.

But according to the StorefrontBacktalk blog, Forever 21 said its PCI assessor missed some credit card files that were accidentally being retained within other files -- yet the merchant was still certified. A Forever 21 spokesperson could not be reached for comment by SCMagazineUS.com, despite repeated tries.

“What it says to the industry is, unfortunately, either the rubber stamp is occurring or [Forever 21] itself drove the [compliance] scoping and they made considerations on what to secure,” Ken Stasiak, president and CEO of Secure State, a PCI assessor, told SCMagazineUS.com on Friday.

Stasiak said that while compliance mandates are beneficial, being deemed compliant does not always mean one is secure. He said he has seen a number of other clients who were certified as PCI compliant but suffered breaches.

“Companies need to get out of the mentality that if they are compliant, they are secure,” Stasiak said.

Sushila Nair, product manager of BT, agreed. She said high-profile data breaches are proof that security is needed and that retailers should be aiming for the baseline that PCI sets -- and higher.

“PCI had raised the bar on security,” she told SCMagazineUS.com. “It has at least put in a baseline of security. But without really implementing real-time monitoring, we don't have a clear picture of what's happening on our network.”
After a breach this year involving 4.2 million compromised credit and debit card numbers at the Hannaford grocery store chain, the retailer claimed it had been PCI compliant. However, Bob Russo, general manager of the PCI Security Standards Council -- charged with administering the PCI guidelines -- disputed this. He said in a podcast this week with SCMagazineUS.com that he knows of no companies that have been breached while they have been in compliance with the standards.
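The story turns on card numbers that sat inside unrelated files and were never found by the assessor. As an added illustration (not code from the article, Forever 21 or its assessor), here is the kind of cardholder-data discovery scan that catches exactly that: it walks constructed sample file contents, pulls out digit runs that look like a primary account number, keeps only those that pass the Luhn check, and reports them masked so the scan itself does not become a new store of card data.

```python
import re

# Constructed sample file contents (not real data): one card number buried in
# a CSV export, one in an application log, and digit runs that must NOT match
# (a phone number, a date, a SKU that fails the Luhn check).
SAMPLE_FILES = {
    "orders_export.csv": 'id,customer,note\n17,A. Smith,"paid with 4111 1111 1111 1111 ref 20040613"\n',
    "app.log": "2007-09-12 10:01:22 INFO checkout ok pan=5500000000000004 amt=49.99\n",
    "inventory.txt": "sku 12345678901234 qty 3\nphone 800-555-0199\n",
}

# 13 to 19 digits, optionally separated by single spaces or dashes, and not
# glued to neighbouring digits on either side.
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_ok(digits: str) -> bool:
    """Luhn mod-10 check: doubles every second digit from the right."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def find_pans(text: str) -> list:
    """Return every Luhn-valid candidate PAN in text, separators removed."""
    hits = []
    for m in PAN_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if luhn_ok(digits):
            hits.append(digits)
    return hits


def mask(pan: str) -> str:
    """Keep first six and last four digits, the usual PCI display rule."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def scan_files(files: dict) -> dict:
    """Map each file name that contains card data to its masked PANs."""
    report = {}
    for name, content in files.items():
        hits = find_pans(content)
        if hits:
            report[name] = [mask(p) for p in hits]
    return report


if __name__ == "__main__":
    for name, pans in scan_files(SAMPLE_FILES).items():
        print(f"{name}: {', '.join(pans)}")
```

Run against real storage, the same logic would read files from disk instead of the embedded dictionary; the Luhn filter is what keeps dates, phone numbers and SKUs out of the findings.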