Friday, December 21, 2007

Could PCI Stem Voter Fraud?

It could happen, if a report out of Ohio is any indication. Came upon this interesting post over at the TreasuryInstitute's blog on yet another use for PCI standards. They point to an interesting study (download here) that used PCI DSS as a benchmark to assess the integrity of voting systems in Ohio.

A team of computer scientists was commissioned by the Ohio Secretary of State to "assess the reliability, accessibility, and security of electronic voting systems used in Ohio." The team compared the systems against a common baseline of information security practices -- in this case PCI DSS -- to determine the security risk in voting systems used in the state. The report notes that "The framework was originally designed to be applied to credit card processing systems, but easily extends itself to any form of critical data." It makes sense.

Ohio has long been considered a state crucial to the outcome of past presidential elections, and voter fraud in that state has been a hot topic. As a result of the security assessment, Jennifer Brunner, Ohio's secretary of state, has said that the voting system in Ohio is insecure and is proposing to replace all of the state's voting machines with optical-scan machines for a more secure and clear audit trail.

Wednesday, December 5, 2007

The TJMaxx Lesson

Visa has struck a deal with TJMaxx to settle what may be the biggest breach of customer data in history. According to published reports, TJMaxx has offered $40.9 M US as a settlement over its security incident and has until 2009 to be fully compliant with PCI DSS.

The TJMaxx incident was certainly bad for consumers. Some estimates claim that close to 100 million customer accounts were compromised, while TJMaxx publicly acknowledged 45 million compromised customer accounts in a statement last year. In an effort to prevent future incidents, legislation was proposed in several states to compel businesses to secure customer data. Proposals were drafted in California, Illinois and a few other states.

Ironically, the "TJMaxx lesson" has been good for Level 1 retailers and for the security industry providing PCI compliance solutions. The discount retailer had some unfortunate timing on its disclosure, and as the first big breach of customer data to gain broad exposure it quickly became the litmus test for other Level 1s. It is a great reference for what is compliant and what is not.

Under the recently announced deal, it seems that Visa will continue to work with TJMaxx and has agreed to reduce some fines. Some critics have said that the company has fared well throughout this ordeal and point to strong sales. But fines are only one of the costs that TJMaxx, or any retailer caught in this situation, must endure. Damage to reputation and other indirect costs are immeasurable.

An interesting part of the settlement agreement between Visa and TJMaxx requires the merchant to promote PCI DSS and raise awareness of the risks of noncompliance for the next two years. Talk about being the poster child for PCI DSS compliance!

December 31st marks the next major deadline in PCI compliance, as Level 2 merchants must be in compliance by then. Level 2 merchants should heed the "TJMaxx lesson" and make sure they can prove their conformance. Being the first to fail is not a good thing, as we have learned. And retailers have a bad case of PCI confusion, according to eWeek's Evan Schuman.

To help minimize any confusion, today we started offering a quick-start Site Certification program, priced from $139.99 US for a single IP address for the first year, to help Level 2s (and others!) meet the upcoming deadline or simply reduce the overall risks associated with payment card processing. It's usually $699, so that is an 80% savings to jumpstart your PCI compliance program.

Call us. 801 705 5665. We love to talk about PCI :-) We can handle all of your PCI issues -- from forensics after an attack to scanning to auditing to designing a strategy tailored to your needs. We've seen it all. Really.