Since compliance is a pet peeve of mine, I felt compelled to expand on my colleague Seema Kathuria's insightful blog regarding the Target breach. She perceptively calls out that while Target "complied" with PCI DSS guidelines, it was no excuse for not stopping a data breach. Let's be honest, Target might have met the PCI DSS guidelines, but they certainly fell short in the "leadership," "communication" and "follow-up" categories.
What they obviously did not have in place was the right leadership to drive collaboration across the different organizations that were responsible for implementing those guidelines. So what exactly did this lack of leadership cost Target other than their name? We know that their fourth quarter profits were off nearly 50% and that's just the beginning. In fact, Target said the greatest risk it faces is the negative impact on its reputation and loss of confidence of its customers. They are also facing 80+ lawsuits.
So what has Target done to rectify the situation since the breach went public? Well, they bid farewell to Chief Technical Officer Beth Jacob and began overhauling their Information Technology and Compliance division. They also launched an outside search to fill two newly created executive roles: chief compliance officer and chief information officer.
Bottom line: just because you “sign up” for the gym doesn’t mean you’re going to get fit. You’ve got to work to get in shape and you’ve got to work to stay secure. The same goes for PCI. Just because you pass a PCI audit and become PCI compliant does not mean you are secure. That is certainly a lesson Target won't forget for a very long time.