Fallout From TJX Credit Card Scandal - Page 2
Gartner security analyst Avivah Litan concurs. "These systems weren't built with security in mind, and when they were rolled out, there weren't cybercriminals this sophisticated," she said.
Litan adds, "I don't think it's practical to expect retailers to plug every hole. Certainly they can deal with the sloppy holes. They've made a lot of progress with PCI compliance. But the blame has to go around a little bit. It's also the banks' problem. The point of sale systems are owned by the banks, and they need to upgrade their payment systems architecture."
The importance of monitoring
Still, there is some liability for the stores, because they didn't monitor their own systems, argued Anthony James, vice president of products for Fortinet, a threat management provider.
"You need to monitor your database and provide some security mechanism when it looks like an abundance of data is being downloaded in one SQL statement," he said. "It looks on the surface that there was not a lot of due diligence done on the back end. There are plenty of tools out there that look for that kind of activity so it can be stopped."
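As an added illustration of the kind of check James describes (example code, not from the article or from Fortinet): a small Python detector that reads a constructed, hypothetical database audit log and flags any single statement that returns far more rows than that database user normally pulls, using a per-user median so one huge read does not inflate its own baseline.

```python
import statistics

# Constructed sample audit log (hypothetical format: timestamp | db_user |
# rows_returned | statement). Not real data from any retailer.
SAMPLE_AUDIT_LOG = """\
2007-01-18T09:01:12 | pos_app    | 1       | SELECT * FROM cards WHERE txn_id = ?
2007-01-18T09:01:15 | pos_app    | 1       | SELECT * FROM cards WHERE txn_id = ?
2007-01-18T09:01:19 | pos_app    | 2       | SELECT * FROM cards WHERE cust_id = ?
2007-01-18T09:02:03 | report_svc | 480     | SELECT store, count(*) FROM txns GROUP BY store
2007-01-18T09:02:44 | pos_app    | 1       | SELECT * FROM cards WHERE txn_id = ?
2007-01-18T23:14:07 | pos_app    | 1250000 | SELECT * FROM cards
"""


def parse_audit_log(text):
    """Split pipe-delimited audit lines into event dicts; blank lines skipped."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, rows, stmt = (f.strip() for f in line.split("|", 3))
        events.append({"ts": ts, "user": user, "rows": int(rows), "stmt": stmt})
    return events


def per_user_baseline(events):
    """Median rows returned per user (median resists the outlier itself)."""
    by_user = {}
    for e in events:
        by_user.setdefault(e["user"], []).append(e["rows"])
    return {u: statistics.median(r) for u, r in by_user.items()}


def find_bulk_reads(events, abs_threshold=10_000, ratio=50, floor=100):
    """Flag a statement returning >= abs_threshold rows, or more than
    ratio x that user's median (counts below floor are never flagged,
    so a 2-row lookup against a 1-row median stays quiet)."""
    base = per_user_baseline(events)
    alerts = []
    for e in events:
        rows, median = e["rows"], base[e["user"]]
        if rows >= abs_threshold or (rows >= floor and rows > ratio * median):
            alerts.append({**e, "baseline": median})
    return alerts


if __name__ == "__main__":
    for a in find_bulk_reads(parse_audit_log(SAMPLE_AUDIT_LOG)):
        print(f"ALERT {a['ts']} user={a['user']} rows={a['rows']} "
              f"(median {a['baseline']}): {a['stmt']}")
```

The 480-row reporting query is left alone because it matches its own user's baseline; only the late-night full-table read from the point-of-sale account is raised.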
Both James and Sinha said a multi-layered security approach is needed. "What we preach is a multilayered security environment, to secure your database, your apps, and your access points. So if someone did get past your wireless access point, you have a second tier of security to look for someone deploying a Trojan horse," said James.
Sinha said stores should not broadcast their wireless network's ID, a suggestion James also offered, and should use strong encryption such as WPA2-Enterprise, while monitoring both intrusion attempts and outbound data. "Make sure you have wireless monitoring and intrusion detection deployed, to make sure no rogue devices try to connect to your network," he said.