× The internal search function is temporarily non-functional. The current search engine is no longer viable and we are researching alternatives.
As a stop gap measure, we are using Google's custom search engine service.
If you know of an easy to use, open source, search engine ... please contact support@midrange.com.


  1.  Home
  2. MIDRANGE-L
  3. April 2007

RE: data retention and encryption ala tjmaxx

By the way, data retention very subjective because it can very based on what
the business deems as the "need" to retain the data. For instance, we have
a very liberal return policy and therefore need to be able to process a
return against the original credit card with the minimum amount of hassle to
our customer. So we try to store the information longer than other
companies might deem necessary.

It all depends on what the individual company can justify as a "business
need" and what "risk" they want to take and how comfortable they are with
storing the information.

Deb


-----Original Message-----
From: midrange-l-bounces+debbiekelemen=hotmail.com@xxxxxxxxxxxx
[mailto:midrange-l-bounces+debbiekelemen=hotmail.com@xxxxxxxxxxxx] On Behalf
Of DebbieKelemen
Sent: Monday, April 02, 2007 4:08 PM
To: 'Midrange Systems Technical Discussion'
Subject: RE: data retention and encryption ala tjmaxx

We are currently in the process of going through the evaluation process. We
have hired an outside firm to assist us. We are also going through and
writing a whole series of policies which we have to start following. (I
should know I have been right in the middle of all of this.)



Luckily our software is already PCI compliant, except for the software we
use in the retail store and it is currently in the process of being
validated by the vendor. It all uses encryption to store the data.



The are a lot of rules to follow. But I know I wouldn't want to be in the
shoes of the folks at TJ Max for anything right now.



Debbie Kelemen

Sr. Programmer/Analyst



(719) 272-2617

email: <mailto:dkelemen@xxxxxxxxxxxxxxxx> dkelemen@xxxxxxxxxxxxxxxx

web: <http://www.chefscatalog.com/> www.chefscatalog.com





-----Original Message-----
From: midrange-l-bounces@xxxxxxxxxxxx
[mailto:midrange-l-bounces@xxxxxxxxxxxx] On Behalf Of Al Mac
Sent: Saturday, March 31, 2007 9:15 AM
To: Midrange Systems Technical Discussion
Subject: RE: data retention and encryption ala tjmaxx



If you are a governmnet agency, it may be legitimate to ignore the rules.



Recently it was learned that people who pay for driver's licenses on-line

via credit card to state of Indiana DMV got breached because the state

government could not bother to adhere to the PCI standard. The state

probably has the clout to force credit card industry to look the other way

with them. There are tons of stories of similar breaches other states, and

federal government agencies.



But for everyone else, you break the rules, then down the line you can face

millions of dollars in FTC fines, tons of law suits, withdrawal of credit

card industry support which can be so important to some enterprises that

this ultimately leads to bankrupsy, such as with Card Systems.



Some have tried to use the excuse that they installed software in total

ignorance of what it was doing. That works for PR spin to some consumers,

but does not protect them from law suits, fines, and could undermine future

consumer confidence.



For more on this topic in general, check out discussion group

Dataloss http://attrition.org/dataloss

Archives <http://attrition.org/pipermail/dataloss>



Al Macintyre



By accepting credit cards (Visa at a minimum but pretty much everyone

else is on board) your customers have probably agreed to adhere to the

Payment Card Industry Data Security Standard.

https://www.pcisecuritystandards.org/ has a link to the standard itself.





I haven't read it through but my understanding is that the ramifications

for violating PCI can include heavy fines and loss of ability to accept

credit cards. I'd urge following whatever guidelines it provides.



--

John A. Jones, CISSP

Americas Information Security Officer

Jones Lang LaSalle, Inc.

V: +1-630-455-2787 F: +1-312-601-1782

john.jones@xxxxxxxxxx



-----Original Message-----

From: midrange-l-bounces@xxxxxxxxxxxx

[mailto:midrange-l-bounces@xxxxxxxxxxxx] On Behalf Of Jim Franz

Sent: Friday, March 30, 2007 1:18 PM

To: MIDRANGE-L@xxxxxxxxxxxx

Subject: data retention and encryption ala tjmaxx



With the TJ Max debacle playing out in the media, I need to make a

recommendation to several customers who handle credit card trans.

Is there a short & concise list of standard practices as to when to keep

customer data versus when not to...

I have searched the web and find that everyone seems to have a different

opinion, and much of it sounds like "talking heads..".

Perhaps an industry association recommendation, or something from the

card processors that I can get to (that is not a 800 page manual).

In one case, iSeries custom software for private (non-standard) cards in

addition to major labels. Another has pc based swipe machine and settle

software, but then keys the tran onto the iSeries (and I need to

recommend for both iSeries and pc).

None of these customers fit a "traditional" retailer model.

Jim Franz



--

This is the Midrange Systems Technical Discussion (MIDRANGE-L) mailing

list To post a message email: MIDRANGE-L@xxxxxxxxxxxx To subscribe,

unsubscribe, or change list options,

visit: http://lists.midrange.com/mailman/listinfo/midrange-l

or email: MIDRANGE-L-request@xxxxxxxxxxxx Before posting, please take a

moment to review the archives at http://archive.midrange.com/midrange-l.





This email is for the use of the intended recipient(s) only. If you have

received this email in error, please notify the sender immediately and

then delete it. If you are not the intended recipient, you must not keep,

use, disclose, copy or distribute this email without the author's prior

permission. We have taken precautions to minimize the risk of

transmitting software viruses, but we advise you to carry out your own

virus checks on any attachment to this message. We cannot accept

liability for any loss or damage caused by software viruses. The

information contained in this communication may be confidential and may be

subject to the attorney-client privilege. If you are the intended

recipient and you do not wish to receive similar electronic messages from

us in the future then please respond to the sender to this effect.



--

This is the Midrange Systems Technical Discussion (MIDRANGE-L) mailing list

To post a message email: MIDRANGE-L@xxxxxxxxxxxx

To subscribe, unsubscribe, or change list options,

visit: http://lists.midrange.com/mailman/listinfo/midrange-l

or email: MIDRANGE-L-request@xxxxxxxxxxxx

Before posting, please take a moment to review the archives

at http://archive.midrange.com/midrange-l.






As an Amazon Associate we earn from qualifying purchases.

This thread ...
Replies:
Follow On AppleNews
Return to Archive home page | Return to MIDRANGE.COM home page

This mailing list archive is Copyright 1997-2024 by midrange.com and David Gibbs as a compilation work. Use of the archive is restricted to research of a business or technical nature. Any other uses are prohibited. Full details are available on our policy page. If you have questions about this, please contact [javascript protected email address].

Operating expenses for this site are earned using the Amazon Associate program and Google Adsense.