Best Western: PCI Compliant and Hacked

While the details are still murky on the number of records impacted (somewhere between 13 and 8 million), it appears that we have a security breach of another high profile corporation claiming PCI compliance at the time of breach. SC Magazine has the story here.Here is Best Western's statement on the breach:

"We comply with the Payment Card Industry (PCI) Data Security Standards (DSS). To maintain that compliance, Best Western maintains a secure network protected by firewalls and governed by a strong information security policy. We collect credit card information only when it is necessary to process a guest's reservation; we restrict access to that information to only those requiring access and through the use of unique and individual, password-protected points of entry; we encrypt credit card information in our systems and databases and in any electronic transmission over public networks; and again, we delete credit card information and all other personal information upon guest departure. We regularly test our systems and processes in an effort to protect customer information, and employ the services of industry-leading third-party firms to evaluate our safeguards."

Obviously, the facts are still murky, but it will be interesting to see what, if any, protection PCI compliance will have from a liability perspective and a "safe harbor" perspective.

PCIInfoLawGroup LLPBreach