FTC Settlement Order with Dave & Busters
Again via Office of Inadequate Security… their link is below.
So Dave & Busters’ FTC settlement is finalized and it illustrates another concern for merchants that aren’t taking a comprehensive approach to security - the burden of being monitored by the FTC. Here’s the quote from the press release:
The settlement requires Dave & Buster’s to establish and maintain a program designed to protect the security, confidentiality, and integrity of personal information collected from customers. It also requires the company to obtain independent, professional audits, every other year for 10 years, to ensure that the security program meets the standards of the settlement. In addition, the proposed settlement contains standard record-keeping provisions to allow the FTC to monitor compliance.
This is a huge deal - having an ‘independent, professional audit’ of your security program every other year is not covered by your PCI Report on Compliance. It is an additional audit requirement that goes well beyond PCI’s card-specific requirements and requires a far more in-depth review of your full security program. It also requires putting in place the ‘standard record-keeping provisions to allow the FTC to monitor compliance.’ In other words - it’s not getting ready every year for your QSA, it’s maintaining the appropriate information and providing access to that information 365 days a year. Dave & Buster’s is going to be required to document every aspect of their entire security program and be able to demonstrate its effectiveness to auditors and the FTC.
Add this to your list of stuff to worry about and make sure that, if your executive management team isn’t putting the proper focus on security and compliance, they understand that this additional concern is real - it’s not just about PCI. And if they think maintaining PCI compliance is expensive…
FTC Approves Final Settlement Order with Dave & Busters | Office of Inadequate Security.
Related articles by Zemanta
- Dave & Buster’s Settles FTC Charges it Failed to Protect Consumers’ Information (ftc.gov)
- Man sentenced for hacking restaurant card data (deurainfosec.com)
- Hacker’s record credit card theft fetches 20-year sentence (go.theregister.com)
