Eric M Russell (4/8/2014)
I hate to say it, but the only way we're ever going to see any industry-wide application of standard data security policies is through government regulation and oversight... Building a data warehouse for the purpose of handling credit card numbers and other personal information is conceptually no different than transporting explosive chemicals on a busy interstate highway; if it's not regulated, then there will routinely be spills and the public is at risk.
Highly regulated industries (banking, pharma, etc) have plenty of failures. So, in fact, do government agencies.
The problem with trying to clamp down tighter and tighter is that as long as there is a leak somewhere, there will be failures. We need to rethink the process EXPECTING occasional failures and minimizing the harm. One approach might be tokenizing data (credit card info, etc.) so that the actual data is never stored on site, only a token. With proper encryption, the tokens can only work from the system to which they were issued. Store A can use your token only from their authenticated system (Store B's token would be different) for a card purchase; if someone else gets the token, it's useless.
Not a complete solution by any means, but we need to start thinking that information WILL leak, and work to control the damage done.
-- FORTRAN manual for Xerox Computers --
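The Store A / Store B tokenization scheme described in the post above, worked through as an added example (this is not code from the original thread or from any real tokenization product). A hypothetical vault hands each enrolled merchant its own authentication key and issues random, opaque tokens recorded against the merchant that requested them; redeeming a token requires both a valid request signature under the merchant's key and a token that was issued to that same merchant. The vault class, merchant names, card number and request format are all constructed for illustration; a real service would additionally encrypt card data at rest, reject replayed nonces, and log every redemption attempt.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass


@dataclass
class TokenRecord:
    pan: str          # the real card number; it exists only inside the vault
    merchant_id: str  # the system this token was issued to


class TokenVault:
    """Hypothetical tokenization service (constructed for this example).

    Merchants never store card numbers, only tokens. A token is a random
    string with no relationship to the card, so a leaked token reveals
    nothing, and it can only be redeemed by the merchant it was issued to.
    """

    def __init__(self) -> None:
        self._records: dict[str, TokenRecord] = {}
        self._merchant_keys: dict[str, bytes] = {}

    def enroll_merchant(self, merchant_id: str) -> bytes:
        """Register a merchant system and return its shared authentication key."""
        key = secrets.token_bytes(32)
        self._merchant_keys[merchant_id] = key
        return key

    def tokenize(self, merchant_id: str, pan: str) -> str:
        """Issue a fresh random token for `pan`, bound to `merchant_id`."""
        if merchant_id not in self._merchant_keys:
            raise PermissionError("unknown merchant")
        token = secrets.token_urlsafe(24)  # opaque; not derived from the card
        self._records[token] = TokenRecord(pan=pan, merchant_id=merchant_id)
        return token

    @staticmethod
    def sign_request(key: bytes, merchant_id: str, token: str, nonce: str) -> str:
        """HMAC the merchant computes to prove it holds its enrolled key."""
        msg = f"{merchant_id}|{token}|{nonce}".encode()
        return hmac.new(key, msg, hashlib.sha256).hexdigest()

    def detokenize(self, merchant_id: str, token: str, nonce: str, mac: str) -> str:
        """Return the card number only to the authenticated issuing merchant."""
        # 1. The caller must be an enrolled merchant presenting a valid signature.
        key = self._merchant_keys.get(merchant_id)
        if key is None:
            raise PermissionError("unknown merchant")
        expected = self.sign_request(key, merchant_id, token, nonce)
        if not hmac.compare_digest(expected, mac):
            raise PermissionError("bad request signature")
        # 2. The token must exist and must have been issued to this merchant.
        record = self._records.get(token)
        if record is None or record.merchant_id != merchant_id:
            raise PermissionError("token not valid for this merchant")
        return record.pan


def _rejected(vault: TokenVault, merchant_id: str, token: str, nonce: str, mac: str) -> bool:
    """True if the vault refuses the redemption attempt."""
    try:
        vault.detokenize(merchant_id, token, nonce, mac)
    except PermissionError:
        return True
    return False


def scenario() -> dict[str, bool]:
    """Walk through the Store A / Store B case from the post with constructed data."""
    vault = TokenVault()
    key_a = vault.enroll_merchant("store-a")
    key_b = vault.enroll_merchant("store-b")
    pan = "4111111111111111"  # constructed test card number, not a real account

    token_a = vault.tokenize("store-a", pan)  # all Store A ever stores
    token_b = vault.tokenize("store-b", pan)  # Store B gets a different token
    out = {"tokens_differ": token_a != token_b, "pan_not_in_token": pan not in token_a}

    # Store A redeems its own token from its authenticated system: succeeds.
    nonce = secrets.token_hex(8)
    mac = TokenVault.sign_request(key_a, "store-a", token_a, nonce)
    out["store_a_ok"] = vault.detokenize("store-a", token_a, nonce, mac) == pan

    # Store B, correctly authenticated as itself, presents Store A's token: refused.
    nonce = secrets.token_hex(8)
    mac = TokenVault.sign_request(key_b, "store-b", token_a, nonce)
    out["store_b_rejected"] = _rejected(vault, "store-b", token_a, nonce, mac)

    # Someone who stole token_a but holds no merchant key forges a request: refused.
    nonce = secrets.token_hex(8)
    fake_mac = TokenVault.sign_request(b"guess", "store-a", token_a, nonce)
    out["thief_rejected"] = _rejected(vault, "store-a", token_a, nonce, fake_mac)
    return out


if __name__ == "__main__":
    for check, passed in scenario().items():
        print(f"{check}: {'ok' if passed else 'FAILED'}")
```

The point the code makes concrete is the one in the post: a breach of Store A's database yields tokens that are useless anywhere but Store A's own authenticated channel, and a breach of Store B yields tokens that do not even refer to the same records. The remaining high-value target is the vault itself, which is why it should be a small, isolated, heavily audited system rather than one more table in the warehouse.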