Blogger: Randall Gamby
I was going to write a blog on small to medium businesses (SMBs) getting PCI compliant, but last week a breach changed all that. Last Monday, Scarborough, Maine-based Hannaford Brothers Co., a regional grocery store chain in the Northeast U.S. (and the store I shop at and pay using my debit card), had a breach that exposed up to 4.2 million credit and debit cardholders to potential fraud.
The result of this breach so far has been about 1,800 instances of fraud, as reported by company officials. All company information has been removed from their website (I’m assuming while they reevaluate their transaction strategy and architecture) except for a news brief from the CEO, http://www.hannaford.com/Contents/News_Events/News/News.shtml, and the page containing their privacy statements, including their PCI compliance statement:
Hannaford Supermarkets has been certified as compliant with the Payment Card Industry Data Security Standard (PCI DSS). The PCI DSS is recognized as the accepted industry security standard that includes requirements for security management, policies, procedures, network architecture, software design and other critical protective measures. This comprehensive standard is intended to help organizations protect customer credit and debit card account data.
So the question has to be asked, “Are we putting too much faith in PCI compliance to really reduce our risk of exposure?” Apparently in the unfortunate case of Hannaford, whatever PCI compliance measures were taken to protect cardholder information weren’t enough to keep attackers from infiltrating the organization and stealing this valuable data. Plus the question has to be asked, “What is a grocery store chain that mainly does Point-of-Sale (POS) transactions doing storing this information anyway?” It’s not like cardholders have future payment options like they might have at Amazon.com, where their full credit card or debit card information is stored for checking out at a later date. I guess the belief that shopping at a PCI compliant merchant, rather than one that isn’t PCI compliant, will reduce your chance of having your credit card data stolen isn’t always accurate.
Now I’m not saying PCI isn’t important; after all, this breach may never have been found if PCI measures weren’t put in place. But enterprises have to look beyond the task of being compliant and take whatever additional steps may be needed to secure their data against breaches.
In addition, on 22 January 2008, Visa released statistics on merchant compliance with PCI. Visa reported that as of the end of 2007, 77% of large merchants were PCI compliant (compared with 12% in March 2006) and that 62% of midsize merchants were compliant (compared with 15% at the end of 2006). These two merchant categories represent approximately two-thirds of Visa's transaction volume. With other credit card issuers lagging, it seems that there’s still a lot of risk in using your credit/debit card out there in the big consumer marketplace. So the warning of the week is to stay diligent in watching those credit and debit card statements and keep your guard up, whether the merchant has the PCI stamp of approval or not. In the meantime, I’ll be getting a new debit card (my magnetic strip was wearing out anyway).

We all recognize that 'Compliance' is not the same as 'Secure'.
PCI helps guide organizations towards 'better practices' but achieving PCI compliance certainly does not eliminate risk or solve the problem of data loss.
So, this begs the question: Why mandate it? Sounds similar to eating broccoli. While many agree that this is good for the body, nobody mandates it. Put another way, I want the companies I do business with to be secure, not compliant.
Seems that PCI (substitute your choice of mandated regulation) does not necessarily achieve the goals.
Recommended solution: Put teeth in the regulation that a commercial entity can 'understand' and the necessary goal is more likely to be achieved. Now the equation becomes 'Do I risk paying $1000 per ID on penalties or do I invest $500 to secure the infrastructure and associated processes'? While this is certainly not a guarantee to eliminate data loss, it will ensure a best effort - which is what most folks expect.
Posted by: Subbarayudu | April 02, 2008 at 04:32 PM
Hi Subbarayudu,
Thanks for commenting! I agree, regulations only go so far, but they ARE valuable. They raise awareness of consistent oversight (even if it doesn't go far enough), they require organizations to do a review of their current practices and begin to make changes towards better securing their data (it's hard to say how bad Hannaford's security position was 'before' they became PCI compliant, but I doubt they were better off than after being compliant), and they help security personnel obtain the funding and personnel that may have been hard to obtain from management if there wasn't outside pressure.
However, with that said, as I stated in my blog, "...enterprises have to look beyond the task of being compliant and take whatever additional steps may be needed to secure their data against breaches..." There are bad guys out there, and breaches occur much too often. And given the initial findings that the Hannaford breach may have occurred from the inside (along with other large breaches of information like the recent Societe Generale scandal), enterprises have to understand they have to balance protection mechanisms against both external AND internal breaches. I saw a number somewhere that something like 70% of all breaches that actually COST an enterprise real dollars happen from the inside, and I've been warning companies for years that those internal support personnel that manage their financial and access systems should be paid well, and be very happy. I'm an advocate of "vetting", and vetting well, the personnel, and their managers, that maintain the internal "keys" to the "virtual vault". So there's a lot more to security management than regulatory compliance, but we can't just throw regulations away. But at the same time, as you alluded, it's hard to put specific "teeth" in them and allow every enterprise to support them in a cost effective manner. The warning in all this is to have a well vetted risk management plan, with contingencies in case a breach occurs (the big red “stop” button), know what to do in case a breach occurs, and periodically review these plans to verify they continue to adjust to known risks. Regulatory compliance must be maintained, but it should be just one piece of any risk management plan, though still an important one.
Posted by: Randall Gamby | April 03, 2008 at 10:05 AM