Blogger: Randall Gamby
I was going to write a blog on small to medium businesses (SMBs) getting PCI compliant, but last week a breach changed all that. Last Monday, Scarborough, Maine-based Hannaford Brothers Co., a regional Grocery Store chain the Northeast U.S. (and the store I shop at and pay using my debit card) had a breach that exposed up to 4.2 million credit and debit cardholders to potential fraud.
The result of this breach so far has been about 1,800 instances of fraud as reported by company officials, all company information has been removed from their website (I’m assuming while they reevaluate their transaction strategy and architecture) except for a news brief from the CEO, http://www.hannaford.com/Contents/News_Events/News/News.shtml and the page containing their privacy statements, including their PCI compliance statement:
Hannaford Supermarkets has been certified as compliant with the Payment Card Industry Data Security Standard (PCI DSS). The PCI DSS is recognized as the accepted industry security standard that includes requirements for security management, policies, procedures, network architecture, software design and other critical protective measures. This comprehensive standard is intended to help organizations protect customer credit and debit card account data.
So the question has to be asked, “Are we putting too much faith in PCI compliance to really reduce our risk of exposure?” Apparently in the unfortunate case of Hannaford, whatever PCI compliance measures were taken to protect cardholder information weren’t enough to keep attackers from infiltrating the organization and stealing this valuable data. Plus the question has to be asked, “What is a grocery store chain that mainly does Point-of-Sale (POS) transactions doing storing this information anyway?” It’s not like cardholders have future payment options like they might have at Amazon.com--where their full credit card or debit card information is stored for checking out at a later date. I guess believing that shopping at a PCI compliant merchant, over a merchant that isn’t PCI compliant, will reduce your chance of having your credit card data stolen isn’t always accurate.
Now I’m not saying PCI isn’t important, after all this breach may have never been found if PCI measures weren’t put in place, but enterprises have to look beyond the task of being compliance and take whatever additional steps may be needed to secure their data against breaches.
In addition, on 22 January 2008, Visa released statistics on merchant compliance with PCI. Visa reported that as of the end of 2007, 77% of large merchants were PCI compliant (compared with 12% in March 2006) and that 62% of midsize merchants were compliant (compared with 15% at the end of 2006). These two merchant categories represent approximately two-thirds of Visa's transaction volume. With other credit card issuers lagging, it seems that there’s still a lot of risk in using your credit/debit card out there in the big consumer marketplace. So the warning of the week is to stay diligent in watching those credit and debit card statements and keep your guard up, whether the merchant has the PCI stamp of approval or not. In the meantime, I’ll be getting a new debit card (my magnetic strip was wearing out anyway).