Hannaford Emphasizes Difference Between Security and Compliance

Lora Bentley

When the data breach occurred at Hannaford Brothers, much was made of the fact that the company was supposed to be Payment Card Industry Data Security Standard compliant. Some observers even suggested that if Hannaford really was fully compliant, the breach would not have happened.


However, Enterprise Management Associates' research director Scott Crawford says such a viewpoint is naive. In a recent telephone interview, he told me:

To be clear about the difference between compliance and security, compliance does not necessarily mean that you're going to never experience an attack or never experience a threat that has a significant impact on the business. ... The real point of compliance is to try and assure a higher standard of risk management. What I mean by that is, if you think of the parallels in the physical world -- in health care, for example. Exercising regularly, eating properly does not necessarily mean you're never going to experience a heart attack or debilitating stroke. But overall, it means that your chances of not having one or surviving one or having less impact from one are greater.

According to a post at The Industry Standard by an InfoWorld writer, PCI Security Standards Council manager Bob Russo holds a similar opinion. He notes:

The truth is that achieving compliance is a moment in time, it's a snapshot, and you need to be vigilant and live with these issues on a daily basis; you can't get your compliance certificate and put it in a drawer and feel satisfied. It's still pretty unclear exactly what happened [at Hannaford], but the upside is that they've said they'd like to share information about their incident, and feedback from everyone involved in this process has been crucial in making our efforts successful.

EMA's Crawford says the events at Hannaford will have an impact on the way the PCI standards evolve -- even if it's merely a matter of making sure they keep up with the nature of the threats that the industry faces.

Apr 15, 2008 5:33 AM Michael Cherry says:

Let's perform a reality check: either we protect the data using encryption or we build safe networks. Safe networks that have any internet exposure, including PCI, are currently unattainable. The "cyber initiative," aimed at securing the government's computer systems against attacks by foreign adversaries and other intruders, will cost billions of dollars, which the White House is expected to request in its fiscal 2009 budget. (Bush Order Expands Network Monitoring, http://www.washingtonpost.com/wp-dyn/content/article/2008/01/25/AR2008012503261.html)

MICHAEL CHERRY
President, Cherry Biometrics Inc., http://www.cherrybiometrics.com/
Vice Chairman, Digital Technology Committee, National Association of Criminal Defense Lawyers (NACDL)
