Data and Telecom

Companies’ communications strategies must be agile in a rapidly evolving market

Hannaford and PCI

Posted by Carl Weinschenk Mar 20, 2008 10:17:22 AM

There is little definitive to say at this point about the massive theft of credit and debit card information reported Monday by Hannaford Brothers, a grocery retailer based in Maine. The firm revealed that about 4.2 million credit and debit card records have been stolen over a period of about three months.
This Dark Reading blog does a game job of trying to handicap what went wrong from the rather obscure announcement the company made. The writer features the opinions of Rich Mogull, an analyst from Securosis. His take is that the odds are about 70 percent that the breach was perpetrated by sniffing unencrypted traffic and 30 percent by a database compromise.
Whatever. The reality is that nobody knows. The other part of the reality is that these things keep happening. After the gargantuan TJX theft, there is absolutely no excuse (as if there was one before TJX) for companies to not implement the most intense and ironclad security measures. We live in an environment in which executives, at least theoretically, can go to jail if their companies breach certain regulatory rules. That's obviously extreme, but certainly should lead to more care than signing off on a press release.
There apparently is one difference between the way Hannaford -- and sister company Sweetbay -- and most other retailers handle their payment card data. This posting at Network Security Blog calls it a "silver lining." The companies do not associate payment cards and expiration dates with the names and addresses of the card holders. This, the writer guesses, is because the chain is ultimately owned by a company in Belgium (the Delhaize Group), and the disassociation is required under European Union laws. In any case, this makes it a bit harder on the thieves, according to this writer.
One issue is important to confront, whether or not it ultimately is proven to have anything to do with the Hannaford loss. Several articles on the breach point out that it is possible for a company to be compliant with the Payment Card Industry Data Security Standard (PCI DSS) and still have a breach, since the rules apparently only require encryption of credit card data on outside telecommunications networks. Internally, data can be sent in the clear.
The idea that the rules may be inadequate because they only protect the data a portion of the time it is in control of the retailer should be looked at carefully. The Washington Post's Brian Krebs relates a discussion he had with Bryan Sartin, the vice president of investigative response for Cybertrust. Sartin says successful attacks on PCI-compliant companies are a current trend. The bottom line is that companies are deluding themselves if they think following the letter of the law means they are safe.
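The gap the two preceding paragraphs describe, card data encrypted on the way out of the building but readable on internal links, is one a retailer can check for and close without waiting for the standard to change. The following Python script is an added example, not code from the post or from any of the companies it names. It runs a cleartext-card-number detector (digit runs that pass the Luhn check) over a few constructed log lines standing in for traffic between a point-of-sale terminal and a back-office host, then shows one mitigation: replacing the primary account number with a keyed HMAC surrogate before it leaves the terminal, so that anyone sniffing the internal segment sees only a token. The sample lines, the test card numbers and the key are all constructed for the demonstration; HMAC tokenization is one of several ways to do this and is not something PCI DSS itself prescribes.

```python
import hashlib
import hmac
import re

# Constructed stand-in for what an internal store-to-datacenter link might carry.
# The card numbers are well-known test numbers, not real accounts; the first two
# pass the Luhn check, the third deliberately does not.
SAMPLE_INTERNAL_TRAFFIC = [
    "POS-07 AUTH txn=1001 pan=4111111111111111 exp=1209 amt=42.17",
    "POS-07 AUTH txn=1002 pan=5500000000000004 exp=0110 amt=8.99",
    "POS-07 HEARTBEAT seq=88812 status=ok",
    "POS-07 AUTH txn=1003 pan=1234567890123456 exp=0309 amt=15.00",
]

# Constructed demo key (assumption: in a real deployment this lives in an HSM
# or key-management service, never in source).
KEY = b"constructed-demo-key-not-for-production"

# Candidate PANs: 13 to 19 digits bounded by non-word characters.
PAN_CANDIDATE = re.compile(r"\b\d{13,19}\b")


def luhn_valid(digits):
    """Standard Luhn mod-10 check used by payment card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_cleartext_pans(lines):
    """Return (line_index, pan) for every Luhn-valid digit run found in cleartext."""
    hits = []
    for idx, line in enumerate(lines):
        for m in PAN_CANDIDATE.finditer(line):
            if luhn_valid(m.group()):
                hits.append((idx, m.group()))
    return hits


def tokenize_pan(pan, key):
    """Replace a PAN with a keyed surrogate that keeps only the last four digits.

    The token starts with letters and contains underscores, so it can never be
    mistaken for a card number by the detector above.
    """
    tag = hmac.new(key, pan.encode(), hashlib.sha256).hexdigest()[:24]
    return f"tok_{tag}_{pan[-4:]}"


def redact_line(line, key):
    """Tokenize every Luhn-valid PAN in a line; leave everything else untouched."""
    def repl(m):
        s = m.group()
        return tokenize_pan(s, key) if luhn_valid(s) else s
    return PAN_CANDIDATE.sub(repl, line)


if __name__ == "__main__":
    print("Cleartext PANs on the internal link:")
    for idx, pan in find_cleartext_pans(SAMPLE_INTERNAL_TRAFFIC):
        print(f"  line {idx}: {pan[:6]}...{pan[-4:]}")
    print("After tokenizing at the terminal:")
    for line in SAMPLE_INTERNAL_TRAFFIC:
        print("  " + redact_line(line, KEY))
```

Running the detector against a capture from an internal segment is a quick way to find out whether "compliant" also means "safe" on that segment. The Luhn filter matters because internal logs are full of long numbers (transaction ids, sequence counters) that are not card numbers; without it the check drowns in false positives.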
It is important to think about this: Before a law is promulgated, a company must think for itself and implement what its due diligence tells it are the most effective strategies. Does this subtly change once laws hit the books? Since the firm suddenly has a minimum threshold at which to aim, does its responsibility to think for itself fade a bit? Does the company still have to truly aim at safeguarding data -- or is it only required to satisfy a set of legal requirements, which may not actually provide comprehensive security? Finally, if it meets the requirements and data is stolen nonetheless, is its legal culpability the same as if data is lost in an environment with no regulations?

May 6, 2008 9:20 PM Guest AnalystPCI  says:

PCI DSS is by no means a silver bullet, but just a set of best practices. Though the cost of compliance can be high (very few vendors offer a complete PCI solution), the cost of a breach far outweighs it. Vendors have started working towards more coverage and we expect some amount of consolidation here. Solidcore is one of the top vendors in this space with a very inexpensive product covering up to 30 individual PCI controls.

May 6, 2008 9:21 PM Guest AnotherAnalyst  says:

I'm an analyst following the PCI landscape and I have heard from reliable sources that the Point of Sale systems were compromised by worms.  We are also seeing a lot of enquiries for products that lockdown Point of Sale systems.  Vendors like Tripwire and Solidcore are experiencing double-digit growth fueled by this requirement.  News on the grapevine is that Solidcore has closed at least 5 mega deals and is preparing for an IPO.