Grocery Chain Data Breach Extends Security Debate
- By Jabulani Leffall
- March 19, 2008
within Massachusetts grocery chain Hannaford Bros. on Monday
not only led to 1,800 known cases of fraud but is also serving as debate fodder
in the ongoing argument about data ownership and Payment
Card Industry (PCI)
Currently, Visa Inc., MasterCard and its other peers in the PCI comprise the
main governing body that's responsible for policing the consumer and business-to-business
retail transaction sector. However, mounting evidence of breaches -- such as
what happened at Hannaford Bros. -- coupled with the fact that there have been
more than 218 million records compromised since January 2005 suggest that the
current structure isn't working.
"The issue is twofold," said Christian Phillips, chief security officer
at Regulus, a transaction processing and remittance service provider. "Either
merchants have to put more money into compliance and IT security controls or
a third-party with not-so-obvious interests has to step in and set uniform IT
Phillips, who calls the control matrices he works up for IT security related
to PCI a "large pile of Jello," contends that the problem with current PCI standards
is the lack of uniformity.
"That's because I can't predict what Visa or MasterCard will ask us to change
or what appliances and software will be in compliance one moment and out the
next," he said.
Visa and MasterCard did not return calls.
Compliance with a Small 'C'?
The Hannaford case comes in the wake of the largest
breach ever at TJX Cos., the parent company of discount clothiers T.J. Maxx
and Marshalls. TJX last year reported at least 45.7 million cards were exposed,
while banks' court filings put the number at more than 100 million. But IT security
compliance in that case was shoddy at best.
Court records in a federal lawsuit over those breaches reveal that Visa knew
about the extensive security problems at TJX as far back as late 2005, but decided
to give TJX permission to remain non-compliant through Dec. 31, 2008. Visa's
leniency, critics contend, had a lot to do with the high volume of credit card
processing at TJX stores from which Visa stood to gain.
In the biggest irony imaginable, TJX and Hannaford Bros. both have their headquarters
in the same state as the Boston-based PCI Security Standards Council, the non-profit
organization that -- with the blessing of credit card companies -- sets security
standards for the industry. The group in late February published a detailed
set of "self-assessment questionnaires" for small and medium-sized retailers,
who typically aren't required to have their data security reviewed by outside
IT and financial auditors. The guidance addresses hundreds of scenarios and,
according to PCI, will go a long way toward simplifying the self-assessment
process for merchants and security consultants worried about PCI compliance.
But critics of the current informal regulatory structure have suggested that
the burden placed on merchants to retain customer data is what's making them
prime targets for hackers.
In a letter submitted to PCI late last year, National Retail Federation CIO
David Hogan pointed out that credit card companies typically require retailers
to store credit card numbers anywhere from one year to 18 months to satisfy
card company retrieval requests. He argued retailers should have a choice as
to whether they want to store credit card numbers at all.
"Instead of making the industry jump through hoops to create an impenetrable
fortress, retailers want to eliminate the incentive for hackers to break into
their systems in the first place," Hogan wrote.
Beth Givens, director of Privacy Rights Clearinghouse, a research and consumer
advocacy group based in San Diego, Calif., calls data storage "a double-edged
sword" for retailers and other merchants, and said that for consumers and banks,
long, costly investigations into breaches can cost money.
"When you look at Hannaford and what happened, it might be the straw that breaks
the camel's back," she said. "You think that perhaps state legislatures should
follow Minnesota's lead on PCI compliance laws but [it] has to be something
with some teeth so that merchants, security consultants and credit card companies
know the stakes involved."
Security Solutions in Merchants' Hands
For merchants running a Windows architecture to process data, integration and
streamlining of the data flow is key. To that end, for small merchants, Microsoft's
Point of Sale application can serve as the interface for logging sales data
while the pertinent information should probably be stored on an off-site SQL
Server-based system or farmed out to a third-party for storage and archiving,
if not periodic oversight.
"Companies are in a difficult position because right now, it's either you comply
or don't accept credit cards," said Michael Gavin, a security strategist at
Security Innovation, a consulting firm in Boston that conducts annual and quarterly
security audits for its PCI clients. "I think the key here is to eliminate the
low-hanging fruit, meaning the points of entry or vectors for fraud that are
Chris Schwartzbauer, vice president of field operations for IT security firm
Shavlik Technologies in St. Paul, Minn., agrees, saying customizable software
and manual and automated controls are needed to protect data. He added that
everyone needs to take care of their own house and remember that PCI is still
in its infancy; its rules and methodologies will take time to catch up with
"Right now, PCI is one of the greatest drivers for increased IT security for
service organizations and companies themselves," he said. "Ultimately, though,
it's the merchants' responsibility to make sure the environment is locked up
Jabulani Leffall is an award-winning journalist whose work has appeared in the Financial Times of London, Investor's Business Daily, The Economist and CFO Magazine, among others.