Millions of shoppers were affected when a data breach at Hannaford Bros. exposed the payment card data of more than 4.2 million credit card holders and led to 1,800 cases of fraud. This news, which made headlines last week, is particularly alarming to the retail industry because Hannaford was in full Payment Card Industry (PCI) compliance at the time of the breach. According to Dave Hogan, senior vice president and CIO of the National Retail Federation (NRF), it may be that the PCI mandate will never be an effective deterrent to professional hackers.
The East Coast supermarket chain announced that systems at all 165 of its stores were broken into and payment card data was stolen. The breach affected customers of New England and New York stores, as well as Sweetbay stores in Florida. Transactions conducted at some of the independently owned retail stores that carry Hannaford products were also affected. Both Hannaford and Sweetbay are part of Belgium-based Delhaize Corp., an international supermarket giant.
The data breach came to light when Hannaford posted an advisory from President and CEO Ronald Hodge on its Web site. Hodge's communication said that the intrusions had been contained following the retailer's February 27 discovery that "suspicious credit card activity" had occurred. Credit and debit card numbers, along with expiration dates, were stolen from Hannaford's systems while the data was in transit for transaction authorization. However, no names, addresses or other identifying information were taken.
Now that we know that Hannaford was PCI compliant and was still the victim of a data breach, is it possible that PCI compliance is not the answer to security?
According to Dave Hogan, the retail industry takes data security very seriously. Over the past few years, it has invested more than $1 billion in security- and compliance-related programs.
"PCI, which has been in existence in one form or another for several years, was supposed to prevent such crimes," says the NRF executive. "PCI is a valiant attempt to prevent large stockpiles of credit card data from getting into the wrong hands. However, it is unlikely PCI will ever be able to keep pace with the continually evolving sophistication of the professional hacker. Nor will it be able to anticipate every possible variation of future attacks. We believe the time has come to rethink the assumptions behind PCI."
Do credit card companies need to shoulder some of the responsibility behind storing and safeguarding credit card data?
"The credit card companies have been brilliant about shifting the burden and the associated risk of credit cards onto the merchant. It is their system. They created it and mandated how it should operate. The card associations should be promoting more secure forms of payment like Chip & PIN. This type of technology has been used in Europe and has significantly reduced credit card fraud. They should also provide (at no cost to the merchant) card readers that can accept these new types of cards."
Should credit card companies stop forcing retailers to store data for years on end?
"Visa and MasterCard may indicate that they do not directly force retailers to store credit card data. But indirectly, they do store it through the retrieval request process that is in place. Rather than requiring that merchants keep reams of data (currently required under card company rules as a means of managing chargebacks and other internal processes), credit card companies and their banks should provide merchants with the option of keeping nothing more than the authorization code provided at time of sale and a truncated receipt. I would like them to go on record and state that 'Retailers have the option to no longer store credit card data and they will not be penalized for not keeping credit card data.'"
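The retention model Hogan describes, keeping only the authorization code and a truncated card number, is a data-minimization exercise: if the full PAN and expiry never reach the merchant's long-term storage, a breach of that storage cannot expose them. The following is an added illustration, not code from the article or from any retailer or card network; the transaction fields and values are constructed, and the `retention_record` layout is a hypothetical minimal record. It also includes a small scanner that checks a record for Luhn-valid digit runs, the kind of check a merchant could run over its own stored data to confirm that no full card numbers are being retained.

```python
import json
import re

# Constructed sample of what a point-of-sale system might hold for one sale
# before retention (hypothetical values; 4111... is a well-known test PAN).
SAMPLE_TRANSACTION = {
    "pan": "4111111111111111",
    "expiry": "12/29",
    "auth_code": "A1B2C3",
    "amount_cents": 4599,
    "store_id": "store-042",
}

# Card numbers are 13 to 19 digits; the lookarounds stop us matching a
# shorter run that is part of a longer digit string.
PAN_PATTERN = re.compile(r"(?<!\d)\d{13,19}(?!\d)")


def luhn_valid(digits: str) -> bool:
    """Return True when a digit string passes the Luhn check used by card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def truncate_pan(pan: str) -> str:
    """Mask all but the last four digits, as on a truncated receipt."""
    if not pan.isdigit() or not 13 <= len(pan) <= 19:
        raise ValueError("not a plausible PAN")
    return "*" * (len(pan) - 4) + pan[-4:]


def retention_record(txn: dict) -> dict:
    """Build the minimal record a merchant would keep: auth code plus a
    truncated PAN, with the expiry date dropped entirely."""
    return {
        "auth_code": txn["auth_code"],
        "pan_masked": truncate_pan(txn["pan"]),
        "amount_cents": txn["amount_cents"],
        "store_id": txn["store_id"],
    }


def find_retained_pans(record: dict) -> list:
    """Serialize the record and report every Luhn-valid digit run that looks
    like a full card number; an empty list means nothing card-like is stored."""
    blob = json.dumps(record)
    return [m.group() for m in PAN_PATTERN.finditer(blob) if luhn_valid(m.group())]


if __name__ == "__main__":
    kept = retention_record(SAMPLE_TRANSACTION)
    print("before:", find_retained_pans(SAMPLE_TRANSACTION))
    print("after: ", find_retained_pans(kept))
    print("record:", kept)
```

The scanner deliberately works on the serialized record rather than on named fields, so a full PAN that leaked into a free-text field (a note, a log message) would still be caught; the Luhn filter keeps ordinary long numbers such as order identifiers from producing false positives.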
But this is not how the retail and credit card industries stand today. Delhaize, Hannaford's parent company, is among the industry's more cutting-edge supermarket operators when it comes to adopting and utilizing technologies. And Hannaford was PCI compliant at the time of the data breach. The bottom line is that this retailer did all it could to protect its customers. "If a merchant has been certified as being PCI compliant, they should not be liable for any fines or related unauthorized charges," said Hogan.