Hannaford CIO: We Need To Spend Millions, Go Well Beyond PCI
Written by Evan Schuman

Hannaford CIO Bill Homa, overseeing a data breach probe that exposed some 4.2 million payment cards, said this week that his grocery chain needs to go well beyond PCI to try to be secure, an effort he predicted would cost his department millions of dollars "but not tens of millions."
Homa called a news conference to detail some of those planned security improvements, including Triple DES PIN encryption ("customer card information is now encrypted from the PINpad at the store register and remains encrypted while it’s in our own internal network"), host and network intrusion prevention systems ("to proactively prevent malware from being installed in our systems") and better payment segmentation.
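The "encrypted from the PINpad" step above, shown as an added example that is not Hannaford's, IBM's or any vendor's code: the article names only Triple DES, so the PIN block layout (ISO 9564-1 format 0), the 24-byte key and the test PAN and PIN are all assumptions constructed for the example. The PIN pad XORs the PIN with the card's PAN and encrypts that single block, so only ciphertext crosses the store network; the host side decrypts under its own key and refuses anything that does not parse as a well-formed block, which is what catches a block decrypted under the wrong key or matched to the wrong card.

```go
package main

import (
	"crypto/des"
	"encoding/hex"
	"errors"
	"fmt"
	"strconv"
	"strings"
)

// demoKey is a constructed 24-byte (3-key) Triple DES key used only for this
// example; a real PIN pad keeps its key inside a tamper-resistant module.
var demoKey, _ = hex.DecodeString("0123456789ABCDEFFEDCBA987654321089ABCDEF01234567")

// panField returns the 16-hex-digit PAN field of ISO 9564-1 format 0:
// four zero digits followed by the 12 rightmost PAN digits, excluding the
// Luhn check digit.
func panField(pan string) (string, error) {
	if len(pan) < 13 {
		return "", errors.New("PAN too short")
	}
	return "0000" + pan[len(pan)-13:len(pan)-1], nil
}

// xorHex XORs two 16-hex-digit strings into one 8-byte block.
func xorHex(a, b string) ([]byte, error) {
	ab, err := hex.DecodeString(a)
	if err != nil {
		return nil, err
	}
	bb, err := hex.DecodeString(b)
	if err != nil {
		return nil, err
	}
	if len(ab) != des.BlockSize || len(bb) != des.BlockSize {
		return nil, errors.New("fields must be 8 bytes")
	}
	out := make([]byte, des.BlockSize)
	for i := range out {
		out[i] = ab[i] ^ bb[i]
	}
	return out, nil
}

// formatPINBlock builds a format 0 PIN block: the PIN field (0, PIN length,
// PIN digits, F padding) XORed with the PAN field. Binding the block to the
// PAN means the same PIN does not give the same ciphertext on every card.
func formatPINBlock(pin, pan string) ([]byte, error) {
	if len(pin) < 4 || len(pin) > 12 {
		return nil, errors.New("PIN must be 4 to 12 digits")
	}
	for _, c := range pin {
		if c < '0' || c > '9' {
			return nil, errors.New("PIN must be numeric")
		}
	}
	pf := fmt.Sprintf("0%X%s", len(pin), pin)
	pf += strings.Repeat("F", 16-len(pf))
	paf, err := panField(pan)
	if err != nil {
		return nil, err
	}
	return xorHex(pf, paf)
}

// encryptPINBlock encrypts the single 8-byte block with Triple DES; this is
// what leaves the PIN pad and travels over the store network.
func encryptPINBlock(key, block []byte) ([]byte, error) {
	c, err := des.NewTripleDESCipher(key)
	if err != nil {
		return nil, err
	}
	out := make([]byte, des.BlockSize)
	c.Encrypt(out, block)
	return out, nil
}

// decryptPINBlock is the inverse, performed only inside the host's HSM.
func decryptPINBlock(key, enc []byte) ([]byte, error) {
	c, err := des.NewTripleDESCipher(key)
	if err != nil {
		return nil, err
	}
	out := make([]byte, des.BlockSize)
	c.Decrypt(out, enc)
	return out, nil
}

// recoverPIN reverses formatPINBlock; a block decrypted under the wrong key
// or paired with the wrong PAN fails the format checks instead of yielding
// a plausible-looking PIN.
func recoverPIN(block []byte, pan string) (string, error) {
	paf, err := panField(pan)
	if err != nil {
		return "", err
	}
	pf, err := xorHex(hex.EncodeToString(block), paf)
	if err != nil {
		return "", err
	}
	h := strings.ToUpper(hex.EncodeToString(pf))
	if h[0] != '0' {
		return "", errors.New("not a format 0 PIN block")
	}
	n, err := strconv.ParseInt(h[1:2], 16, 8)
	if err != nil || n < 4 || n > 12 {
		return "", errors.New("invalid PIN length")
	}
	l := int(n)
	pin := h[2 : 2+l]
	for _, c := range pin {
		if c < '0' || c > '9' {
			return "", errors.New("PIN digits corrupted")
		}
	}
	if strings.Trim(h[2+l:], "F") != "" {
		return "", errors.New("padding corrupted")
	}
	return pin, nil
}

func main() {
	pan, pin := "4111111111111111", "1234" // constructed test PAN and PIN
	block, _ := formatPINBlock(pin, pan)
	enc, _ := encryptPINBlock(demoKey, block)
	fmt.Printf("clear block: %X\nencrypted:   %X\n", block, enc)
	dec, _ := decryptPINBlock(demoKey, enc)
	got, err := recoverPIN(dec, pan)
	fmt.Println("recovered:", got, err)
}
```

The point for a retailer is where the key lives: the PIN pad and the host HSM hold it, and nothing in between (register, store server, WAN link) can turn the block back into a PIN, which is what "remains encrypted while it's in our own internal network" buys.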
He also—inexplicably—used the news conference to announce that Hannaford was "the first retailer in Maine" to have a Cisco Certified Internetwork Expert (CCIE) on the payroll. Wonder if they’ll call another news conference if that employee leaves?
The intrusion tracking system is something Hannaford has turned over to IBM, and Homa detailed what his concerns were. "One of the learnings of the breach is that we don’t have enough eyes and hands to watch all the false positive intrusions that happen in a vast network. You have millions and millions of people pinging your IP address," he said. "So we decided to turn that over to IBM and (have them) report back to us when we have something to investigate."
Beyond IBM, Homa said vendors that his team is working with on the security upgrades include General Dynamics, Cisco and Microsoft. He also confirmed that their PCI assessor is Verizon Business Services (formerly Cybertrust), which was also the initial assessor of TJX.
The encryption upgrades at POS will take another two to three months to complete, Homa said. "In many cases, we’re replacing equipment that is perfectly good except that it’s been obsoleted by the requirement for additional security," he said.
The host intrusion prevention system (HIPS) has not yet been awarded ("we’re in the middle of picking a software vendor") so "it will probably be the end of the year before we have that fully implemented in all of our stores."
They are also implementing ISO 27001 processes, which Homa estimated would take "a year to 18 months before it’s fully implemented."
He wouldn’t specify the estimated cost beyond the millions but "not tens of millions" comment, other than to say that HIPS could cost "as much as $5,000 per store, so it starts to add up."
Other new details that cropped up during the call or shortly before:
Even though many E-commerce sites ask for the CVV, what they are really asking for is the CVV2 on a Visa card, the CID on American Express and the CVC2 on MasterCard. No matter. Whatever it is called, the number that E-tailers ask for wasn’t taken, Eleazer said this week.
April 25th, 2008 at 6:57 am
Excellent article. More details than I’ve seen anywhere else on Hannaford.
April 25th, 2008 at 7:54 am
Talk about jumping off the deep end. While I applaud Mr. Homa’s reaction to what is, clearly, a major security breach, I don’t see why he is installing “military” grade security. His answer is to simply “remove” the sensitive payment card data from his system. If you eliminate the data, you eliminate the risk. Replace the data with something that still offers his stores with valuable information, but is not “actual” card data. There are a couple companies out there that offer data replacement technology. My guess is that they are significantly less expensive and more secure than the thickest walls Mr. Homa can build around his data. If I were on Mr. Homa’s Board of Directors, I would be upset to learn that there was a better solution available – for far less money.
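The "data replacement" approach the commenter above argues for is usually called tokenization. As an added illustration that is not part of the article or the comment, and not any vendor's product, here is a minimal in-memory token vault in Go: the vault hands the store a random surrogate that keeps the card's last four digits for receipts and reports, refuses to mint a token that passes the Luhn check (so a token can never be mistaken for, or used as, a real card number), and is the only place the real PAN exists. The PAN is a constructed test value.

```go
package main

import (
	"crypto/rand"
	"errors"
	"fmt"
	"math/big"
	"strings"
)

// Vault is an in-memory stand-in for a tokenization service: the mapping
// from token to PAN lives only here, so downstream systems (POS logs,
// analytics, returns desk) work with tokens and never hold card data.
type Vault struct {
	byPAN   map[string]string
	byToken map[string]string
}

func NewVault() *Vault {
	return &Vault{byPAN: map[string]string{}, byToken: map[string]string{}}
}

// luhnValid reports whether s passes the Luhn check-digit test used by PANs.
func luhnValid(s string) bool {
	sum, double := 0, false
	for i := len(s) - 1; i >= 0; i-- {
		if s[i] < '0' || s[i] > '9' {
			return false
		}
		d := int(s[i] - '0')
		if double {
			d *= 2
			if d > 9 {
				d -= 9
			}
		}
		sum += d
		double = !double
	}
	return len(s) > 0 && sum%10 == 0
}

// randomToken returns 12 random digits followed by the PAN's last four, so
// the token keeps the length and suffix that receipts and reports rely on.
func randomToken(pan string) (string, error) {
	var sb strings.Builder
	for i := 0; i < 12; i++ {
		n, err := rand.Int(rand.Reader, big.NewInt(10)) // unbiased digit
		if err != nil {
			return "", err
		}
		sb.WriteByte(byte('0' + n.Int64()))
	}
	sb.WriteString(pan[len(pan)-4:])
	return sb.String(), nil
}

// Tokenize returns the existing token for a PAN or mints a new one. Tokens
// that happen to pass Luhn are discarded so a token can never be confused
// with a real card number.
func (v *Vault) Tokenize(pan string) (string, error) {
	if len(pan) < 13 || len(pan) > 19 || !luhnValid(pan) {
		return "", errors.New("not a well-formed PAN")
	}
	if t, ok := v.byPAN[pan]; ok {
		return t, nil
	}
	for {
		t, err := randomToken(pan)
		if err != nil {
			return "", err
		}
		if luhnValid(t) {
			continue
		}
		if _, taken := v.byToken[t]; taken {
			continue
		}
		v.byToken[t] = pan
		v.byPAN[pan] = t
		return t, nil
	}
}

// Detokenize is the only path back to the PAN; in practice it sits behind
// authentication and is reachable from the payment authorisation host alone.
func (v *Vault) Detokenize(token string) (string, error) {
	pan, ok := v.byToken[token]
	if !ok {
		return "", errors.New("unknown token")
	}
	return pan, nil
}

func main() {
	v := NewVault()
	pan := "4111111111111111" // constructed test PAN
	tok, err := v.Tokenize(pan)
	fmt.Println("token:", tok, err)
	again, _ := v.Tokenize(pan)
	fmt.Println("same card, same token:", tok == again)
	back, _ := v.Detokenize(tok)
	fmt.Println("vault round trip:", back == pan)
}
```

Because the same card always maps to the same token, loyalty and returns lookups still work on the token alone; the trade-off is that the vault itself becomes the one system that must be protected and audited to the full standard, which is far smaller than every register and server that used to see the PAN.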
April 25th, 2008 at 9:53 am
Very informative article. One item that stood out was that Hannaford is “replacing equipment that is perfectly good” because they lack the security requirements.
This is a problem faced by many retailers. They believe, or have been led to believe, that they need to replace existing equipment with very expensive new equipment to gain security requirements. Not only is this not true but it comes with a high price tag and also requires retraining staff and managing compatibility issues, as well as other issues.
It is possible to keep perfectly good equipment in place and add security software for a fraction of the cost.
Hopefully, retailers will begin to realize this and not feel they are required to replace existing, perfectly good equipment.
August 7th, 2008 at 9:45 pm
This is a classic example of a client in denial, someone refusing to look and consider the facts. They were just simply trying to get by with the minimum effort.
Too bad for their employees, the pig-headedness of the IT management will continue to cost them millions upon millions.
Shame on this company.