What Did Hannaford Know And When Did It Know It?
Written by Evan Schuman

Shortly after reports surfaced that the Hannaford grocery chain had been PCI compliant at the time of its data breach attack, the Web has been crawling with those questioning the value of PCI, even as the confusing preliminary details of the breach are being sorted out.
As one who has frequently used this column to point out the many flaws within PCI, please allow me to stand up and say to those PCI critics: What planet are you from that tolerates only perfect security systems?
Do they conclude from one successful burglary of a house protected by a top-notch burglar alarm and high-security deadbolts that burglar alarms and deadbolts are worthless? The fact is that burglars are sometimes professional and they can get around perfectly legitimate security devices.
That all said, this incident does allow me to bring up two PCI truths. The first is that a retailer with PCI compliance certainly does not automatically morph into a secure retailer. The checklist approach to security is better than nothing, which is what far too many retailers used to have, but it's not ideal. It's little more than a decent starting point.
The other issue the Hannaford breach brings up is something slightly more nuanced. Was Hannaford PCI compliant—meaning that their operations were completely in concert with the PCI requirements—at the time of the breach or merely certified compliant?
That question can be broken down into two further levels. An assessment, or even a true audit such as a SAS 70 Type II probe, is only looking at a snapshot in time, specifically the point in time at which the assessment is taking place. There's nothing to guarantee that the retailer wouldn't make a change a day later, with a software upgrade or some other modification to the environment, that would make them non-compliant.
So the first level is that it’s only a snapshot. The second level is "did the assessor do a good and thorough job?" The assessment could be flawed because of—dare I say it—incompetence on the part of the assessor or because the retailer chooses to not answer certain things fully or to not be candid in what is being shown and what is being accessed.
There's also a lot of politics and conflicts of interest involved. If the assessor company is in the middle of a huge security sale to that retailer at the time, might it be more lenient? Likewise, might the processor or card brand be more or less strict depending on other business considerations?
The bottom line: there are plenty of reasons to remember that a PCI compliant merchant is not necessarily perpetually in line with all of the PCI recommendations. But let’s assume a retailer is in line with all of the PCI regs. And let’s further assume that such a truly compliant retailer got breached. Does that—and should that—say anything bad about the PCI process itself?
I’d argue that it doesn’t. Certainly any process—PCI is not anywhere close to an exception—can be improved. But PCI, with all its faults, is still better than what existed before and compliant retailers are just about always much more secure than they had been. Not that they are secure, but they are merely more secure than what they used to be.
Like the food pyramid analogy that I’ve made in this column before, the goal of PCI is not to make retailers secure. It’s to make them more secure—relatively. It’s intended to inch them along to this nirvana—which they’ll never reach—where they are truly secure.
Please don’t give up on PCI because it’s proven to not be a perfect protector. Giving up "pretty good" so that you can mount an impossible search for "absolute" is exactly what every cyberthief in Eastern Europe wants you to do.
March 20th, 2008 at 10:29 am
FYI: PCI only requires that cardholder data be encrypted during transmission over “open, public networks”.
March 21st, 2008 at 3:25 am
Editor’s Note: That’s true. I believe the specific wording is: “If there is no external access to the merchant location (by Internet, wireless, virtual private network (VPN), dial-in, broadband, or publicly accessible machines such as kiosks), the POS environment may be excluded.”
In this instance, though, it wasn't an issue. First, Hannaford's payment authentications were indeed riding over the Internet, according to an official with that chain that we spoke with on Thursday. That's not a surprise, of course, as the overwhelming majority (most likely exceeding 95 percent) of retailers use the Internet for such transactions and therefore are supposed to use encryption.
While looking into that, though, I came upon an intriguing issue. Would PCI require that transaction authentications be encrypted if they were being sent in a VPN across that public network? One part of the PCI regs suggests that they consider a VPN a form of encryption. 2.3 says, in part, “Encrypt all non-console administrative access. Use technologies such as SSH, VPN, or SSL/TLS (transport layer security) for web-based management and other non-console administrative access.”
March 21st, 2008 at 7:13 am
Auditors I have spoken to say that encrypting over the VPN meets PCI compliance. There is no requirement to encrypt during transmission on the internal/private network.
March 21st, 2008 at 4:28 pm
To think that PCI compliance would have protected Hannaford is to think that having a bullet-proof vest will keep you from getting shot. PCI will not deal with the kind of “designer malware” issues faced by Hannaford. PCI is designed to deal with absolute minimum baseline security controls, primarily at the network layer. If you achieve PCI compliance, you are doing security 101, nothing more. A serious adversary, such as the kind of well-funded and professional “carder” gangs that hit many companies like Hannaford, knows PCI calls for certain network countermeasures. So, these gangs are going to design specific attacks that evade traditional perimeter security approaches. This stuff is really happening — we see it all the time with our clients in the government and financial services.
Retailers have to take matters into their own hands and stop focusing on PCI as the sole measure of security or due diligence, if they want to get a grip on this situation. Retailers have to up the ante on monitoring their networks for signs of designer malware activity because the carder gangs already understand PCI controls and how to circumvent them. This requires a new kind of network monitoring and attention to operational security detail. Retail networks will never be secure — with any technology. But, the key is to detect these kinds of attacks within minutes, before keystroke loggers and command and control trojans are placed on POS systems and related servers by carder gangs.
March 25th, 2008 at 5:45 pm
PCI is an expensive farce, just as TSA is protecting us! It’s off the shelf software folks. Wake up!
If, IF, Hannaford was PCI compliant, all that did was make the hack that much more challenging thus interesting and fun to the perpetrator(s). Whether DSW, TJX, Hannaford, Ohio University or the US Government and if the truth be told Visa and MasterCard, these entities are, like every business, constrained in their data security efforts by budgets, personnel resources, time and then legacy technology. Hackers, on the other hand have no budget, can enlist as many personnel resources as may want to join in the challenge, have as much time as is needed, use global resources plus have the latest, even bleeding edge technology. The rest of us can’t win plus are only a millimeter ahead of the criminals.
I’m for data security however the PCI approach is really bassackwards with 99.99% of the resources focused on the wrong target.
Apprehend and appropriately punish the perpetrators in such a manner as to be so horrendous as to put the utmost fear of the consequences in others that they forgo such a crime. Punishment hidden is no deterrent, but that’s a whole different subject.
In order to apprehend the culprits, those responsible must stop hiding behind the issue of national boundaries because these crimes are global in nature. Why? Because criminals know they can hide within their borders as long as they don’t commit a crime on people within that border. As with telemarketing scams in the US, they are never perpetrated within the state in which the criminals are physically located. WAKE UP!
I won’t even get into what I think should be the punishment once we catch the bastards.