What Did Hannaford Know And When Did It Know It?

Written by Evan Schuman
March 19th, 2008

Since reports surfaced that the Hannaford grocery chain had been PCI compliant at the time of its data breach, the Web has been crawling with people questioning the value of PCI, even as the confusing preliminary details of the breach are still being sorted out.

As one who has frequently used this column to point out the many flaws within PCI, please allow me to stand up and say to those PCI critics: What planet are you from that tolerates only perfect security systems?

Would they conclude from one successful burglary of a house protected by a top-notch burglar alarm and high-security deadbolts that burglar alarms and deadbolts are worthless? The fact is that burglars are sometimes professionals, and professionals can get around perfectly legitimate security devices.

That all said, this incident does allow me to bring up two PCI truths. The first is that a retailer with PCI compliance certainly does not automatically morph into a secure retailer. The checklist approach to security is better than nothing, which is what far too many retailers used to have, but it’s not ideal. It’s little more than a decent starting point.

The other issue the Hannaford breach brings up is something slightly more nuanced. Was Hannaford PCI compliant—meaning that their operations were completely in concert with the PCI requirements—at the time of the breach or merely certified compliant?

That question breaks down into two further levels. An assessment, or even a true audit such as a SAS 70 Type II probe, only looks at a snapshot in time, specifically the point in time at which the assessment is taking place. There’s nothing to guarantee that the retailer, through a software upgrade or some other change, wouldn’t do something a day later that would make it non-compliant.

So the first level is that it’s only a snapshot. The second level is "did the assessor do a good and thorough job?" The assessment could be flawed because of—dare I say it—incompetence on the part of the assessor or because the retailer chooses to not answer certain things fully or to not be candid in what is being shown and what is being accessed.

There’s also a lot of politics and conflicts of interest involved. If the assessor company is in the middle of a huge security sale to that retailer at the time, might it be more lenient? And might the processor or card brand be more or less strict depending on other business considerations?

The bottom line: there are plenty of reasons to remember that a PCI compliant merchant is not necessarily perpetually in line with all of the PCI recommendations. But let’s assume a retailer is in line with all of the PCI regs. And let’s further assume that such a truly compliant retailer got breached. Does that—and should that—say anything bad about the PCI process itself?

I’d argue that it doesn’t. Certainly any process can be improved, and PCI is nowhere close to an exception. But PCI, with all its faults, is still better than what existed before, and compliant retailers are just about always much more secure than they had been. Not that they are secure; they are merely more secure than they used to be.

Like the food pyramid analogy that I’ve made in this column before, the goal of PCI is not to make retailers secure. It’s to make them more secure—relatively. It’s intended to inch them along to this nirvana—which they’ll never reach—where they are truly secure.

Please don’t give up on PCI because it’s proven to not be a perfect protector. Giving up "pretty good" so that you can mount an impossible search for "absolute" is exactly what every cyberthief in Eastern Europe wants you to do.


5 Comments

  1. Scott Says:

    FYI: PCI only requires that cardholder data be encrypted during transmission over “open, public networks”.

  2. Evan Schuman Says:

    Editor’s Note: That’s true. I believe the specific wording is: “If there is no external access to the merchant location (by Internet, wireless, virtual private network (VPN), dial-in, broadband, or publicly accessible machines such as kiosks), the POS environment may be excluded.”
    In this instance, though, it wasn’t an issue. First, Hannaford’s payment authentications were indeed riding over the Internet, according to an official with that chain whom we spoke with on Thursday. That’s not a surprise, of course, as the overwhelming majority (most likely exceeding 95 percent) of retailers use the Internet for such transactions and therefore are supposed to use encryption.
    While looking into that, though, I came upon an intriguing issue. Would PCI require that transaction authentications be encrypted if they were being sent in a VPN across that public network? One part of the PCI regs suggests that they consider a VPN a form of encryption. 2.3 says, in part, “Encrypt all non-console administrative access. Use technologies such as SSH, VPN, or SSL/TLS (transport layer security) for web-based management and other non-console administrative access.”

  3. Scott Says:

    Auditors I have spoken to say that encrypting over the VPN meets PCI compliance. There is no requirement to encrypt during transmission on the internal/private network.

  4. Eddie Schwartz Says:

    To think that PCI compliance would have protected Hannaford is to think that having a bullet proof vest will keep you from getting shot. PCI will not deal with the kind of “designer malware” issues faced by Hannaford. PCI is designed to deal with absolute minimum baseline security controls, primarily at the network layer. If you achieve PCI compliance, you are doing security 101, nothing more. A serious adversary, such as the kind of well-funded and professional “carder” gangs that hit many companies like Hannaford, knows PCI calls for certain network countermeasures. So, these gangs are going to design specific attacks that evade traditional perimeter security approaches. This stuff is really happening — we see it all the time with our clients in the government and financial services.

    Retailers have to take matters into their own hands and stop focusing on PCI as the sole measure of security or due diligence, if they want to get a grip on this situation. Retailers have to up the ante on monitoring their networks for signs of designer malware activity because the carder gangs already understand PCI controls and how to circumvent them. This requires a new kind of network monitoring and attention to operational security detail. Retail networks will never be secure — with any technology. But, the key is to detect these kinds of attacks within minutes, before keystroke loggers and command and control trojans are placed on POS systems and related servers by carder gangs.

  5. Biff Matthews Says:

    PCI is an expensive farce, just as TSA is protecting us! It’s off the shelf software folks. Wake up!

    If, IF, Hannaford was PCI compliant, all that did was make the hack that much more challenging, and thus interesting and fun, to the perpetrator(s). Whether DSW, TJX, Hannaford, Ohio University or the US Government and, if the truth be told, Visa and MasterCard, these entities are, like every business, constrained in their data security efforts by budgets, personnel resources, time and then legacy technology. Hackers, on the other hand, have no budget, can enlist as many personnel resources as may want to join in the challenge, have as much time as is needed, use global resources plus have the latest, even bleeding edge technology. The rest of us can’t win plus are only a millimeter ahead of the criminals.

    I’m for data security; however, the PCI approach is really bassackwards with 99.99% of the resources focused on the wrong target.

    Apprehend and appropriately punish the perpetrators in such a manner as to be so horrendous as to put the utmost fear of the consequences in others that they forgo such a crime. Punishment hidden is no deterrent, but that’s a whole different subject.

    In order to apprehend the culprits, those responsible must stop hiding behind the issue of national boundaries because these crimes are global in nature. Why? Because criminals know they can hide within their borders as long as they don’t commit a crime on people within that border. As with telemarketing scams in the US, they are never perpetrated within the state in which the criminals are physically located. WAKE UP!

    I won’t even get into what I think should be the punishment once we catch the bastards.

