In-Depth

Grocery Chain’s Data Breach Extends Security Debate

Over 1,800 known cases of fraud result from data breach

• 03/25/2008

by Jabulani Leffall

Currently, Visa Inc., MasterCard, and its other peers in the PCI comprise the main governing body that's responsible for policing the consumer and business-to-business retail transaction sector. However, mounting evidence of breaches -- such as what happened at Hannaford Bros. -- coupled with the fact that there have been more than 218 million records compromised since January 2005 suggest that the current structure isn't working.

"The issue is twofold," said Christian Phillips, chief security officer at Regulus, a transaction processing and remittance service provider. "Either merchants have to put more money into compliance and IT security controls or a third-party with not-so-obvious interests has to step in and set uniform IT security standards."

Phillips, who calls the control matrices he works up for IT security related to PCI a "large pile of Jello," contends that the problem with current PCI standards is the lack of uniformity.

"That's because I can't predict what Visa or MasterCard will ask us to change or what appliances and software will be in compliance one moment and out the next," he said.

Visa and MasterCard did not return calls for comment.

Compliance with a Small C?

The Hannaford case comes in the wake of the largest breach ever at TJX Cos., the parent company of discount clothiers T.J. Maxx and Marshalls. TJX last year reported at least 45.7 million cards were exposed, while banks' court filings put the number at more than 100 million. But IT security compliance in that case was shoddy at best.

Court records in a federal lawsuit over those breaches reveal that Visa knew about the extensive security problems at TJX as far back as late 2005, but decided to give TJX permission to remain non-compliant through Dec. 31, 2008. Visa's leniency, critics contend, had a lot to do with the high volume of credit card processing at TJX stores from which Visa stood to gain.

In the biggest irony imaginable, TJX and Hannaford Bros. both have their headquarters in the same state as the Boston-based PCI Security Standards Council, the non-profit organization that -- with the blessing of credit card companies -- sets security standards for the industry. The group in late February published a detailed set of "self-assessment questionnaires" for small and medium-sized retailers, who typically aren't required to have their data security reviewed by outside IT and financial auditors. The guidance addresses hundreds of scenarios and, according to PCI, will go a long way toward simplifying the self-assessment process for merchants and security consultants worried about PCI compliance.

Critics of the current informal regulatory structure have suggested that the burden placed on merchants to retain customer data is what's making them prime targets for hackers.

In a letter submitted to PCI late last year, National Retail Federation CIO David Hogan pointed out that credit card companies typically require retailers to store credit card numbers anywhere from one year to 18 months to satisfy card company retrieval requests. He argued retailers should have a choice as to whether they want to store credit card numbers at all.

"Instead of making the industry jump through hoops to create an impenetrable fortress, retailers want to eliminate the incentive for hackers to break into their systems in the first place," Hogan wrote.

Beth Givens, director of Privacy Rights Clearinghouse, a research and consumer advocacy group based in San Diego, Calif., calls data storage "a double-edged sword" for retailers and other merchants, and said that for consumers and banks, long, costly investigations into breaches can cost money.

"When you look at Hannaford and what happened, it might be the straw that breaks the camel's back," she said. "You think that perhaps state legislatures should follow Minnesota's lead on PCI compliance laws, but [it] has to be something with some teeth so that merchants, security consultants, and credit card companies know the stakes involved."

Security Solutions in Merchants' Hands

For merchants running a Windows architecture to process data, integration and streamlining of the data flow is key. To that end, for small merchants, Microsoft's Point of Sale application can serve as the interface for logging sales data while the pertinent information should probably be stored on an off-site SQL Server-based system or farmed out to a third-party for storage and archiving, if not periodic oversight.

"Companies are in a difficult position because right now it's either you comply or don't accept credit cards," said Michael Gavin, a security strategist at Security Innovation, a consulting firm in Boston that conducts annual and quarterly security audits for its PCI clients. "I think the key here is to eliminate the low-hanging fruit, meaning the points of entry or vectors for fraud that are just obvious."

Chris Schwartzbauer, vice president of field operations for IT security firm Shavlik Technologies in St. Paul, Minn., agrees, saying customizable software and manual and automated controls are needed to protect data. He added that everyone needs to take care of their own house and remember that PCI is still in its infancy; its rules and methodologies will take time to catch up with technology.

"Right now, PCI is one of the greatest drivers for increased IT security for service organizations and companies themselves," he said. "Ultimately, though, it's the merchants' responsibility to make sure the environment is locked up tight."

Jabulani Leffall is a business consultant and journalist whose work has appeared in the Financial Times of London and Investor's Business Daily. He has consulted for Deloitte & Touche LLP and was a business and world affairs commentator on ABC and CNN.