Hannaford Breach & PCI Compliance
Posted by Prat Moghe on Wed, Mar 19, 2008
By now, everyone has heard about the Hannaford breach. As always, there is confusion about the facts and about the effect on consumers, as well as on retailers, banks, and service providers. I am going to do a series of posts around this breach since it has special implications for several reasons:
1. Hannaford was the first big retailer to have a breach in spite of (allegedly) being PCI Compliant.
2. Hannaford apparently did not store any customer names, yet the data theft resulted in fraud.
3. Since many of the chain's customers use debit cards to purchase groceries, this breach could have more painful fallout for consumers than the TJX breach (which was focused on credit cards).
Today, I will explore the first theme - the breach and PCI Compliance.
Background:
According to Digital Transactions (March 17), 4.2 million credit and debit card numbers were exposed in a breach that happened between Dec. 7 and March 10. As a result, 1,800 cases of fraud are believed to be linked to the breach.
Hannaford's president and chief executive, Ronald C. Hodge, indicated that the hacker or hackers obtained card numbers and expiration dates during the authorization process, implying possible illicit access as data moved between point of sale terminals, electronic cash registers, or servers.
Apparently, Hannaford vice president of marketing Carol Eleazer told Digital Transactions News, "We were certified [as PCI-compliant] last spring and we were re-certified in February". Hannaford's PCI assessor is not known at this point. Eleazer did not have further details on Tuesday about exactly how the fraud happened, saying it is under investigation by the U.S. Secret Service and experts inside and outside the company. But she does say that Hannaford had been using data encryption all of last year. In fact, she adds, "in 2007 we had just recently upgraded our wireless encryption."
Breach & PCI Compliance:
The question is if Hannaford was indeed PCI compliant, why did the breach happen? Does it mean that PCI compliance is worthless? I have seen some talk about this in the blogosphere. See Rich Mogull's incisive comments at securosis. I maintain that the reality is actually exactly the opposite.
Many people think of PCI Compliance as "fool proofing" their environment against breaches. It is not. PCI Compliance is actually the lowest common denominator of security - it is a practical program of basic security that any environment handling a large number of customers and credit/debit cards should have in place. Unfortunately, most environments are so broken that they view this program as a "white elephant" they cannot afford to take seriously. It is natural in that case that the few who do take PCI seriously expect it to work wonders and keep data safe. The reality is that PCI Compliance gives them the foundation of security that allows them to "know" where they are. Without PCI Compliance, they would be completely lost.
Think about it - PCI Compliance should not be a big deal. For the core infrastructure, it asks for a firewall, basic segmentation of the network, an IDS (monitoring the network), a quarterly vulnerability scan, strong passwords on key servers, and monitoring of cardholder systems. For any data being handled, it recommends storing only the data you actually need and using encryption or masking. This is not extreme security; this is basic common-sense security.
But why doesn't PCI compliance ensure against breaches? Simple - breaches can happen as long as there is a single weak point that can be compromised somewhere in a long, complicated chain of data flow. It is not a question of if. It is a question of when and how much effort is applied. In response, the level of security has to rise -- though this usually happens slowly. As an analogy, think of terrorist attacks. In spite of huge spending, there is no way to guarantee that an attack will not happen. This does not minimize the value of basic airline security checks.
Why not make PCI about extreme security? Some have argued for new security controls to be added to PCI requirements - see Eric Ogren's PCI post as early as April of last year in Dark Reading. For a longer discussion on this check out my old post Why data security cannot stop data theft.