Hannaford Bros. PCI Compliance Claim Spurs Questions

The major data breach at the Hannaford Brothers grocery chain is not record-setting in terms of the volume of records exposed: the 4.2 million records breached are dwarfed by the 94 million records exposed in the TJX breach. But the Hannaford breach is groundbreaking in its own way, because it is the first publicly reported breach to hit a retailer that claims to have been certified as compliant with the Payment Card Industry Data Security Standard (PCI DSS, referred to here simply as PCI).

This payment-industry standard sets a minimum level of governance and security practice for safeguarding cardholder data at any organization that stores, processes or transmits it. Passing an assessment is not widely mistaken for immunity: in a recent study conducted by Solidcore Systems and Emagined Security, 94 percent of organizations surveyed said that passing their PCI assessment gave them no confidence that they would not suffer a breach.

Details are still forthcoming, but Hannaford representatives told the press last week that the company was compliant with PCI at the time of the attack.

“I don’t know if it is true or not, but if what they’ve said to the press is true, this is the first public case of retailers saying they were compliant exactly at the time of the breach,” said Avivah Litan, an analyst at Gartner.

As the Hannaford Bros. breach illustrates, PCI compliance does not make an organization invulnerable to attack. A PCI assessment attests that the required controls were in place in the cardholder data environment when the assessor examined it; it is a point-in-time judgment, not a continuous guarantee that the environment stays that way.

“We have to continue to remind ourselves that anybody can be owned by attackers at any time because the world and the attack surface are so dynamic,” said Mike Rothman, principal analyst with Security Incite and a noted expert on PCI compliance. “Even if you’re compliant today, when the auditor or the examiner or assessor shows up and puts you through your paces, as soon as you hire a new employee or you fire an employee, when you add a new application, you take an application down, or when you add a new customer; any of these things puts the whole environment back into dynamic turmoil.”

Because details of the Hannaford breach are still forthcoming, it is hard to know whether a breach at a PCI-compliant retailer resulted from the “dynamic turmoil” Rothman describes, from lenient auditing by its PCI assessor, or from a weakness in the standard itself.

Baseline editor-in-chief Lawrence Walsh writes that the Hannaford Bros. breach proves, yet again, that there is no such thing as “unbreakable” security.

Whatever the reason for the breach, this unprecedented security event is already sparking debate about the liabilities faced by a PCI-compliant organization that suffers a breach, and about the efficacy of the standard and its assessors.