Hannaford Bros. PCI Compliance Claim Spurs Questions

By Ericka Chickowski  |  Posted 2008-03-28

The major data breach affecting Hannaford Brothers grocery chain isn’t record-setting in terms of the volume of records exposed—the 4.2 million records breached is dwarfed by the 94 million records exposed during the TJX breach. But the Hannaford breach is groundbreaking in its own way, because this massive security incident is the first publicly reported exposure to hit a retailer that claims to have been certified as compliant with the Payment Card Industry Data Security Standard (PCI).

This retail industry standard for security sets a minimum level of governance and security practices to safeguard credit card data handled by any organization that accepts credit card payments. In a recent study conducted by Solidcore Systems and Emagined Security, 94 percent of organizations surveyed said they were not confident they wouldn’t suffer a breach after passing their PCI assessment.

Details are still forthcoming, but Hannaford representatives told the press last week that the company was compliant with PCI at the time of the attack.

“I don't know if it is true or not, but if what they've said to the press is true, this is the first public case of retailers saying they were compliant exactly at the time of the breach,” said Avivah Litan, analyst for Gartner.

As the Hannaford Bros. breach illustrates ever so clearly, PCI compliance doesn’t make organizations invulnerable to risks and attacks.

“We have to continue to remind ourselves that anybody can be owned by attackers at any time because the world and the attack surface is so dynamic,” said Mike Rothman, principal analyst with Security Incite and a noted expert on PCI compliance. “Even if you're compliant today, when the auditor or the examiner or assessor shows up and puts you through your paces, as soon as you hire a new employee or you fire an employee, when you add a new application, you take an application down, or when you add a new customer; any of these things puts the whole environment back into dynamic turmoil."

Details about the Hannaford breach are still forthcoming, so it is hard to know whether a breach in the face of PCI compliance was the result of the “dynamic turmoil” Rothman refers to, of lenient auditing by its PCI assessor, or of a problem with the standard itself.

No matter what the reason for the breach, this unprecedented security event is already sparking debate about the liabilities faced by a PCI-compliant organization that suffers a breach, and about the efficacy of the standard and its auditors.

Liability Issues
Analysts such as Litan, Rothman and Diana Kelley of Security Curve are watching closely as the Hannaford drama unfolds, as it is the first big test of the legal liability for data breaches affecting PCI-compliant merchants. Both Litan and Kelley agree that compliance is hardly a shield against becoming the target of a lawsuit, as a pair of class-action suits against the chain has quickly demonstrated. The question is whether the courts will give Hannaford credit for due diligence simply because of its state of compliance at the time of the breach.

“The bottom line is that PCI compliance does not give you any indemnification or protection; there's nothing in the process that says 'now you're safe.’ But that's never been something that stores expected,” Kelley said. “I think where it's going to be interesting is to see how the lawsuits go, because a smart lawyer can now say, ‘Look, my client was compliant with the industry standard best practice.’ So that might impact their liability a little."

Therein lies the problem with the mindless pursuit of compliance that some in the “check-box compliance” crowd still chase, says Fred Pinkett, vice president of product management at Core Security Technologies, a penetration testing firm and a PCI Qualified Security Assessor (QSA).

“At the end of the day, the fact that you were compliant but you did it in an irresponsible way doesn't stop you from being sued,” Pinkett said. “As far as I know, there is no legal precedent for saying I’ve got a stamp from these third parties so that means my responsibility is fulfilled. I don’t think anyone has tested what reasonable security is or what reasonable best practices are for protecting credit card data in a consumer responsibility and a legal sense."

Litan agrees that Hannaford’s state of compliance won’t protect the company from being slapped with lawsuits, but it should keep it from being held accountable for the cost of fraud incurred as a result of the breach.

“There's no safe harbor for lawsuits,” Litan said, “but in terms of the card companies’ rules, what I've been told is that if you're in compliance at the time of the breach, then you're not liable for the fraud costs."

These costs are typically incurred by a number of banks across the country that must reissue cards to customers affected by the breach. These banks then bring their complaint to the various card brands, such as Visa and MasterCard, which reimburse them with the expectation that they’ll recoup the losses from the breached merchant’s bank. Called the ‘acquiring bank,’ this bank has the right to recoup its own losses by taking that money from the breached merchant’s account if the merchant isn’t PCI compliant. But under PCI rules, the acquiring bank is left holding the bag if the merchant was certified by a QSA as PCI compliant.

“The buck does stop with the acquiring bank,” Litan said. “I think the biggest change (this could spark) is that acquiring banks are going to take this more seriously instead of just delegating it to assessors and just kind of accepting whatever the assessors say.”

Scrutinizing Assessors
Most security experts will tell you that there is no such thing as a perfect security playbook. The dynamic nature of IT security calls for different 'plays' that suit each team, which is why most security standards must contain some level of vagueness to allow for customization. Though it is widely regarded as the most thorough and specific of all security standards, the PCI rule set is still open to interpretation. And the people who must shoulder the responsibility of interpreting it are the assessors performing audits before rubber-stamping organizations as “PCI Compliant.”

There are currently more than 120 QSAs authorized by the PCI Security Council to conduct PCI compliance audits, and each has its own interpretation of PCI.

“It comes down to interpretation,” said Chris Konrad, senior vice president at Fortrex Technologies, a QSA. “You know, there's still room for interpretation with the audits, and since each of these assessors may interpret the standards or requirements differently, it’s possible that they're not doing the due diligence they need to do."

For example, Pinkett of Core Security says that when it comes to penetration testing, all PCI mandates is that some form of penetration testing be executed. It doesn’t delineate what ‘penetration testing’ actually means for the purpose of certification.

“So that could mean somebody looked at one system to see if there were vulnerabilities or that could mean that a team of one hundred tried to break in with every possible tool in the world,” Pinkett said. “So it comes down to at the end of the day, the responsibility of the company getting the assessment, the responsibility of the assessor to be well-educated and perform at the best-practices level."

Hannaford has chosen to stay mum on which company performed its PCI compliance assessment, and it will be a long time before it becomes clear whether this assessor did its job poorly. But some security experts believe that, as legal wrangling over the breach heats up, Hannaford may very well publicly roll over on its assessor if it really was compliant at the time of the breach.

“My guess is that the assessor here is probably very nervous,” Litan said.

The situation could turn into an ugly bout of finger pointing, Kelley agreed.

More importantly, though, this case of a compliant company suffering a breach may spark discussion about the governance of the PCI Qualified Security Assessors program.

“I think this issue is going to flare up, because the assessors do have different interpretations of the standard. Nobody will step in and actually say 'This is the bottom line' because the council is in charge of the standard but not compliance,” Kelley said. “So this could be a sort of a flash point for focus on the assessors and how the council's managing them, because there have been complaints about quality of assessors and some assessors trying to sell products as part of the compliance process."

As the system currently stands, merchants choose which assessors they work with, and some assessors are definitely stingier than others with PCI certifications. Many organizations realize this, and some may go about choosing an assessor the way a lazy college student chooses a professor: pick the one who gives the highest grades, Pinkett says.

The difficulty, Rothman says, is that there is no way to completely eliminate the human element of assessment. “It all gets back to the opinion of the assessor, and there is no way to institutionalize that,” he said. “I mean you can certainly try to push for standards, you can make everything into a sort of cookbook but at the end of the day you're still going to need a person that’s assessing and providing their opinion on what another set of people are doing."

Looking At The Standard
The Hannaford incident has also spurred questions about the PCI standard itself, but most security experts agree that, beyond a few tweaks, the standard is actually pretty decent.

It is a matter of getting organizations to comply in good faith rather than simply chasing compliance for the sake of the certification.

“There's still the loophole around compensating controls which you can drive a truck through and things aren't specified that well, but PCI is better than some of the other standards that are out there,” said Pinkett. “Like any system, if you want to be responsible you can make really good use of it and it helps you have a checklist and helps you communicate to management the importance of the budget that needs to be applied to security programs. Or if you want to game the system, you can game the system so that you can get a checkmark and do as little as possible for that."

Public relations representatives for the PCI Security Council stated that the council is waiting for details about the Hannaford breach before commenting on how it will affect the council’s vision for the standard.

Litan of Gartner believes it might stimulate some changes, but that an overhaul isn’t necessary.

“I think that the standard is adequate,” Litan said. “I think that what should happen is that maybe the PCI Security Council will refine section 11 of the standard, which talks about regularly testing the security systems and processes, to be more specific, give more guidance and train the assessors on what to look for because right now it is a little general. But you don’t want them to give too much prescription.”