Friday, March 21, 2008

Hannaford Supermarket Breach Calls PCI Compliance Into Question

Andrew Conry-Murray writes on InformationWeek:

The latest exposure of millions of credit and debit card numbers by Hannaford Bros., a grocery chain with 271 locations in New England and Florida, raises new questions about the value of the credit card industry's controversial security rules, known as PCI. The Payment Card Industry Data Security Standard was put in place by major card brands, including Visa and MasterCard, to ensure that retailers take sufficient steps to protect customers' financial data. More than 3,600 U.S. retailers comply with--or are working to come into compliance with--the PCI program.

But retailers and security vendors know that PCI compliance is a slippery concept in terms of determining who is, and is not, up to par. And the Hannaford breach--in which 4.2 million credit and debit card numbers were exposed even as the company's Web site states that it "has been certified as compliant" with PCI--demonstrates to the rest of the world just how fluid this concept really is.

Bottom line, PCI compliance is mutable. While a compliance certification is valid for one year, a retailer may perform actions, or fail to perform actions, that take it out of compliance. On the one hand, this is sensible. PCI rules are like the dietary guidelines a doctor issues to a patient. It's not the physician's fault if someone with through-the-roof cholesterol ignores advice and eats like Homer Simpson.

More here.

1 Comments:

At Wed Apr 30, 09:06:00 AM PDT, Anonymous Anonymous said...

Actually, I compliance certificate is only good for 3 months as the PCI Security Standards Council require quarterly compliance.

 

Post a Comment

<< Home