Extending PCI's Reach

LAST MONTH, T&T SUPERMARKET, Vancouver, British Columbia, alerted customers to an illegal attack on its website resulting in the exposure of 58,000 customer names, addresses, email addresses, phone numbers and passwords, as well as information submitted by job applicants. T&T is a division of Toronto-based Loblaw Cos., and operates 20 Asian supermarkets.

In April, servers at Epsilon Interactive, a database services firm storing the names and email addresses of loyalty shoppers at Kroger, Target, Walgreen and many other retailers, were compromised. Those retailers subsequently alerted shoppers that their email addresses may have been appropriated.

The upshot of these breaches has been a call by industry observers for retailers to apply the PCI (Payment Card Industry) data security standard, which today governs only credit and debit card data, to all of the consumer information they hold.

“The risk here is that the [email addresses] will be used for phishing attacks,” said Walt Conway, manager, 403 Labs, San Francisco, a qualified security assessor (QSA) and forensics investigator. “So it's a general security issue.”

The PCI standard, Conway added, “should be used to protect all of your sensitive data — Social Security numbers, loyalty card numbers, email addresses, mother's maiden names, etc.” But he wouldn't want the PCI Security Standards Council to make securing that data a requirement for retailers. “That's not going to happen anyway; the card brands don't care about [non-card data].”

Scott Laliberte, managing director for Protiviti, a consulting and auditing firm based in Menlo Park, Calif., noted that retailers need to be concerned about protecting email addresses because of state and federal laws addressing consumer privacy. “If you say in your privacy policy that you are going to protect all sensitive data and you don't, the [Federal Trade Commission] may go after you,” he said.