Skip navigation
Card Security Standard Forgot Hannaford Breach

Card Security Standard Forgot Hannaford Breach

Even in the current economic downturn, retailers need to remain vigilant about certain technical issues, particularly consumer data security.

In the past few months, the credit card industry, through its PCI (Payment Card Industry) Security Standards Council, has taken some steps to help retailers improve the security of their card data. As reported in last week's issue, the council launched a quality assurance program in November to bring greater predictability to the audits that retailers undergo to prove that they are complying with the PCI Data Security Standard. In addition, on Oct. 1 the council unveiled the latest incarnation of the PCI standard, version 1.2, based on two years of feedback from the industry.

But many observers were struck by what the council left out of its new Data Security Standard. The council was certainly aware of the enormous data breach that hit Hannaford Bros., Scarborough, Maine, a year ago, when 4.2 million credit and debit cards were exposed at the chain's checkout lanes. It also undoubtedly read reports explaining that the thieves captured unencrypted card data while it was “in transit” — moving from the card-swipe/PIN terminal at the POS across Hannaford's private network to its centralized payment switch.

Yet version 1.2 of the PCI standard did nothing to tighten its rules regarding encryption of card data in transit. Currently, the standard requires only data in transit over public networks such as the Internet to be encrypted; it does not require encryption of data traveling over private networks like the ones used by Hannaford and most other retailers.

Of course, in the aftermath of its breach, Hannaford has invested in technology to provide end-to-end encryption of card information in the chain's private network, exceeding what is required by the PCI standard.

Why would the PCI standard allow this glaring omission in regard to encryption of data in transit? The council did not respond to my recent attempts to ask this question. But it's clear that an upgrade in encryption protocols would require a costly investment in technology and business-process changes. For the time being, the council does not want to impose these costs, especially in hard economic times.

In the card-processing game, though, there are really two players: retailers that send the data, and payment processors/banks that receive it. If retailers encrypt their data, processors need to be able to decrypt it. The question is, should retailers be responsible for both encryption and decryption? Shouldn't the processors/banks bear responsibility for some of this?

The final word may come from the government. In October, Nevada became the first U.S. state to enact a law that requires encryption for all external transfers of a customer's personal information. It apparently impacts processors as well as retailers. According to Gartner, Stamford, Conn., other states (and possibly the federal government) will follow Nevada's lead.

Perhaps then the cost of in-transit data encryption will be shared more equitably.