Retail Systems Research
Data Breaches: Where’s the Liability?
By Steve Rowen, Partner
3/25/2008
 
Last week, Hannaford Brothers announced that 4.2 million credit and debit card numbers were exposed in a data breach that ran for roughly four months. As a result, the industry is looking for somewhere to place the liability.
 
Yet as former retailers, we have to wonder what Bill Homa, CIO of Hannaford, is feeling this week. By all early accounts, Homa did everything he was supposed to do. According to Hannaford spokesperson Carol Eleaza, Homa's shop was fully PCI compliant. The breach also did not involve stored customer or payment data: the AP reports that the card data was stolen in transit, on its way from POS PIN pad devices to the banks. Does this mean the liability lies with the PCI auditors? Or does it lie with VISA and the other card brands for not making the PCI DSS strict enough?
 
We don’t think so. Granted, it is early, and details of the Hannaford breach will continue to emerge in the coming weeks. But VISA and the card brands are essentially banks, not IT companies. For years we’ve been saying that achieving PCI compliance is not an end goal, but a good place to start protecting sensitive customer data (in this case, payment data).
 
In fact, the entire PCI DSS came about as an attempt by the card brands to help retail regulate itself before the Federal government was forced to step in. What this breach proves is that PCI is not, and never was, enough. The standard in force at the time, for example, required cardholder data to be encrypted only when it crossed open, public networks, so card data moving across a store’s own network could travel in the clear without breaking compliance. When you think about it, PCI was in some ways a valiant effort and a great starting point, but the very notion that a bank should be telling retail IT staff how to run their shop and protect it from technological threats is actually quite silly. The industry needs technical leadership, but where should it come from? Certainly not from a bank.
 
So where does the liability lay?
 
Paula brought up an interesting point. In the early 1990s, every time a PC user suffered any type of intrusion or security breach, heads at Microsoft rolled. “We whined all the time whenever we had to dedicate someone to applying MSFT patches. But because we whined, we got safer and were hacked less frequently.” As a result, the entire personal computer manufacturing community took it upon itself to secure the products it sold.
 
Why, then, is Microsoft responsible for fixing its exploitable weaknesses? Why is Apple? And if they have assumed the responsibility of protecting their users, why haven’t the manufacturers of in-store hardware and networks done the same?
 
Securing data in transit is like defending against any other malware threat: the target keeps moving. Dollars are tight right now, and our research shows that retailers are well behind in their efforts to secure all types of customer data. The “tough love truth” remains that PCI has never been a silver bullet, and retailers need to dedicate resources to locking down data in every state, at rest and in transit. Whether that means paying encryption vendors or dedicating resources of their own, this security is going to cost something.
 
What do you think?