The mysterious credit and debit card security breach revealed at Hannaford Bros. last month raises questions about the effectiveness of standards at protecting the public against fraudulent practices, whether the goal is preventing data breaches or securing the food supply chain.
Standards have been developed in all industry sectors as rules and guidelines that help ensure the quality, safety and reliability of traded goods and services. Companies that adhere to today's best practices standards not only facilitate trade, but also secure the public's trust in their compliance with these practices.
The Payment Card Industry Data Security Standard, which Hannaford Bros. said it is in compliance with, is a good example of why standards are necessary. Prior to the implementation of the PCI standards in 2005, each credit card issuer operated under its own proprietary rules for securing data. Retailers had to cope with a different set of regulations for each card company even as they witnessed an increase in credit card breaches. The U.S. Department of Homeland Security has put the cost of credit and charge card fraud as high as $500 million a year.
The PCI standards were created by MasterCard, and American Express, Discover and Visa agreed to the standards in 2004. The regulations, which protect network systems from financial and data loss, went into effect the next year. However, as the Hannaford Bros. case — and previous data breaches — illustrate, these regulations have not deterred the bad guys from breaking through the firewall.
Hannaford has discovered that compliance with industry standards is no guarantee of protection against liability. The retailer is now facing at least six class-action lawsuits over the exposure of 4.2 million credit and debit card numbers. According to Hannaford, 1,800 cases of fraud were reported in connection with the incident, which was attributed to “malware,” a name for software designed to infiltrate a computer system.
While standards are necessary to simplify overall compliance and to better protect the public against data breaches, they risk lulling those involved — particularly food retailers — into a false sense of security by making them think they have done everything possible to protect themselves and their customers against loss. In examining the Hannaford breach, Dennis Fisher, executive editor, SearchSecurity.com, suggests in an April 8 editorial that blame could be placed on an industry mind-set focused on compliance with standards rather than on fixing an unsecured system. “Companies must take to heart the painful experience known as continuous process improvement and constantly work to do things better,” he writes.
The Hannaford case suggests at the very least there should have been more timely reporting of the incident to the public. There was a two-week lag from the time Hannaford discovered the breach on Feb. 27 to its announcement of the breach on March 17.
While there will always be standards, they shouldn't always be written in stone. Those responsible for securing data, including retailers, should learn there is no “gold” standard. The standards process is a moving target, and all parties need to work together to keep improving it.