Filling the Breach
Aug 11, 2008 12:00 PM, By MICHAEL GARRY
Hannaford Bros. and others have learned much about improving card security since the chain’s massive breach earlier this year, but will it be enough?
On March 17 of this year, Hannaford Bros., Scarborough, Maine, stunned the food retailing industry when it announced that a data breach at the checkout lanes of its stores had exposed 4.2 million credit and debit cards to fraudulent misuse. About 1,800 cases of actual card fraud were linked to the breach.
While other food retailers have also been struck by data thieves — notably at Stop & Shop last year, and more recently at Lunardi's and BJ's Wholesale Club — the Hannaford breach is one of the largest to hit a supermarket chain.
The breach affected cards used at Hannaford's 165 stores in New England, as well as at 106 Florida stores operated by Tampa-based Sweetbay, whose IT operations are overseen by Hannaford, and at some independently owned Northeast stores that carry Hannaford products. Both Hannaford and Sweetbay are divisions of Belgium-based Delhaize Group.
Most surprising — and disconcerting — was that the breach occurred despite Hannaford's compliance with Payment Card Industry (PCI) Data Security Standards, which Visa, MasterCard and other card associations established as a major line of defense against security intrusions.
Meanwhile, the U.S. Secret Service, which is leading the criminal investigation into the breach, has not yet announced any arrests. Class action suits filed by consumers against Hannaford, which allege that the chain failed to adequately safeguard card data, are pending in U.S. Federal Court in Portland, Maine.
What has Hannaford — and, by extension, food retailers as a whole — learned from this experience?
For one thing, the breach exposed a weakness in Hannaford's card processing procedure that it has since addressed. The chain discovered that malware installed on its store servers was able to gather credit card numbers as the data was being transmitted from the card-swipe PIN pad across its private network to its centralized payment switch.
“Our customer card information is now encrypted from the [PIN pad] in the lane and remains encrypted the entire time it is on our network,” said Carol Eleazer, vice president of marketing for Hannaford, who has served as the company's spokesperson on the breach. In the past, the data was encrypted during “part of the trip” through Hannaford's private processing network, she noted. PCI standards require encryption for data in transit on public networks but not on private ones.
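The difference between encrypting for "part of the trip" and keeping the card data encrypted from the lane to the switch is easy to model. The following is an added example, not Hannaford's or VeriFone's code: it stands in AES-256-GCM with freshly generated keys for the PIN pad's injected keys, and the three hops (PIN pad, store server, central switch) and the `Transit` function are assumptions made for illustration.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/hex"
)

// randBytes returns n random bytes (constructed stand-in for keys injected into a PIN pad).
func randBytes(n int) []byte {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		panic(err)
	}
	return b
}

// seal encrypts msg with AES-256-GCM and prepends the nonce (cipher errors ignored: keys are always 32 bytes).
func seal(key []byte, msg string) []byte {
	block, _ := aes.NewCipher(key)
	g, _ := cipher.NewGCM(block)
	nonce := randBytes(g.NonceSize())
	return g.Seal(nonce, nonce, []byte(msg), nil)
}

// open reverses seal; "" means the key was wrong or the bytes were altered in transit (GCM tag check fails).
func open(key, ct []byte) string {
	block, _ := aes.NewCipher(key)
	g, _ := cipher.NewGCM(block)
	pt, err := g.Open(nil, ct[:g.NonceSize()], ct[g.NonceSize():], nil)
	if err != nil {
		return ""
	}
	return string(pt)
}

// Transit models one swipe travelling PIN pad -> store server -> central switch and returns
// what a process on the store server could read, plus what the switch recovered.
// hopByHop=true: pad encrypts only to the server, which decrypts and re-encrypts for the switch
// ("part of the trip"); hopByHop=false: pad encrypts under a key only the switch holds.
func Transit(pan string, hopByHop bool) (seenOnServer, receivedAtSwitch string) {
	padServerKey, switchKey := randBytes(32), randBytes(32)
	if hopByHop {
		onServer := open(padServerKey, seal(padServerKey, pan))
		return onServer, open(switchKey, seal(switchKey, onServer))
	}
	fromPad := seal(switchKey, pan)
	return hex.EncodeToString(fromPad), open(switchKey, fromPad)
}
```

In the hop-by-hop case the card number exists in clear text on the store server, which is exactly where the malware described above was sitting; in the end-to-end case the server only ever handles ciphertext it cannot open, and any alteration by a compromised server is rejected at the switch.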
Hannaford is in the process of rolling out new PIN pads, the MX830 terminal from VeriFone, San Jose, Calif., and is expected to finish in October. As part of that rollout, the chain is implementing what is called TDES (triple data encryption standard) PIN encryption, which Eleazer described as the “highest possible level of PIN encryption.”
Hannaford's current and new PIN pads meet the PCI PED (PIN entry device) data security standard established by the credit card associations for these devices. All transaction terminals sold since January have been upgraded to this standard, said Jeff Wakefield, vice president of marketing, retail systems, for VeriFone.