Filling the Breach
Aug 11, 2008 12:00 PM, By MICHAEL GARRY
Hannaford Bros. and others have learned much about improving card security since the chain’s massive breach earlier this year, but will it be enough?
Moreover, said Wakefield, PCI PED was incorporated into the overall PCI standards this year. Retailers will be required to use PCI PED terminals (or, at a minimum, terminals adhering to Visa PED) by July 2010, though he characterized retailers not using them now as “sitting ducks” for data hackers. “Criminals understand how to breach those [pre-PCI PED] products.”
In April, VeriFone, in concert with Semtek, San Diego, introduced a data security system, VeriShield Protect, designed to prevent the kind of data breach that Hannaford experienced. Using an encryption process called H (hidden)-TDES, the system encrypts card data “as soon as the card is slid through the mag-stripe reader,” said Wakefield. When the data reaches its destination, such as at an acquirer bank or the merchant's headquarters, it is decrypted via a host security module.
Family Dollar, Matthews, N.C., which operates 6,500 stores nationally, announced in April that it will deploy the VeriShield Protect system in conjunction with VeriFone's MX830 payment terminals. The system “ensures that our stores do not store or transmit any consumer card account data that could be compromised,” said Josh Jewett, chief information officer, Family Dollar, in a statement.
Wakefield said the cost of the service for a 100-store chain is under $2,000 per store, plus a per-transaction fee that is less than a penny.
Military-Style Measures
In addition to securing card data in transit, Hannaford has taken a number of other steps to beef up security. It has partnered with a slew of technology vendors, including General Dynamics, Cisco, IBM and Microsoft, to apply measures “borrowed from the military and industry for the retail environment,” said Eleazer. The overall investment, aimed at making Hannaford “a leader” in providing a secure shopping environment, “will be counted in the millions of dollars.”
“The security bar gets raised all of the time,” she noted. “Security is not a point in time or a single event. It's an ever-escalating threshold and a continuous process.”
Among Hannaford's other security measures:
- It has installed a 24-by-7 security monitoring and intrusion detection service managed by IBM that provides “real-time alerts on intrusive traffic,” said Eleazer. This would prevent delays between the initiation of a breach and its discovery by the chain. When Hannaford discovered its breach in February as a result of consumer fraud tied to it, the intrusion had been taking place since December.
- The chain is installing a Network Intrusion Prevention System, which will be followed by the installation of a Host Intrusion Prevention System.
- The chain has committed to launch a “holistic” information security management system based on ISO 27001 standards. “We have convened a governance group and are actively in the process of applying those standards to our network security,” Eleazer said. “ISO standards are more about the process around network security than about software fixes.”