Filling the Breach
Aug 11, 2008 12:00 PM, By MICHAEL GARRY
Hannaford Bros. and others have learned much about improving card security since the chain’s massive breach earlier this year, but will it be enough?
Hannaford's network includes not only its transaction network but “wherever customer data resides,” such as its website and pharmacy system, she noted. “When we look at ISO, we're looking at our networks and computer systems broadly and holistically to make sure we have the appropriate firewalls, segmentation and intrusion detection — both at retail and at corporate headquarters.”
Hannaford established a customer service line to receive calls about the breach. These days, “we get a couple of calls here and there,” said Eleazer. “Overall, we have found customers to be incredibly understanding and supportive. It's a tribute to the relationship our managers and associates have with our customers.” Sales “remain within our expectations.”
Prior to the discovery of the breach, Hannaford had been certified as PCI-compliant in February of 2007 and 2008. However, the breach caused the chain to immediately lose its certification. “We're working now to be recertified as PCI-compliant,” said Eleazer.
Though it declines to say whether it has reacted specifically to the Hannaford breach, the PCI Security Standards Council, Wakefield, Mass., which oversees the PCI standards, has taken several steps since March to enhance them.
For example, it has announced plans to roll out a new version of the PCI standards — PCI DSS version 1.2 — in October, in part to “address new and evolving risks and threats,” according to a statement from the council. The changes, while “not dramatic, will take into account feedback from the retail community, including food retailers,” said Ella Nevill, a spokeswoman for the organization.
In April, the council announced the availability of two “information supplements” for the current standards. One addresses “penetration testing,” which helps to ensure that networks and applications are protected from outside intrusion.
Also in April, the council announced the release of version 1.1 of the Payment Application Data Security Standard (PA-DSS), and in September plans to provide a list of validated applications. These are applications that store, process or transmit cardholder data as part of authorization or settlement.
PCI security standards are still considered inadequate in some quarters. “PCI compliance is part of the process, but it doesn't guarantee you're safe,” said Dave Hogan, CIO for the National Retail Federation.
Hogan would like to see the credit card industry go well beyond PCI standards, including the development of a “more secure payment method.” One example is the microchip and PIN system used with credit cards in the United Kingdom, or at a minimum the use of a PIN with credit card payments.
In the Hannaford breach, signature-based debit cards were affected but PINs were never exposed.
7/'10: The deadline for using terminals deemed PCI PED- or Visa PED-compliant (Source: MasterCard)