
Filling the Breach


On March 17 of this year, Hannaford Bros., Scarborough, Maine, stunned the food retailing industry when it announced that a data breach at the checkout lanes of its stores had exposed 4.2 million credit and debit cards to fraudulent misuse. About 1,800 cases of actual card fraud were linked to the breach.

While other food retailers have also been struck by data thieves — notably at Stop & Shop last year, and more recently at Lunardi's and BJ's Wholesale Club — the Hannaford breach is one of the largest to hit a supermarket chain.

The breach affected cards used at Hannaford's 165 stores in New England, as well as at 106 Florida stores operated by Tampa-based Sweetbay, whose IT operations are overseen by Hannaford, and at some independently owned Northeast stores that carry Hannaford products. Both Hannaford and Sweetbay are divisions of Belgium-based Delhaize Group.

Most surprising — and disconcerting — was that the breach occurred despite Hannaford's compliance with the Payment Card Industry Data Security Standard (PCI DSS), which Visa, MasterCard and other card associations established as a major line of defense against security intrusions.

Meanwhile, the U.S. Secret Service, which is leading the criminal investigation into the breach, has not yet announced any arrests. Class action suits filed by consumers against Hannaford, which allege that the chain failed to adequately safeguard card data, are pending in U.S. Federal Court in Portland, Maine.

What has Hannaford — and, by extension, food retailers as a whole — learned from this experience?

For one thing, the breach exposed a weakness in Hannaford's card processing procedure that it has since addressed. The chain found that malware installed on its store servers was capturing card numbers in transit between the card-swipe PIN pad and its centralized payment switch, a leg of its private network on which the data was not yet encrypted.

“Our customer card information is now encrypted from the [PIN pad] in the lane and remains encrypted the entire time it is on our network,” said Carol Eleazer, vice president of marketing for Hannaford, who has served as the company's spokesperson on the breach. In the past, the data was encrypted during “part of the trip” through Hannaford's private processing network, she noted. PCI standards require encryption for data in transit on public networks but not on private ones.
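The weakness described above, card data crossing an internal segment in the clear where malware on a store server can read it, is also something a network monitor can test for directly. The following is an added example, not code from Hannaford, IBM or any vendor named in this article: it scans a payload for track-2 data and Luhn-valid card numbers and emits alerts that carry only a masked PAN, so the alert log does not become another copy of the cleartext. The sample payload, its field names and its layout are constructed for illustration; the card numbers are standard test numbers or made up.

```go
package main

import (
	"fmt"
	"regexp"
	"sort"
	"strings"
)

// Constructed sample of what a store server might relay toward the payment switch
// when card data is not encrypted at the PIN pad. All numbers are industry test
// card numbers or made up; none is a real card.
var samplePayload = []byte(
	"STORE=0123 LANE=04 ;4111111111111111=0912101123400001234? AMT=004312\n" + // track 2 in the clear
		"STORE=0123 LANE=05 PAN=5500000000000004 EXP=1011 AMT=001999\n" + // bare PAN in the clear
		"STORE=0123 LANE=06 REF=1234567890123456 AMT=000500\n" + // 16 digits, but fails Luhn
		"STORE=0123 LANE=07 TOKEN=8f3a9c1e77b04d2a AMT=002250\n") // tokenized: nothing to find

// Finding is one alert. Only a masked PAN (first six, last four) is kept so the
// alert itself never holds a full card number.
type Finding struct {
	Offset int
	Kind   string // "track2" or "pan"
	Masked string
}

// Track 2: start sentinel ';', PAN, field separator '=', YYMM expiry, the rest, end sentinel '?'.
var track2Re = regexp.MustCompile(`;(\d{13,19})=\d{4}\d*\?`)

// Any isolated run of 13 to 19 digits is a PAN candidate until the Luhn check says otherwise.
var panRe = regexp.MustCompile(`\b\d{13,19}\b`)

// luhnValid is the check-digit test every card number satisfies; it filters out
// order numbers, references and other long digit strings.
func luhnValid(digits string) bool {
	sum, double := 0, false
	for i := len(digits) - 1; i >= 0; i-- {
		d := int(digits[i] - '0')
		if double {
			if d *= 2; d > 9 {
				d -= 9
			}
		}
		sum += d
		double = !double
	}
	return sum%10 == 0
}

func maskPAN(pan string) string {
	return pan[:6] + strings.Repeat("*", len(pan)-10) + pan[len(pan)-4:]
}

// ScanForCleartextCardData reports track-2 data and Luhn-valid PANs in a payload.
// Track-2 hits are recorded first so the PAN inside them is not reported a second
// time by the bare-PAN pass; results are ordered by byte offset.
func ScanForCleartextCardData(payload []byte) []Finding {
	var out []Finding
	covered := map[int]bool{} // byte offsets already inside a track-2 hit
	for _, m := range track2Re.FindAllSubmatchIndex(payload, -1) {
		pan := string(payload[m[2]:m[3]])
		if !luhnValid(pan) {
			continue
		}
		for i := m[0]; i < m[1]; i++ {
			covered[i] = true
		}
		out = append(out, Finding{m[0], "track2", maskPAN(pan)})
	}
	for _, m := range panRe.FindAllIndex(payload, -1) {
		if pan := string(payload[m[0]:m[1]]); !covered[m[0]] && luhnValid(pan) {
			out = append(out, Finding{m[0], "pan", maskPAN(pan)})
		}
	}
	sort.Slice(out, func(i, j int) bool { return out[i].Offset < out[j].Offset })
	return out
}

func main() {
	for _, f := range ScanForCleartextCardData(samplePayload) {
		fmt.Printf("ALERT offset=%d kind=%s pan=%s\n", f.Offset, f.Kind, f.Masked)
	}
}
```

Run against the sample, the scanner raises two alerts (the track-2 record and the bare PAN) and stays silent on the Luhn-invalid reference number and the tokenized line. Once card data is encrypted at the PIN pad, as Hannaford now does, a scanner like this on the store network should find nothing; a hit after that change means a device or application is still emitting cleartext.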

Hannaford is in the process of rolling out new PIN pads, the MX830 terminal from VeriFone, San Jose, Calif., and is expected to finish in October. As part of that rollout, the chain is implementing what is called TDES (triple data encryption standard) PIN encryption, which Eleazer described as the “highest possible level of PIN encryption.”

Hannaford's current and new PIN pads meet the PCI PED (PIN entry device) data security standard established by the credit card associations for these devices. All transaction terminals sold since January have been upgraded to this standard, said Jeff Wakefield, vice president of marketing, retail systems, for VeriFone.

Moreover, said Wakefield, PCI PED was incorporated into the overall PCI standards this year. Retailers will be required to use PCI PED terminals (or, at a minimum, terminals adhering to Visa PED) by July 2010, though he characterized retailers not using them now as “sitting ducks” for data hackers. “Criminals understand how to breach those [pre-PCI PED] products.”

In April, VeriFone, in concert with Semtek, San Diego, introduced a data security system, VeriShield Protect, designed to prevent the kind of data breach that Hannaford experienced. Using an encryption process called H (hidden)-TDES, the system encrypts card data “as soon as the card is slid through the mag-stripe reader,” said Wakefield. When the data reaches its destination, such as at an acquirer bank or the merchant's headquarters, it is decrypted via a host security module.
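What the TDES PIN encryption Hannaford is rolling out looks like in practice, as an added example that is not VeriFone's, Semtek's or Hannaford's code (VeriShield Protect and H-TDES are proprietary and cover track data as well; only the standard PIN path is shown here): the PIN pad forms an ISO 9564 format 0 PIN block, enciphers it under triple DES, and only that 8-byte ciphertext crosses the store network; the host decrypts it. The key, PAN and PIN are constructed test values. Two simplifications are assumptions of this example: a fixed key stands in for the per-transaction keys (DUKPT) that PCI PIN security requirements call for, and the host decrypts the block to show the round trip where a real host security module would instead translate it to the next zone key without ever releasing the PIN.

```go
package main

import (
	"crypto/cipher"
	"crypto/des"
	"encoding/hex"
	"errors"
	"fmt"
	"strconv"
	"strings"
)

// Fixed double-length TDES key, constructed for this example only. A real PIN pad
// does not hold a static key; PCI PIN requires a unique key per transaction (DUKPT),
// which is not shown here.
var tdesKey, _ = hex.DecodeString("0123456789ABCDEFFEDCBA9876543210")

func allDigits(s string) bool { return strings.Trim(s, "0123456789") == "" }

// panField: ISO 9564-1 format 0 PAN field, four zero nibbles plus the rightmost
// twelve PAN digits excluding the Luhn check digit.
func panField(pan string) ([]byte, error) {
	if len(pan) < 13 || !allDigits(pan) {
		return nil, errors.New("PAN must be at least 13 digits")
	}
	return hex.DecodeString("0000" + pan[len(pan)-13:len(pan)-1])
}

// buildISO0PINBlock forms the clear format 0 block inside the PIN pad: nibbles 0,
// PIN length, PIN digits, 'F' padding, XORed with the PAN field so the same PIN
// yields a different block for every card.
func buildISO0PINBlock(pin, pan string) ([]byte, error) {
	if len(pin) < 4 || len(pin) > 12 || !allDigits(pin) {
		return nil, errors.New("PIN must be 4 to 12 digits")
	}
	pf := fmt.Sprintf("0%X%s", len(pin), pin)
	block, err := hex.DecodeString(pf + strings.Repeat("F", 16-len(pf)))
	if err != nil {
		return nil, err
	}
	pan8, err := panField(pan)
	if err != nil {
		return nil, err
	}
	for i := range block {
		block[i] ^= pan8[i]
	}
	return block, nil
}

// tdesCipher expands K1||K2 to the K1||K2||K1 layout crypto/des expects.
func tdesCipher(key16 []byte) (cipher.Block, error) {
	if len(key16) != 16 {
		return nil, errors.New("double-length TDES key must be 16 bytes")
	}
	return des.NewTripleDESCipher(append(append([]byte{}, key16...), key16[:8]...))
}

// EncryptPINAtTerminal is the PIN pad side: the clear block never leaves the device;
// only this single TDES-enciphered 8-byte block crosses the store network (one
// cipher block, so no chaining mode or IV is involved).
func EncryptPINAtTerminal(pin, pan string, key16 []byte) ([]byte, error) {
	clear, err := buildISO0PINBlock(pin, pan)
	if err != nil {
		return nil, err
	}
	c, err := tdesCipher(key16)
	if err != nil {
		return nil, err
	}
	enc := make([]byte, 8)
	c.Encrypt(enc, clear)
	return enc, nil
}

// DecryptPINAtHost is the host side, shown decrypting only to demonstrate the round
// trip (a production HSM would translate the block to the next zone key instead).
// A wrong key or wrong PAN surfaces as a format failure, not a plausible PIN.
func DecryptPINAtHost(encBlock []byte, pan string, key16 []byte) (string, error) {
	c, err := tdesCipher(key16)
	if err != nil || len(encBlock) != 8 {
		return "", errors.New("need a 16-byte key and an 8-byte block")
	}
	pan8, err := panField(pan)
	if err != nil {
		return "", err
	}
	clear := make([]byte, 8)
	c.Decrypt(clear, encBlock)
	for i := range clear {
		clear[i] ^= pan8[i]
	}
	h := strings.ToUpper(hex.EncodeToString(clear))
	n, _ := strconv.ParseInt(h[1:2], 16, 0)
	if h[0] != '0' || n < 4 || n > 12 || !allDigits(h[2:2+n]) || strings.Trim(h[2+n:], "F") != "" {
		return "", errors.New("not a valid format 0 PIN block (wrong key or PAN?)")
	}
	return h[2 : 2+n], nil
}

func main() {
	pan := "4111111111111111" // constructed test PAN, not a real card
	enc, _ := EncryptPINAtTerminal("1234", pan, tdesKey)
	pin, err := DecryptPINAtHost(enc, pan, tdesKey)
	fmt.Printf("on the wire: %X; host recovered PIN %q (err=%v)\n", enc, pin, err)
}
```

Two properties matter for the breach scenario: nothing on the store network between pad and host ever sees the clear block, and because the PAN is folded into the block, a captured ciphertext cannot be replayed against a different card or decoded without the matching PAN and key.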

Family Dollar, Matthews, N.C., which operates 6,500 stores nationally, announced in April that it will deploy the VeriShield Protect system in conjunction with VeriFone's MX830 payment terminals. The system “ensures that our stores do not store or transmit any consumer card account data that could be compromised,” said Josh Jewett, chief information officer, Family Dollar, in a statement.

Wakefield said the cost of the service for a 100-store chain is under $2,000 per store, plus a per-transaction fee that is less than a penny.

Military-Style Measures
In addition to securing card data in transit, Hannaford has taken a number of other steps to beef up security. It has partnered with a slew of technology vendors, including General Dynamics, Cisco, IBM and Microsoft to apply measures “borrowed from the military and industry for the retail environment,” said Eleazer. The overall investment, aimed at making Hannaford “a leader” in providing a secure shopping environment, “will be counted in the millions of dollars.”

“The security bar gets raised all of the time,” she noted. “Security is not a point in time or a single event. It's an ever-escalating threshold and a continuous process.”

Among Hannaford's other security measures:

  • It has installed a 24-by-7 security monitoring and intrusion detection service managed by IBM that provides “real-time alerts on intrusive traffic,” said Eleazer. The aim is to shorten the gap between the start of a breach and its discovery by the chain. When Hannaford discovered its breach in February, through consumer fraud traced back to it, the intrusion had been under way since December.
  • The chain is installing a Network Intrusion Prevention System, which will be followed by the installation of a Host Intrusion Prevention System.
  • The chain has committed to launch a “holistic” information security management system based on ISO 27001 standards. “We have convened a governance group and are actively in the process of applying those standards to our network security,” Eleazer said. “ISO standards are more about the process around network security than about software fixes.”

Hannaford's network includes not only its transaction network but “wherever customer data resides,” such as its website and pharmacy system, she noted. “When we look at ISO, we're looking at our networks and computer systems broadly and holistically to make sure we have the appropriate firewalls, segmentation and intrusion detection — both at retail and at corporate headquarters.”

Hannaford established a customer service line to receive calls about the breach. These days, “we get a couple of calls here and there,” said Eleazer. “Overall, we have found customers to be incredibly understanding and supportive. It's a tribute to the relationship our managers and associates have with our customers.” Sales “remain within our expectations.”

Prior to the discovery of the breach, Hannaford had been certified as PCI-compliant in February of 2007 and 2008. However, the breach caused the chain to immediately lose its certification. “We're working now to be recertified as PCI-compliant,” said Eleazer.

The PCI Security Standards Council, Wakefield, Mass., which oversees the PCI standards, has moved since March to strengthen them, though it declines to say whether it is reacting specifically to the Hannaford breach.

For example, it has announced plans to roll out a new version of the PCI standards — PCI DSS version 1.2 — in October, in part to “address new and evolving risks and threats,” according to a statement from the council. The changes, while “not dramatic, will take into account feedback from the retail community, including food retailers,” said Ella Nevill, a spokeswoman for the organization.

In April, the council announced the availability of two “information supplements” for the current standards. One addresses “penetration testing,” the practice of probing networks and applications for exploitable weaknesses to confirm they can withstand an outside intrusion.

Also in April, the council announced the release of version 1.1 of the Payment Application Data Security Standard (PA-DSS), and it plans to publish a list of validated applications in September. These are the applications that store, process or transmit cardholder data as part of authorization or settlement.

PCI security standards are still considered inadequate in some quarters. “PCI compliance is part of the process, but it doesn't guarantee you're safe,” said Dave Hogan, CIO for the National Retail Federation.

Hogan would like to see the credit card industry go well beyond PCI standards, including the development of a “more secure payment method.” One example is the chip-and-PIN system used with credit cards in the United Kingdom, or at a minimum the use of a PIN with credit card payments.

In the Hannaford breach, signature-based debit cards were affected but PINs were never exposed.

July 2010: the deadline for using terminals deemed PCI PED- or Visa PED-compliant.
Source: MasterCard