An analyst says that it will be important to find out whether the supermarket chain was PCI-compliant.

In the wake of a security breach involving the theft of more than 2,000
credit card numbers, Hannaford Bros. officials March 18 worked to ease the
concerns of customers who may have been victimized.
The supermarket chain, which is based in Scarborough, Maine, and runs stores
in New England and New York as well as Sweetbay supermarkets in Florida,
posted a letter on its Web site from CEO Ron Hodge saying that the company's
systems are among the most secure in the industry. Hodge also said that while
credit and debit card numbers and expiration dates were stolen, no personal
information, such as names and addresses, was taken.
Hodge said the data was illegally taken during the transmission of credit
card authorizations.
However, the breach raises the question of what security measures were used
by Hannaford, and whether the retail chain was compliant with credit card data
security standards established by the Payment Card Industry (PCI) Security
Standards Council.
Hannaford, which has set up a special team to deal with the investigation of
and fallout from the breach, did not reply to a request for comment from eWEEK.
One analyst said it will be important to learn what security measures the
supermarket chain had in place.
Steve Rowen, an analyst with RSR Research, said that if Hannaford was
PCI-compliant during the period in which the breach occurred (officials
reportedly have said they discovered the breach Feb. 27), it could have
implications for data encryption in general and PCI standards in particular.
“At first glance, it would appear that Hannaford is just another example of
a retailer who adopted the wait-and-see attitude typical of so many retailers
we've surveyed over the past years,” Rowen said. “But there are key
reasons to believe that the Hannaford breach was different. Hannaford
CEO Ron Hodge's statement included the perfunctory mention that the company
believed its protection methods to be strong.”
Rowen pointed to news reports in the Boston Globe indicating that Hannaford
was compliant with key industry standards, which he said makes it all the more
important to establish whether Hannaford was in fact PCI-compliant.
“If that does, indeed, prove true, this breach could take on an entirely
different meaning for the retail industry,” he said.
Glenn Boyet, director of marketing and communications for the PCI Security
Standards Council, said the council sets standards but does not certify or
track companies to ensure compliance.
A spokesperson for credit card issuer MasterCard said MasterCard monitors
PCI compliance based on regular reports from acquiring bank customers but does
not publicly comment on the reports or comment on compliance status.
Rowen said PCI compliance is simply evidence that a retailer has put the
expected business tools in place to protect customer information; by itself it
does not guarantee against breaches like the one at Hannaford.
“It will likely be some time before we find out, but Hannaford may well be
the first of the ‘good guys’ taking a proactive customer data security stance
to be truly victimized,” Rowen said.
In his letter, Hodge said Hannaford is working with card issuers to ensure
those customers impacted are protected.
“We also alerted law enforcement authorities and are working closely with
them to help identify those responsible,” he said. “We realize this incident
may raise concerns and questions for our customers, and we sincerely regret any
inconvenience this attack on our system may cause you.”
Dan Berthiaume covers the retail space for eWEEK.