Shedding Light on PCI Compliance

The Hannaford Bros. breach shows once again that consumers deserve to know which retailers are in line with Payment Card Industry standards.

One of the most pressing questions in the wake of the Hannaford Bros. credit card data breach is whether the supermarket chain was in compliance with the Payment Card Industry Data Security Standard, a multifaceted security standard that includes requirements for security management, policies, procedures, network architecture, software design and other critical protective measures.

If the retailer was PCI-compliant, that holds potential implications for the effectiveness of PCI itself. If Hannaford was not PCI-compliant, then consumers whose data was exposed will rightly wonder why the protocols were not followed.

A class-action suit filed March 19 on behalf of affected consumers by law firm Berger & Montague makes the answer to questions about Hannaford's PCI compliance even more critical.

However, there is one catch to ascertaining the status of Hannaford's PCI compliance at the time of the breach. There is no central body that certifies, tracks or reports retailers' PCI compliance efforts.


The PCI Security Standards Council, a global forum founded by American Express, Discover Financial Services, JCB, MasterCard Worldwide, and Visa International, sets standards but does not certify or enforce them. And the major credit card companies, which rely on reports from acquiring banks to determine who is following PCI protocols, do not make that information public.

Something is amiss here. Consumer concerns over the security measures (or lack thereof) protecting their sensitive personal information have never been higher. It appears that having some type of public certification for PCI-compliant retailers would go a long way toward easing some of those legitimate concerns and would benefit the retailers and credit card companies involved.

To some extent, this may be a classic situation where a need exists but there is no obvious candidate to fill it. The PCI Security Standards Council lacks the resources to serve as a true enforcement body. The retail industry, already overloaded with an endless variety of councils and forums that manage a plethora of standards, is likely not anxious to create a new standards organization. The credit card companies have already made the effort to create the PCI Security Standards Council, and the less said about asking the government to step in, the better.