Grocery retailer Hannaford recently experienced a security breach in which around 4 million credit card numbers were lost, with some 2000 cases of fraud already suspected. Lots of people are up in arms about this and two lawsuits have already been filed. As someone who works in the security industry I was rather amused at the comments about how "troubling this is because Hannaford was PCI compliant".
PCI compliance is based on a standard created by a consortium of card companies that requires merchants handling credit card data to adhere to certain security standards and guidelines. PCI details are here. While PCI is a step in the right direction, it does not "make someone safe from breach". It has some pretty generic wording like "must have a firewall installed and maintained". What type of firewall? What does maintained mean? What if there are no rules in the firewall to block data? What should I be logging? What if I'm using anti-virus software but it sucks? PCI doesn't cover that sort of stuff. Nor does it cover patching and hardening of computer systems, which appears to be the cause of this recent breach (malware placed on PCs stole the data).
The best defense is to be diligent and limit your credit card usage. However, there will always be cases like this where there is not much you – the consumer – can do about it. Not using charge cards is not really an option, and any time you use them puts you at risk. But then again, so does driving a car, swimming in the ocean, or living in tornado, hurricane or earthquake prone areas. Sometimes we just accept certain risks and move on with our lives. I know for my part, whenever I am working at a company I take my security role seriously and think – what if I were a customer or client of this company, and how would I want them to protect my data?