Homa called a news conference to detail some of those planned security improvements, including Triple DES PIN encryption ("customer card information is now encrypted from the PINpad at the store register and remains encrypted while it's in our own internal network"), host and network intrusion prevention systems ("to proactively prevent malware from being installed in our systems") and better payment segmentation.
He also—inexplicably—used the news conference to announce that Hannaford was "the first retailer in Maine" to have a Cisco Certified Internetwork Expert (CCIE) on the payroll. Wonder if they'll call another news conference if that employee leaves?
The intrusion tracking system is something Hannaford has turned over to IBM, and Homa detailed what his concerns were. "One of the learnings of the breach is that we don't have enough eyes and hands to watch all the false positive intrusions that happen in a vast network. You have millions and millions of people pinging your IP address," he said. "So we decided to turn that over to IBM and (have them) report back to us when we have something to investigate."
Beyond IBM, Homa said vendors that his team is working with on the security upgrades include General Dynamics, Cisco and Microsoft. He also confirmed that their PCI assessor is Verizon Business Services (formerly Cybertrust), which was also the initial assessor of TJX.
The encryption upgrades at POS will take another two to three months to complete, Homa said. "In many cases, we're replacing equipment that is perfectly good except that it's been obsoleted by the requirement for additional security," he said.
The host intrusion prevention system (HIPS) has not yet been awarded ("we're in the middle of picking a software vendor") so "it will probably be the end of the year before we have that fully implemented in all of our stores."
They are also implementing ISO 27001 processes, which Homa estimated would take "a year to 18 months before it's fully implemented."
He wouldn't put a figure on the estimated cost beyond his earlier comment that it would run into the millions but "not tens of millions," other than to say that HIPS could cost "as much as $5,000 per store, so it starts to add up."
Other new details that cropped up during the call or shortly before:
Even though many E-commerce sites ask for the CVV, they are really asking for the CVV-2 if it's a Visa card, the CID for American Express and the CVC2 for MasterCard. No matter. The magic number that E-tailers ask for—no matter what it's called—wasn't taken, Eleazer said this week.