PCI Safe Harbor? In Your Dreams, Breach Boy

If there's one thing that can be said about CFOs, they love their absolutes. (No, not the vodka. Well, not for all of them, at least.) They love absolute assurances that if they do X-and-Y, they'll be protected against Z.

They like to buy liability insurance, buying into the line that shareholder assets will then be safe no matter what that boneheaded new Operations VP does in a year. They like Poison Pill plans, believing their lawyers that it will prevent them from ever being taken over.

And, most recently, they are simply ga-ga for those who say that a PCI compliance letter means they are in a magical safe harbor, where they can do anything with their security that they want and be utterly immune from liability.

Like the embassy staffer who commits violent crimes behind the diplomatic immunity shield, only to find his government turning him over to the home country, there is hardly any absolute immunity, certainly not when it comes to retail security and the U.S. legal system.

This is becoming an issue because of the continuing fallout from the Hannaford breach of 4.2 million payment cards and the merchant's position—apparently buttressed by copies of a sanitized PCI compliance report that it's taken to showing people—that it was PCI compliant at the time of the breach.

Setting aside the arguments we made last week about what PCI compliance does—and, more importantly, doesn't—mean, this issue involves whether PCI compliance shields a retailer—puts them into a legal "safe harbor"—as to any losses that result from that breach. Some media reports—such as this one from Computerworld--are suggesting that a PCI compliant letter is indeed some Superman shield against lawsuit kryptonite.

The truth is that such safe harbors don't exist. Clearly, a retailer defending against data breach costs would rather have a PCI compliant certificate than not. And TJX—which was about as non-compliant as a merchant could get—fared quite well in its legal battles, even reversing a Visa fine.

But PCI compliance merely refers to one point in time. For most Level Ones, that's a brief point in time once a year. Do those CFOs actually believe that they can take a PCI compliance letter, frame it and stick it on their wall and then have cart blanche for 10 months to engage in whatever reckless security move they feel like, utterly immune from any resulting damages?

In the Hannaford case, much is still unknown. What if it's established—and I should stress that I have seen absolutely nothing to indicate this is the case—that the PCI assessment was performed improperly? What if the assessment was performed properly, but Hannaford answered the questions in an incomplete, misleading or otherwise erroneous way?

Let's take it to the next step. Assuming that the assessment was done properly and that—for the sake of discussion—Hannaford was truly compliant with the letter and the intent of PCI at the time of its assessment, what if Hannaford officials started violating PCI procedures an hour after the assessment was completed? What if one of those PCI aberrations was a direct cause of the breach? Should those officials still be held blameless, merely because they were technically PCI compliant?

Here's where things get really interesting. Let's say that, theoretically, Hannaford complied with PCI by encrypting data when it was being transmitted over the Internet but what if the data was accessed as it was moved--unencrypted—through an internal network, which was one of the problems with TJX. Officially, that particular act was not in violation of PCI requirements, but if it was the cause of the breach, should Hannaford officials in that scenario be held blameless? What if hypothetically many retail security experts testified that the conduct was reckless, even though it was not forbidden by PCI? Are CFOs to believe they will be held blameless regardless of whatever facts are established?

PCI compliance shouldn't—and, in my opinion, likely won't—provide this absolute legal protection being touted. The intent was always that if a retailer could establish that they consistently did everything they could have done—and should have done—properly in terms of data protection, that they would then have their liability severely limited. That makes sense. But to project that on a once-a-year declaration of compliance from one assessor based on fragmentary examination of a single point-in-time—working with an imperfect list of interpretable guidelines—is little more than ludicrous.

In short, rely on this safe harbor promise and you might find your safe battleship is named Titanic.