What Did Hannaford Know And When Did It Know It?

Shortly after reports surfaced that the Hannaford grocery chain had been PCI compliant at the time of its data breach, the Web began crawling with people questioning the value of PCI, even as the confusing preliminary details of the breach were still being sorted out.

As one who has frequently used this column to point out the many flaws within PCI, please allow me to stand up and say to those PCI critics: What planet are you from that tolerates only perfect security systems?

Do they conclude from one successful burglary of a house protected by a top-notch burglar alarm and high-security deadbolts that burglar alarms and deadbolts are worthless? The fact is that burglars are sometimes professional and they can get around perfectly legitimate security devices.

That all said, this incident does allow me to bring up two PCI truths. The first is that a retailer with PCI compliance certainly does not automatically morph into a secure retailer. The checklist approach to security is better than nothing—which is what far too many retailers used to have—but it's not ideal. It's little more than a decent starting point.

The other issue the Hannaford breach brings up is something slightly more nuanced. Was Hannaford PCI compliant—meaning that their operations were completely in concert with the PCI requirements—at the time of the breach or merely certified compliant?

That question can be broken down into two further levels. An assessment—or even a true audit such as a SAS 70 Type II probe—is only looking at a snapshot in time, specifically the point in time at which the assessment is taking place. There's nothing to guarantee that the retailer—with a software upgrade or some other change made a day later—wouldn't become non-compliant.

So the first level is that it's only a snapshot. The second level is "did the assessor do a good and thorough job?" The assessment could be flawed because of—dare I say it—incompetence on the part of the assessor, or because the retailer chooses not to answer certain questions fully or not to be candid about what is being shown and what is being accessed.

There's also a lot of politics and conflicts of interest involved. If the assessor company is in the middle of a huge security sale to that retailer at the time, might they be more lenient? Likewise, might the processor or card brand be more or less strict depending on other business considerations?

The bottom line: there are plenty of reasons to remember that a PCI compliant merchant is not necessarily perpetually in line with all of the PCI recommendations. But let's assume a retailer is in line with all of the PCI regs. And let's further assume that such a truly compliant retailer got breached. Does that—and should that—say anything bad about the PCI process itself?

I'd argue that it doesn't. Certainly any process—and PCI is not anywhere close to an exception—can be improved. But PCI, with all its faults, is still better than what existed before, and compliant retailers are just about always much more secure than they had been. Not that they are secure; they are merely more secure than they used to be.

Like the food pyramid analogy that I've made in this column before, the goal of PCI is not to make retailers secure. It's to make them more secure—relatively. It's intended to inch them along to this nirvana—which they'll never reach—where they are truly secure.

Please don't give up on PCI because it's proven to not be a perfect protector. Giving up "pretty good" so that you can mount an impossible search for "absolute" is exactly what every cyberthief in Eastern Europe wants you to do.