PCI May Never Stop Hackers: Time to Rethink Security | News | RIS News: Business/Technology Insights for Retail, Supermarket Executives
This is an article from March of this year that was published in RIS news. I realize it’s a little old, but I just stumbled across it…
This article, in my opinion, is both good and bad. First of all, it points out that PCI is not the end-all-be-all for security.
That’s good. It’s important for retailers to understand that PCI is just a ‘snapshot in time’ check on credit-card-relevant security. It isn’t a ‘complete’ security certification and doesn’t cover absolutely everything that a retail organization needs to worry about regarding its environment.
This is really important: just because you were PCI-compliant at the time of your last scan doesn’t mean that you are compliant now, and it doesn’t mean that your environment isn’t vulnerable in some manner outside the scope of PCI.
Where this article is not so good (at least in my opinion) is the quote from the NRF exec: ‘Hannaford was PCI compliant at the time of the data breach. The bottom line is that this retailer did all it could to protect its customers.’
Since the breach, Hannaford has been investing in what is termed ‘military grade’ security. That means it hadn’t done ‘all it could do to protect its customers.’ I’m not blaming Hannaford for not investing in a level of technology that was seemingly uncalled for; I’m just saying that the NRF executive positioning a PCI-compliant stamp as the final word in security isn’t really accurate.
I realize that it’s NRF’s job to support and position for retailers, and the real message of this article is the idea of ‘misplaced’ liability and exposure: if Hannaford was PCI-compliant and was breached anyway, how can Visa, MasterCard and the courts hold Hannaford responsible for the situation?
Truthfully, I don’t know what to think about that part of it. They did what was asked of them and it didn’t work, so who should be left holding the bag? I really need to dig into this more deeply, and into the entire Hannaford situation. I’ve spoken to Bill Homa a few times over the years and he’s a very, very intelligent CIO. I want to understand better what constituted ‘PCI compliance’, how that was scanned/determined, and how it was presented to Hannaford: was it presented as a complete security scan, or what…