StorefrontBacktalk - Bill Homa (Hannaford) interview
I’m late here, but another very good article from StorefrontBacktalk regarding the Hannaford breach and the reaction from Bill Homa.
StorefrontBacktalk - Former Hannaford CIO: Avoid Microsoft And Change PCIs Encryption Rules.
I think this one paragraph is particularly interesting:
As for the oft-repeated song that Hannaford was breached while PCI compliant indicates some sort of a PCI indictment, Homa said it comes down to two things: “Either the standards weren’t strong enough or the assessor wasn’t doing his job.”
I think this is an interesting statement for a couple of reasons - first of all because PCI isn’t the end-all-be-all of retail information security, it’s the starting point.
PCI isn’t the all-encompassing security standard that protects your environment, it’s the security standard that mandates best practices as applied to your credit card/transaction data. Yes, it’s highly invasive and it can be very expensive to invest money in the technology, in the process changes, and in the appropriate internal controls, but it’s NOT the end of security in retail.
It’s also a changing standard, but one that changes less quickly than the threats it is designed to mitigate. Sadly, there are a lot of smart people out there trying to figure out ways of stealing credit card information and new threats are constantly showing up. PCI can’t change quickly enough to deal with all of those threats, but a comprehensive security approach that incorporates the need to change and adapt can go a long way to helping to protect your information (including credit card data).
There’s also the point of the assessor not doing their job. Here is a sad fact of the PCI-compliance ‘industry’ - most of the cheap, fully-automated scanning vendors out there are not doing their job. In my opinion, their job is to help their clients become secure and to perform their work with the intention of the standards in mind, not trying to approach this as ‘how little can we do and still pass our client.’
There are lots of scanning vendors out in the market looking to provide cheap, easy PCI-compliance. What retailers of all sizes need to understand is that PCI isn’t cheap and it isn’t easy. Although, to contradict myself within the space of two sentences - doing it right actually IS cheap when compared to a well-published, highly public breach.
True security (and with it, PCI-compliance) is addressed by looking holistically at your environment, by involving third parties (like the acquiring bank and card processing companies), by utilizing an approach that takes advantage of automated scanning (of course), but does so on multiple levels within an environment.
It involves business conversations regarding how your current processes work and how new ones may be needed (and how those new processes can be crafted to work effectively in your environment and culture). It involves manual work - experienced professionals checking false positives and analyzing the results of reports to understand the true situation at hand.
I guess what this rant comes down to for me is this - PCI isn’t the silver bullet. PCI is something that you have to do, but if you stop thinking ‘what do I have to do for PCI’, and instead start looking at ‘What do I have to do to keep my data secure, and get PCI done, too’, you are going to end up a lot better off.
The problem is, that approach takes an investment in time, the willingness to recognize that you maybe weren’t perfect, and a little more money than working with 1-dimensional vendors. It’s actually a pretty effective investment in the long run…
There’s my two cents worth, anyway.