Hannaford may not have to pay banks' breach costs under PCI, says Gartner
The company says it was in compliance with PCI rules
Computerworld - If Hannaford Bros. Co. was compliant with the Payment Card Industry (PCI) Data Security Standard at the time it was breached, banks and credit unions will have a hard time getting the supermarket chain to pay their breach-related costs, according to a Gartner Inc. analyst.
PCI refers to a set of 12 broad security controls that all entities accepting payment-card transactions are required to follow. The standards are mandated by Visa, MasterCard and other major credit card brands and provide for hefty fines against companies that fail to implement the mandated controls and then suffer breaches. The PCI requirements went into effect about two years ago, though many companies are still not fully compliant.
Scarborough, Maine-based Hannaford has said it was PCI-compliant at the time its data was compromised. It disclosed on March 17 that unknown intruders had broken into its computer networks and stolen credit and debit card information on 4.2 million customers. The company said the thefts appear to have happened during the transaction-authorization stage, which occurs after a payment card has been swiped at a register. The stolen information includes card numbers and expiration dates.
Hannaford spokeswoman Carol Eleazer today said the company was certified as being compliant with PCI as recently as this February. Hannaford had been similarly certified last year, Eleazer said.
If true, Hannaford has a safe harbor under PCI and will not be required to reimburse banks and credit unions for any breach-related costs they may incur, according to information that Gartner analyst Avivah Litan said she has previously received from Visa Inc. Typically under PCI rules, if a company is noncompliant at the time of a breach, it faces two potential costs: fines from the payment-card companies and reimbursement of breach-related costs sustained by card-issuing banks and credit unions. Those costs can include payment of fraud losses resulting from the use of compromised payment-card data, as well as breach notification and the costs associated with reissuing cards.
The fines and the reimbursement costs are not collected directly from the breached entity but through the "acquiring bank" that authorizes a company such as Hannaford to accept payment-card transactions. Under PCI rules, it is these acquiring banks that are directly responsible for ensuring that their merchants are PCI-compliant.
In Hannaford's case, while its acquiring bank may still get hit with a fine, "the buck stops there," Litan said. "Under the guidance Visa gave me, the acquiring bank wouldn't be able to take it back to the retailer," she said.
The issue of costs associated with breaches is becoming an increasingly prickly one in the payment-card industry. Credit unions and smaller banks, in particular, have been fretting for some time over the costs they have had to bear because of retail data compromises. In the past, they have said such costs can be as high as $20 to $30 for each card they replace after a data compromise.