Hannafords: there's no excuse

Here we go again. Over the last 12 months my family has had to replace two of the four credit cards in our wallets thanks to security breaches by retailers who can't seem to follow the rules. Now we're about to replace two more.

Our first problems arose in the wake of the TJX data breach last year. Thanks to Hannaford's announcement yesterday of its own security breach, it looks like we may need to replace two more. Because many consumers use Visa and MasterCard debit cards in grocery stores, the effect of the Hannaford breach could be much worse for consumers than the TJX break-in.

What is it about the Payment Card Industry Security Council's security requirements that these companies don't understand? The 12 basic rules for retailers who accept credit and debit cards, known as the PCI Security Standard, have been in place since 2006. There's nothing exotic here. These are common sense security practices that the industry should have been following for years, but hasn't. When is this industry going to wake up?

TJX broke commandment number three: Thou shalt protect stored cardholder data. The result: 45.6 million card numbers and associated information stolen, including mine. Apparently, the stolen data included some personal identity information that never should have been stored in the first place. The cost: $150 million to settle a class action lawsuit plus other undisclosed costs associated with remedying the problem within TJX and with the business partners and banks who lost money issuing new cards and cleaning up the mess.
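What "protect stored cardholder data" means at the point where a retailer's system decides what to keep from a card swipe, as an added example that is not from this column or from any retailer's code: sensitive authentication data (CVV2, full magnetic-stripe track data, PIN blocks) is dropped before anything is written, the PAN is kept only truncated and as a keyed token, and an audit helper refuses records that still carry a full PAN or track data. The swipe record, the field names and the token key are constructed for illustration; a real deployment would keep that key in an HSM or secrets manager, never beside the transaction database.

```python
import base64
import hashlib
import hmac
import re

# Sensitive authentication data: PCI DSS forbids storing these after
# authorization, even encrypted. Field names are this example's own.
SENSITIVE_AUTH_FIELDS = ("cvv2", "track1", "track2", "pin_block")

# Constructed placeholder key for the example; not a real secret.
TOKEN_KEY = b"example-only-key-not-for-production"

# Constructed swipe record; 4111 1111 1111 1111 is the classic Visa test PAN.
SAMPLE_SWIPE = {
    "pan": "4111 1111 1111 1111",
    "expiry": "12/09",
    "name": "A. SHOPPER",
    "cvv2": "123",
    "track2": ";4111111111111111=0912101?",
}


def luhn_ok(pan: str) -> bool:
    """Luhn check digit test used by all major card brands."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """First six and last four digits are the most a receipt or report may show."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def tokenize_pan(pan: str, key: bytes = TOKEN_KEY) -> str:
    """Keyed hash (HMAC-SHA256) so the same card can be matched for refunds
    or fraud analysis without the stored value being usable as a PAN."""
    digest = hmac.new(key, pan.encode(), hashlib.sha256).digest()
    return base64.b64encode(digest).decode().rstrip("=")


def storable_record(swipe: dict, txn_id: str) -> dict:
    """Reduce a raw swipe to the only fields a merchant may keep once the
    issuer has authorized the transaction. Everything in
    SENSITIVE_AUTH_FIELDS is simply not copied."""
    pan = re.sub(r"\D", "", swipe["pan"])
    if not 13 <= len(pan) <= 19 or not luhn_ok(pan):
        raise ValueError("not a plausible PAN")
    return {
        "txn_id": txn_id,
        "pan_masked": mask_pan(pan),
        "pan_token": tokenize_pan(pan),
        "expiry": swipe["expiry"],
        "cardholder": swipe.get("name", ""),
    }


# Magnetic-stripe track sentinels (%B...^ for track 1, ;...= for track 2)
# and 13-19 digit runs, optionally separated by single spaces or dashes.
_TRACK_DATA = re.compile(r"%B\d{13,19}\^|;\d{13,19}=")
_DIGIT_RUN = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def prohibited_data_in(record: dict) -> list:
    """Audit helper for a write path: name every field that must never be
    persisted and every field whose value still looks like a full PAN or
    track data, so the write can be refused and the event logged."""
    findings = []
    for field, value in record.items():
        if field in SENSITIVE_AUTH_FIELDS:
            findings.append(f"{field}: sensitive authentication data")
            continue
        text = str(value)
        if _TRACK_DATA.search(text):
            findings.append(f"{field}: contains track data")
        for run in _DIGIT_RUN.findall(text):
            digits = re.sub(r"\D", "", run)
            if luhn_ok(digits):
                findings.append(f"{field}: contains full PAN {mask_pan(digits)}")
    return findings


if __name__ == "__main__":
    print("raw swipe problems:", prohibited_data_in(SAMPLE_SWIPE))
    kept = storable_record(SAMPLE_SWIPE, "txn-0001")
    print("stored record:", kept)
    print("stored record problems:", prohibited_data_in(kept))
```

Running the block shows the raw swipe flagged three times (full PAN, CVV2, track 2) while the reduced record passes clean; the audit helper is the piece worth wiring into every database write and log call, since the stored personal data the column describes is exactly what such a check exists to catch.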

You would think that incident would have served as a wake-up call, and that the enormous cost to TJX would have sent other retailers scrambling to meet the PCI's basic security requirements. Apparently not.

Now it appears that Hannaford broke the fourth commandment: Thou shalt encrypt transmission of cardholder data. According to a Computerworld news story, as many as 4.2 million credit and debit card numbers and expiration dates were stolen while being transmitted, resulting in some 1,800 fraudulent transactions since late December. If the trajectory of this story follows that of the TJX episode, that's probably just the start of the bad news.

The two cards we use regularly at Hannaford are MasterCard debit cards. Because so many people use Visa and MasterCard debit cards to buy groceries, this data breach could create much bigger headaches for affected consumers. With a credit card you can challenge a transaction and you're not responsible for it. But a breach on a debit card can temporarily freeze access to funds in your checking account while the bank, card processor and retailer sort things out. To get things straightened out, you'll need to come into the bank and file a "dispute resolution form." While some banks will issue "provisional credit" at this point to cover the amount the fraudulent transactions drained from your account, it's possible that your money can be tied up for days, or possibly weeks. Now is a good time to check your bank's policy.

If your card is among those possibly compromised, the smart thing to do is demand a new card right away. Because it costs them money to reissue a card, many banks will try to talk you out of it, saying that they can monitor your account for inappropriate activity and let you know if something goes awry. But by that time it's too late. Your financial life is disrupted.

For us, cancelling a card is also disruptive because our bank takes two weeks to issue a new one. While our bank uses an external credit card processor to issue its cards, the local credit union cuts its own cards. When I cancelled my Visa card last year after receiving notification that my card might be affected by the TJX scandal, I had a new card the same day. (Yet another benefit to keeping your banking local.) What does your bank do? Maybe it's time to check.

This time around, and with so many debit cards at risk, many consumers who receive "the letter" may not follow the banks' advice and wait around to see if fraudulent transactions actually appear. And why should they absorb that risk because a retailer had sloppy security practices? The consumer's one avenue of protest is to demand a new card up front. Indeed, if every consumer whose card data was put at risk by doing business at Hannaford demanded a new card, the financial pressure for change would be enormous. In this recalcitrant industry, that may be the only sure path to change.


Copyright © 2008 IDG Communications, Inc.
