New Credit Card Breach Will Test PCI - InformationWeek

InformationWeek is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Software // Information Management
10:58 AM
Connect Directly

New Credit Card Breach Will Test PCI

The latest exposure of more than 4 million credit and debit card numbers may strain the validity and stability of the credit card industry's controversial security rules.

The latest exposure of more than 4 million credit and debit card numbers may strain the validity and stability of the credit card industry's controversial security rules.Yesterday the Hannaford Bros. grocery chain announced that more than 4 million customer credit and debit card account numbers were exposed. Hannaford Bros. also happens to be in compliance with the credit card industry's security rules. (Scroll to the bottom to read the PCI compliance statement.)

The Payment Card Industry Data Security Standards (PCI DSS) were put in place by the major card brands -- including Visa and MasterCard -- to ensure that retailers take sufficient steps to protect customer card data.

The card brands, particularly Visa, have a vested interest in demonstrating that PCI makes customer card data more secure. If a PCI-compliant retailer still gets breached, that's a lot of egg on Visa's face.

So what happens next?

First, the card brands will likely conduct an investigation to determine if the retailer was compliant at the time of the breach. As I wrote in a recent cover story, the PCI standards are vague enough that the card brands can probably find enough cause to determine that Hannaford Bros. was, in fact, noncompliant at the time of the breach.

The penalties for noncompliance are significant. The card brands can fine the retailer, and raise the transaction fees levied for each credit or debit card transaction.

A finding of noncompliance also will be potent ammunition for the inevitable lawsuits that will likely emerge.

One plaintiff is likely to be the banks that issued the cards to consumers. These banks eat any fraudulent charges made on the cards, and may have to cancel existing accounts and reissue new cards. So far, 1,800 fraud cases have been reported in connection with the breach.

This wouldn't be the first time banks sued a retailer. It's exactly what happened in the TJX case: a group of banks in the Northeast sued TJX and then settled. TJX also has settled separate class-action suits brought on behalf of consumers -- and promised to have a one-day sale as part of the settlement.

And here's another wrinkle. If Hannaford Bros. is a Level-1 merchant, it had to undergo an assessment by a third party to determine PCI compliance. If the card brands rule that Hannaford is noncompliant, will Hannaford sue its assessor? If so, that could have a chilling effect on other assessors and throw a monkey wrench into the PCI compliance process.

We'll follow the story as it develops. Stay tuned.

We welcome your comments on this topic on our social media channels, or [contact us directly] with questions about the site.
Comment  | 
Print  | 
More Insights
InformationWeek Is Getting an Upgrade!

Find out more about our plans to improve the look, functionality, and performance of the InformationWeek site in the coming months.

11 Things IT Professionals Wish They Knew Earlier in Their Careers
Lisa Morgan, Freelance Writer,  4/6/2021
Time to Shift Your Job Search Out of Neutral
Jessica Davis, Senior Editor, Enterprise Apps,  3/31/2021
Does Identity Hinder Hybrid-Cloud and Multi-Cloud Adoption?
Joao-Pierre S. Ruth, Senior Writer,  4/1/2021
White Papers
Register for InformationWeek Newsletters
Current Issue
Successful Strategies for Digital Transformation
Download this report to learn about the latest technologies and best practices or ensuring a successful transition from outdated business transformation tactics.
Flash Poll