As we all saw, the New England supermarket chain Hannaford Bros. recently discovered a potential breach of 4.2 million credit card records, despite the fact that they had been told they were PCI compliant. According to this WSJ article, the data was exposed while being transmitted over the (unencrypted) internal network. Anyone familiar with the PCI Standard is aware that it provides explicit instruction to “encrypt transmission of cardholder data across open, public networks,” and that control measure was in place.
So what went wrong? Did they do what was necessary to really ensure compliance? Is there a problem with how compliance is being measured, which may lull an organization into thinking they are protecting cardholder data when in fact controls are weak or lacking?
We would argue that Hannaford Bros. fell into the same trap that many organizations fall into. How would you propose these organizations ensure their compliance with the PCI Standard? What, if anything, is missing?