Protecting yourself

PCI compliance not enough to end breaches

Emily Crone

A credit card industry group, the Payment Card Industry Security Standards Council, or PCI, exists to manage data protection standards. It is on the credit card brands to enforce them and issue fines and penalties, however, as each credit card company has its own compliance program. Some PCI standards include encryption or masking of customer data, updated antivirus software, use of firewalls and restriction of access to card data.

Unfortunately, some retailers who do comply with PCI standards still fall victim to data breaches, the Wall Street Journal reports.

How is this possible?
Glenn Boyet, director of marketing and communications for the PCI standards council, says there is an important difference between PCI compliance and validation. “PCI validation is one snapshot in time — an assessor validates that a merchant is compliant at one point in time. But compliance is never-ending,” he says. “The moment you make a change to your network infrastructure, you could be integrating new problems you didn’t think of. One piece of code could theoretically put you out of compliance.”

Boyet stresses that compliance with PCI standards is not simply a matter of checking off a box and being done with it. “You’re never really done with it. Companies who were breached argue that they were validated at that time, but the breaches could have conceivably come from a change in a code,” he says. “Being validated at one snapshot in time is not the end of the game. Being compliant is about overall data security and having appropriate plans that are always ongoing.”

Going above and beyond
Hannaford Bros., a New England supermarket chain, received a certificate of compliance from PCI in February. On the same day the certificate was received, the company’s credit card processor informed the company that the data for 4.2 million cards may have been stolen. Stolen credit card data often leads to identity theft and fraud.

“PCI is a good place to start but retailers are going to have to go above and beyond PCI,” Bill Homa, Hannaford’s chief information officer, tells the Journal. Okemo Mountain Resort in Vermont had a data breach in which card data for 50,000 customers was lost — even though the business was compliant with PCI standards. “We did everything we were supposed to do,” the spokeswoman from the resort says.

Additional precautions
Last week, Hannaford announced it was adopting two additional safety precautions not required by PCI: round-the-clock security monitoring and detection service to track all user logins, and a new process that encrypts customer card information starting when the card is swiped at the cash register, “so that data is scrambled all the way to the company’s corporate servers, from where it is sent to the credit card company,” the Journal reports.

That additional encryption is important because in the data breaches at Hannaford and Okemo, “hackers managed to install malicious software into the companies’ private networks to steal credit card information being transmitted to processors for approval,” the Journal reports. Avivah Litan, a security analyst for Gartner Inc., tells the Journal, “This kind of attack would not have been possible if the credit card data had been encrypted.”

Changing standards
PCI’s standards are based on the advice of more than 500 data-security specialists, and PCI General Manager Bob Russo tells the Journal that PCI believes its standards are adequate. PCI is still awaiting the results of the investigations into the breaches at Hannaford and Okemo Resort, however, and will immediately address the need for different standards if necessary.

The one perk of the data breaches is that they are giving PCI insight into how hackers work and teaching it how to upgrade its standards. “In February, PCI required merchants to ensure that PIN pads are tamper proof and their credit card data are rendered useless if they are opened,” the Journal reports. “The requirement follows a theft last year where thieves stole PIN pads from Dutch retailer Royal Ahold NV’s Stop & Shop stores in the Northeast U.S. and accessed customers’ debit-card passwords.”

PCI will introduce new standards on June 30 that involve firewalls, and in September will toughen standards for wireless transmissions, card preauthorization procedures and software applications that handle credit card data, the Journal reports.

According to the Journal, in January, 77 percent of Visa’s largest U.S. merchants were compliant with PCI standards (up from 12 percent in 2006). Only 15 percent of mid-size merchants were compliant in 2006, and 62 percent are compliant now. That still leaves a large gap. If you are concerned for the safety of your credit card information, you should shop at large, trusted merchants, which are more likely to have higher security standards. Smaller merchants and Web sites are often lagging in safety.
