Interestingly, some reporters are digging deeper to explore the implications of a PCI-compliant company suffering a payment card breach: see here.
I think we don’t have all the information so we everybody is engaging in various levels of speculation. However, we do know two facts: (1) compliance with PCI was represented in Hannaford’s privacy policy (last visited 3-21-2008); and (2) there was a breach exposing cardholder data. In my view, here are some of the possibilities (in no particular order of likelihood, and by no means an exclusive list):
(1) the qualified security assessor (QSA) (or internal assessor) may have misinterpreted or loosely interpreted a section of the PCI standard (and the reality was there were security weaknesses);
(2) the PCI compliance may have been old or outdated (e.g. they may have been PCI compliant 9 months ago, but perhaps added new systems that were not secured consistently with PCI);
(3) Hannaford may not have provided all of the information to the QSA (assuming one was used) that it needed to validate its decision (e.g. this could include mistakes in defining which parts of Hannaford’s networks were in-scope/out-of-scope);
(4) Hannaford may have been 100% PCI compliant and reasonably secure in general and just got unlucky (e.g. there is no such thing as 100% perfect security). Under this scenario, Hannaford would argue that it was not negligent because it did all the right things and that unfortunately these things just happen.
(5) Hannaford and/or its QSA may have had a security weakness or questions about an ambiguity and may have had either the PCI Council, its upstream payment processor or its merchant bank give a bad interpretation.
The interesting issue will be, assuming that some sort of negligence is shown, who was/is ultimately responsible? Hannaford? The QSA? A merchant bank that accepted Hannaford’s certification?
Much more to come on this one.
Update: well that was quick. The class actions come flooding in.