IP Spotlight

News from the intersection of intellectual property and business law

  • About IP Spotlight

    IP Spotlight provides news and information that is relevant to individuals who focus on the business aspects of intellectual property. Topics include licensing, due diligence, acquisition, and managing risk associated with patents, trademarks and copyrights.
  • About the Author

    Jim Singer is a partner in the Intellectual Property Practice Group of Pepper Hamilton LLP. Jim's practice focuses on helping businesses, institutional investors, venture capital groups and others identify, protect, maximize value, and reduce risk associated with intellectual property. For more details and contact information, select the "About" tab at the top of this page.

Data Security - How Much Is Enough?

Posted by Jim Singer on March 31, 2008

A recent data security breach at the related Hannaford and Sweetbay grocery chains raised questions about what is required to comply with the PCI standards. To some readers, the questions included: What are the PCI data security standards, and do they have the effect of law?

According to published reports, approximately 4.2 million credit and debit card numbers and expiration dates were illegally accessed. The Boston Globe, among others, reported that this occurred despite the fact that an auditing firm recently found Hannaford to be in compliance with the PCI Data Security Standard (PCI-DSS) for payment account data security.

How did this happen? Although complete details are not yet publicly available (and perhaps not yet known), MIT's Technology Review suggests that the data may have been exposed while the stores transmitted the data to obtain authorization for credit card transactions.

The PCI-DSS is published by the PCI Security Standards Council, an organization founded by American Express, Discover Financial Services, JCB, MasterCard Worldwide and Visa International to develop and deploy security standards for payment account data. The PCI-DSS established 6 principles and 12 accompanying requirements for data security. The requirements include the encryption of cardholder data that travels across open, public networks, as well as regular testing of security systems and processes. The PCI Security Standards Council also defines qualifications and credentials for Qualified Security Assessors and Approved Scanning Vendors.

The PCI-DSS is likely to receive a fair amount of attention this year: states such as Wisconsin, Illinois, Connecticut and Massachusetts have recently considered adopting portions of the PCI data security standard as law, and Minnesota already did so in 2007. A more stringent law passed the California legislature in 2007 but was vetoed by the Governor. An attempt to pass a similar law in Texas also failed last year.
