Credit Security

By Laura Knoy on Monday, March 31, 2008.

Many Hannaford shoppers got a big shock a few weeks ago when the grocery chain acknowledged that hackers had been stealing customers' credit card numbers for several months. This isn't the first such security breach in the state. We'll break down the complex process that begins each time you swipe that card, find out who's in charge of making sure your payment goes where it's supposed to, and look at what the private sector is doing to keep up with hackers.


Hannaford-I'm still shopping with credit

My wife and I have still continued to shop at Hannaford. Since listening to a prior NPR show interviewing Frank Abagnale Jr. (Catch Me If You Can subject), I have been using credit cards over debit cards solely due to liability protection differences. I also review transactions on all my accounts, sometimes more than weekly.

My Discover Card now has an option to select random card numbers linked to my actual number to provide to vendors, particularly online, that carry a one-vendor use lock. This weekend, while ordering tickets at cheapoair.com, I ran into this security measure when cheapoair had to call me because my card was locked. This happened because they were making separate charges to my card under two different merchant numbers (normal for their process), which is not doable under the Discover security parameters.

It would be nice to set up, with regular vendors like Hannaford, a 'back-to-the-past' customer account using these secure numbers tied to one vendor. Then we would just use our customer ID and PIN to pay for the groceries, which would be charged to that credit card account locked for use with this one vendor.

Lisa - Franklin
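The one-vendor lock the comment above runs into, as an added example that is not part of the original page and is not Discover's implementation: a virtual number is bound to the first merchant ID that authorizes against it, and any other merchant ID is declined. The Luhn-formatted 16-digit token, the merchant IDs and the amounts are assumptions made for the demo.

```python
"""Merchant-locked virtual card numbers: a simplified model (added example,
not Discover's code). A virtual number stands in for a real account; the
first merchant ID that authorizes against it becomes the only merchant
allowed to charge it, so a vendor that charges under two merchant IDs is
declined on the second one, which is the situation the comment describes.
"""
import secrets
from dataclasses import dataclass, field
from typing import Optional


def luhn_check_digit(body: str) -> int:
    """Check digit that makes body + digit pass the Luhn check."""
    total = 0
    for i, ch in enumerate(reversed(body)):
        d = int(ch)
        if i % 2 == 0:  # every second digit from the right (after the check digit) is doubled
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return (10 - total % 10) % 10


def luhn_valid(number: str) -> bool:
    return number.isdigit() and len(number) > 1 and luhn_check_digit(number[:-1]) == int(number[-1])


@dataclass
class VirtualNumber:
    real_account: str
    locked_merchant: Optional[str] = None  # set by the first authorization
    charges: list = field(default_factory=list)


class VirtualCardService:
    """Issues virtual numbers and enforces the one-merchant lock."""

    def __init__(self) -> None:
        self._numbers: dict = {}

    def issue(self, real_account: str) -> str:
        # Assumption: a 16-digit, Luhn-valid token with no structure beyond that.
        body = "".join(str(secrets.randbelow(10)) for _ in range(15))
        vnum = body + str(luhn_check_digit(body))
        self._numbers[vnum] = VirtualNumber(real_account)
        return vnum

    def authorize(self, vnum: str, merchant_id: str, amount_cents: int):
        """Return ('approved', real_account) or ('declined', reason)."""
        rec = self._numbers.get(vnum)
        if rec is None:
            return ("declined", "unknown virtual number")
        if amount_cents <= 0:
            return ("declined", "bad amount")
        if rec.locked_merchant is None:
            rec.locked_merchant = merchant_id  # first use binds the number
        elif rec.locked_merchant != merchant_id:
            return ("declined", f"locked to merchant {rec.locked_merchant}")
        rec.charges.append((merchant_id, amount_cents))
        return ("approved", rec.real_account)


def two_merchant_scenario() -> list:
    """Constructed replay of the comment's case: one vendor, two merchant IDs."""
    svc = VirtualCardService()
    vnum = svc.issue("ACCT-0001")  # constructed account label
    return [
        svc.authorize(vnum, "MID-AIRFARE", 41900)[0],    # binds the number
        svc.authorize(vnum, "MID-AIRFARE", 2500)[0],     # same merchant: approved
        svc.authorize(vnum, "MID-SERVICEFEE", 1500)[0],  # second merchant ID: declined
    ]


if __name__ == "__main__":
    print(two_merchant_scenario())
```

The decline on the third call is the intended behaviour, not a bug: the lock trades convenience for containment, so a number lifted from one merchant is worthless at any other, and a vendor that splits a purchase across merchant IDs has to be handled by issuing it a separate number.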

Negative incentives, disclosure, and consumer protection

That was an excellent program today.

I was on a PCI panel at SecureWorld Boston just this week, and unsurprisingly many of these issues came up among us panelists and from attendee questions. Two key ones were left only lightly addressed on the show today:

First, why doesn't the payment card industry (PCI) typically tell you the name of the store at which your card was compromised? Well, the answer is several-fold. The banks already limit the consumer's exposure because banks want to ensure consumers feel safe using the cards, so there isn't much additional benefit to disclosing the compromised store name. Sometimes the banks catch the compromises early through the use of software designed to notice suspicious activity, and they don't know where the card data was stolen. Critically, the banks and card service companies want stores to report issues as soon as possible, and the stores would have a strong negative incentive if they knew that informing the card services company meant instant public disclosure. The technical PCI standards that stores must meet are designed to reduce the risk to the member banks at the lowest possible cost to the banks - after all, they are engaged in the business of managing fiscal risk. Finally, the type of information covered by data breach/privacy laws (personally-identifiable/identification data) typically isn't considered to include credit/debit cards, because those numbers are readily changed and consumers' exposure is limited by law and by their card contracts.

Second, what happened at Hannaford? Avi sagely pointed out that there is no telling quite what happened without more detail, and that compromise of end-point hosts where the card data is processed (and is therefore in an unencrypted form) is most likely. But note that the Boston Globe reported that Hannaford's senior counsel disclosed to the MA Attorney General's office this week that a server at each Hannaford Bros. store had software installed to capture and send off card information. The full story on that is here: http://www.boston.com/news/local/articles/2008/03/28/advanced_tactic_tar...

That revelation raises the real question, which isn't "why didn't being PCI certified make Hannaford immune to attack," but "how did almost 300 compromised systems go unnoticed for months?" The answer could point back to the system's maker, to Hannaford processes, to an insider knowing how to hide the software, to the evolving sophistication of international organized crime, to an insufficient PCI audit, or to the PCI standards simply falling short by not requiring systems change monitoring.
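The systems change monitoring the comment above says the standard did not require, as an added example that is not part of the original page and is not Hannaford's, a vendor's or the PCI Council's code: hash every file under a directory into a baseline, then report what was added, modified or removed since. The directory layout, file names and "injected" contents are constructed for the demo.

```python
"""Host change monitoring with a hash baseline (added example). Walks a
directory, records a SHA-256 per file, and diffs a later walk against that
baseline: the kind of check that flags an unexpected binary dropped onto
a store server, whatever the malware is called.
"""
import hashlib
import os
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root: Path) -> dict:
    """Map of root-relative path -> SHA-256 for every regular file under root."""
    baseline = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            p = Path(dirpath) / name
            rel = str(p.relative_to(root)).replace(os.sep, "/")
            baseline[rel] = sha256_file(p)
    return baseline


def compare(baseline: dict, current: dict) -> dict:
    """Files present now but not in the baseline, gone, or with a changed hash."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    modified = sorted(p for p in baseline.keys() & current.keys() if baseline[p] != current[p])
    return {"added": added, "removed": removed, "modified": modified}


def demo() -> dict:
    """Constructed scenario: baseline a toy store server, then tamper with it."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "bin").mkdir()
        (root / "bin" / "pos.exe").write_bytes(b"legit point-of-sale binary")
        (root / "bin" / "helper.dll").write_bytes(b"legit helper")
        (root / "config.ini").write_text("store=42\n")
        baseline = build_baseline(root)

        # Simulated compromise: patched binary, dropped capture module, removed file.
        (root / "bin" / "pos.exe").write_bytes(b"legit point-of-sale binary + injected hook")
        (root / "bin" / "capture.dll").write_bytes(b"card-capturing dropper (constructed)")
        (root / "bin" / "helper.dll").unlink()
        return compare(baseline, build_baseline(root))


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(kind, paths)
```

Two caveats a practitioner would add. The baseline has to live off the monitored host, or be signed with a key the host does not hold, because an attacker who can drop a capture module can rewrite a local baseline just as easily. And a user-space hash walk sees only what the kernel shows it, so it does not catch a rootkit that hides its files; in production this sits alongside a file-integrity agent and a change-ticket process so that expected changes are reconciled and only the unexplained ones page someone.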
