Network World

Hannaford may not have to pay banks' breach costs under PCI

By Jaikumar Vijayan , Computerworld , 03/27/2008

If supermarket chain Hannaford Bros. was compliant with the Payment Card Industry (PCI) Data Security Standard at the time it was breached, banks and credit unions will have a hard time getting it to pay their breach-related costs, according to a Gartner analyst.

PCI standards refer to a set of 12 broad security controls that all entities accepting payment card transactions are required to follow. The standards are mandated by Visa, MasterCard and other major credit card brands and provide for hefty fines against companies that fail to implement the mandated controls and then suffer a breach. The PCI requirements went into effect about two years ago, though many companies are still not fully compliant.

Scarborough, Maine-based Hannaford has said it was PCI compliant at the time it was breached. It disclosed on March 17 that unknown intruders had broken into its computer networks and stolen credit and debit card information on 4.2 million customers. The company said the theft appears to have happened during the transaction-authorization stage, which occurs after a payment card has been swiped at a register. The stolen information includes card numbers and expiration dates.

Hannaford spokeswoman Carol Eleazer Thursday said the company was certified as being compliant with PCI as recently as this February. Hannaford had been similarly certified last year, as well, Eleazer said.

If true, Hannaford has a safe harbor under PCI, and will not be required to reimburse banks and credit unions for any breach-related costs they may incur, according to information Gartner analyst Avivah Litan said she has previously received from Visa. Typically under PCI rules, if a company is non-compliant at the time of a breach, it faces two potential costs: fines from the payment card companies and reimbursements of breach-related costs sustained by card-issuing banks and credit unions. Those costs can include payment of fraud losses resulting from the use of compromised payment card data as well as breach notification and the costs associated with reissuing cards.

The fines and the reimbursement costs are not collected directly from the breached entity but through the "acquiring bank" that authorizes a company such as Hannaford to accept payment card transactions. Under PCI rules, it is these acquiring banks that are directly responsible for ensuring that their merchants are PCI compliant.

In Hannaford's case, while its acquiring bank may still get hit with a fine, "the buck stops there," Litan said. "Under the guidance Visa gave me, the acquiring bank wouldn't be able to take it back to the retailer," she said.

The issue of costs associated with breaches is becoming an increasingly prickly one in the payment card industry. Credit unions and smaller banks, in particular, have been fretting for some time now over the costs they have had to bear because of retail data compromises. In the past, they have said such costs can be as high as US$20 to $30 for each card they replace after a data compromise.

After the massive data compromise disclosed by TJX Companies Inc. in January 2007, several credit union leagues lobbied state governments to pass laws that would hold retailers directly responsible for breach-related costs. Only Montana has passed such a law so far.

Visa did not respond to a request for comment on whether Hannaford's PCI compliance gives it safe harbor. Instead, a spokesman sent a generic statement on the Hannaford breach. The company said it is in the process of alerting card issuers about compromised accounts so they can reissue cards if need be.

"Additionally, Visa is monitoring for any related fraud on a real-time basis using our advanced technology and will continue to assist law enforcement in its efforts to find those responsible for this crime," Visa said. "It's essential that every business that handles payment card information adhere to the highest data protection standards to protect the security and privacy of their customers' financial information."

While Hannaford's compliance may give it some immunity under the PCI standard, the company could still face lawsuits from consumers and banks. Indeed, at least two such lawsuits have already been filed charging the company with negligence and breach of trust. One of the class action lawsuits was filed last week by Philadelphia-based law firm Berger & Montague in U.S. District Court in Maine. A similar suit was filed by Bangor, Maine-based attorney Samuel Lanham Jr. on behalf of Hannaford customers in all of the states where the grocer does business.