Hannaford CIO: We Need To Spend Millions, Go Well Beyond PCI
Written by Evan SchumanApril 25th, 2008
Hannaford CIO Bill Homa, overseeing a data breach probe that exposed some 4.2 million payment cards, said this week that his grocery chain needs to go well beyond PCI to try and be secure, an effort he predicted would cost his department millions of dollars "but not tens of millions."
Homa called a news conference to detail some of those planned security improvements, including Triple DES PIN encryption ("customer card information is now encrypted from the PINpad at the store register and remains encrypted while it's in our own internal network"), host and network intrusion prevention systems ("to proactively prevent malware from being installed in our systems") and better payment segmentation.
This Story Is Only Available For Premium Subscribers. Click Or Login In Below To Read The Rest Of This Story.
Already a Subscriber? Login Here
4 Comments | Read Hannaford CIO: We Need To Spend Millions, Go Well Beyond PCI
Leave a Reply
Readers, specifically those who want to comment on a story:
Our Comment SPAM system is getting very aggressive these days and has been blocking legitimate comments. If you post a comment and don't see it appear within 2 hours or so, can you please send a heads-up to customer-service@storefrontbacktalk? Ideally, please include the time you posted the comment. That will allow us to try and hunt for it. Thanks! P.S. We're working on fixing the system, but we don't want to lose any valuable comments in the meantime.
Our Comment SPAM system is getting very aggressive these days and has been blocking legitimate comments. If you post a comment and don't see it appear within 2 hours or so, can you please send a heads-up to customer-service@storefrontbacktalk? Ideally, please include the time you posted the comment. That will allow us to try and hunt for it. Thanks! P.S. We're working on fixing the system, but we don't want to lose any valuable comments in the meantime.
-Ed
April 25th, 2008 at 6:57 am
Excellent article. More details than I’ve seen anywhere else on Hannaford.
April 25th, 2008 at 7:54 am
Talk about jumping off the deep end. While I applaud Mr. Homa’s reaction to what is, clearly, a major security breach, I don’t see why he is installing “military” grade security. His answer is to simply “remove” the sensitive payment card data from his system. If you eliminate the data, you eliminate the risk. Replace the data with something that still offers his stores with valuable information, but is not “actual” card data. There are a couple companies out there that offer data replacement technology. My guess is that they are significantly less expensive and more secure than the thickest walls Mr. Homa can build around his data. If I were on Mr. Homa’s Board of Directors, I would be upset to learn that there was a better solution available – for far less money.
April 25th, 2008 at 9:53 am
Very informative article. One item that stood out was that Hannaford is “replacing equipment that is perfectly good†because they lack the security requirements.
This is a problem faced by many retailers. They believe, or have been led to believe, that they need to replace existing equipment with very expensive new equipment to gain security requirements. Not only is this not true but it comes with a high price tag and also requires retraining staff and managing compatibility issues, as well as other issues.
It is possible to keep perfectly good equipment in place and add security software for a fraction of the cost.
Hopefully, retailers will begin to realize this and not feel they are required to replace existing, perfectly good equipment.
August 7th, 2008 at 9:45 pm
This is a classic example of a client in denial, someone refusing to look and consider the facts. They were just simply trying to get by with the minimum effort.
Too bad for their employees, the pig-headedness of the IT management will continue to cost them millions upon millions.
Shame on this company.