So What? Does the Hannaford breach infer PCI is a waste?

This question has been on my mind for a few weeks, and I wanted to stir the pot a bit.

Hannaford was PCI compliant at the time of the breach, so what does this really mean?

Should a company spend millions up front, when it was documented that even though they were compliant, they had to spend millions more after the fact?

What does that say about the standard itself?

What fines are going to be handed out? Is proving PCI Compliance the 'Get out of Jail Free' card and so no fines will be doled out?

If I am a company, and have followed this one, why spend the money on getting PCI compliant when it appears that even if I am, the only downside is no fines. And if the fines are less than the remediation PLUS the compliance process, what's the value to me as a business of getting compliant, vs taking out an insurance policy for $300/record at risk?

Thoughts?

pcistuff @ gmail.com

Ouch - Mastercard and TJX to Settle

I just read this article from the Boston Globe where they are reporting a $24M settlement between Mastercard and TJX. Ouch!



Framingham retailer TJX Cos. reached a settlement with MasterCard Inc. in which it will pay up to $24 million to banks and other institutions to cover fraud losses stemming from a massive data breach disclosed last year.

TJX, parent of discount retain chains including TJ Maxx and Marshalls, struck a similar deal with rival card network Visa in which it agreed to pay up to $40.9 million. As in that deal, TJX said the costs of its MasterCard settlement are included in the $256 million the company has set aside to pay for computer work and other costs associated with the breach.

TJX said the MasterCard settlement will be valid only if accepted by banks that issued 90 percent of the cards with fraud claims following the breach, which affected as many as 100 million card numbers, a record. In exchange banks would agree not to sue TJX or institutions that processed the charges at its stores.

The deal helps TJX wind down the episode, though it still faces court claims and just last week was criticized by the Federal Trade Commission over past security practices.

In a statement, TJX chief executive Carol Meyrowitz said: “We believe this settlement agreement provides a fair resolution for MasterCard and its issuing banks and look forward to a high level of issuer acceptance. Providing a secure shopping environment for our customers remains a priority for TJX. Beyond the many millions of dollars we have spent to add significant security to our computer system, we are installing security measures which exceed those of many other retailers and current industry requirements.”
(By Ross Kerber, Globe staff)

Hannaford you f-ing boneheads!

So this one hits close to home for me since I frequent Hannaford Brothers 2-3 times per week. It also hits even further close to home because I have contacted their CIO, CFO, and several folks in their IT group offering help for the past two years.

Why?

It is in my best interest to protect my information with the companies I do business with and especially those companies in my backyard.

Mr. Ron Hodge here is my list of people that I have contacted in the past two years to prevent this from happening. I will also tell you that this whole issue could have been prevented for under $200,000:

Bill Homa - CIO
Jeff Reeder - CFO
Kevin Carleton - Director of Retail Operations
Tricia Gilbert - IS Auditor
John McFarland - Enterprise Systems Team Lead

Add to this list past folks who either had the sense to leave before the sh*t hit the fan, or to bail before they were held accountable by some loudmouth like me:

Paul Fritzson - CFO
David Fournier - IT Security Specialist

If anyone from Hannaford Brothers reads this, please get back to me. I am still in a position to help, and I will wait for the phone call from Lifelock to see if the 1800 cases of fraud will include me soon.

identitystuff@gmail.com

Buzzword a.k.a. Bullsh*t Bingo

I have been a recipient of some very creative e-spin lately. What is E Spin?

It's another form of how many new buzzwords can I jam into an email to see if someone is interested in something I have. The latest one was keying in on compliance and virtualization. What is it about a virtual machine and access to it that requires a new way to audit it? It still has an OS and if you're in a SAS-70 physically secured facility then you won't have undocumented acceess to the physical blades/instances anyway.

Some other cool buzzword E spin ideas:

How Green is your Virtual Compliance project?
How carbon neutral is PCI Compliance?
Haven't you virtualized your green compliance initiative?

What are your E-spins?

NRF Show - See You There!!!

I will be headed to Manhattan this weekend to attend the NRF show at the Javits Center in NYC. I will be in booth #1475 talking about things PCI. Please stop by when/if you can. I always enjoy meeting folks who read my PCIStuff Blog, My Identitystuff blog or my virtualizationstuff blog.

Teeth or Gums? Which is Which for the Consumer?

I just read this article in the Boston Globe this morning, and a smirk crossed my mind in that it proves a widely held theory I share with my friends in this space that Identity Theft and a massive breach is simply the cost of doing business. Unbeleiveable. Or is It?

With services out there like Lifelock and the fact that the company who f'ed up covering the cost of monitoring, what's $100/year for their services or free for monitoring. You'll save at least that much shopping at TJX companies or the mom and pop shop with no overhead, and no security in place... Right?

http://www.boston.com/business/articles/2007/12/21/for_tjx_a_store_of_consumer_loyalty/

Consumers don't stay angry in the face of a good deal.

That's a lesson emerging from the data breach at TJX Cos., the Framingham retailer that a year ago discovered an intrusion into its computer security that compromised as many as 100 million payment-card accounts. While the episode led to lawsuits from banks and many complaints, sales at TJX stores such as TJ Maxx and Marshalls have risen steadily this year.

Customers like Florida businesswoman Hanna Lipman help explain why. In April, Visa canceled one of Lipman's credit cards, saying it was compromised in the breach. By then, she had stopped going to the TJ Maxx store in Boca Raton.

But now, Lipman said, she is back to spending about $100 a month at the store, on pocketbooks and other items. She expects TJX will be extra-cautious about protecting her information.

"They got nailed from so many banks, I have to believe whatever can be done they have done," Lipman said.

Another customer whose card was canceled, Phil Dunkelberger, said he still shops at a TJ Maxx store in California, but pays by cash or check to reduce his risk of data theft. "I think they're much safer than other vendors who haven't had a breach and gone through the pain," he said.

My New Blog Launched

I have decided to start a third blog to cover yet another hot topic in IT - Virtualization, over at my new Blog - Virtualization Stuff.

Enjoy!