Sunday, March 30, 2008

Plaintext PCI Compliance

One of the main flaws of PCI-DSS compliance requirement #4 is that it allows for plaintext transmission of credit card information within private networks. The most recent mass-credit-card heist involves my favorite east coast grocer, Hannaford. Hannaford passed a PCI audit. Even more interesting, Hannaford passed their PCI audit on Feb. 27, 2008 - 2 months after they were breached - and 3 weeks before public disclosure! Just how did this happen?

"But in Hannaford's case, the intruders were able to intercept the data at a point where it obviously was unencrypted"

- Heather Paquette, Hannaford Manager Midwest Information Risk Management

"At the time of this potential exposure, Hannaford was certified to be in compliance with the highest security standards required by the credit card industry."

- Ronald C. Hodge, Hannaford's CEO

Anytime you transmit or store credit card information, do so using industry-standard strong encryption.

This seems like a no-brainer. We should have learned this lesson in InfoSec 101!
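As an added illustration, not part of the original post and not anything Hannaford ran, the following Go program shows what "industry-standard strong encryption" of a card number looks like when it is applied before the number leaves a terminal or is written to disk: AES-256-GCM, a fresh random nonce per record, and the terminal id bound in as associated data so a record captured from one lane is rejected if replayed as another. The in-process key generation, the terminal id and the test PAN 4111111111111111 are constructed for the example; in production the key comes from a key-management system, never from the application itself.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/base64"
	"errors"
	"fmt"
	"strings"
)

// keyLen of 32 bytes selects AES-256.
const keyLen = 32

// NewKey generates a random data-encryption key. This is for the demonstration
// only; a real deployment obtains the key from a key-management system.
func NewKey() ([]byte, error) {
	key := make([]byte, keyLen)
	if _, err := rand.Read(key); err != nil {
		return nil, err
	}
	return key, nil
}

func newGCM(key []byte) (cipher.AEAD, error) {
	if len(key) != keyLen {
		return nil, errors.New("key must be 32 bytes (AES-256)")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// EncryptPAN seals a primary account number with AES-256-GCM and returns
// base64(nonce || ciphertext || tag). The terminal id is authenticated as
// associated data: it is not secret, but it cannot be swapped without
// invalidating the tag.
func EncryptPAN(key []byte, pan, terminalID string) (string, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return "", err
	}
	nonce := make([]byte, gcm.NonceSize()) // 12 bytes, never reused with this key
	if _, err := rand.Read(nonce); err != nil {
		return "", err
	}
	sealed := gcm.Seal(nonce, nonce, []byte(pan), []byte(terminalID))
	return base64.StdEncoding.EncodeToString(sealed), nil
}

// DecryptPAN opens a record produced by EncryptPAN. Any modification of the
// ciphertext, a wrong key, or a different terminal id makes GCM reject it.
func DecryptPAN(key []byte, encoded, terminalID string) (string, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return "", err
	}
	raw, err := base64.StdEncoding.DecodeString(encoded)
	if err != nil {
		return "", err
	}
	if len(raw) < gcm.NonceSize()+gcm.Overhead() {
		return "", errors.New("record too short")
	}
	nonce, ct := raw[:gcm.NonceSize()], raw[gcm.NonceSize():]
	pt, err := gcm.Open(nil, nonce, ct, []byte(terminalID))
	if err != nil {
		return "", errors.New("record rejected: tampered, wrong key, or wrong terminal")
	}
	return string(pt), nil
}

// MaskPAN is the display form (first six and last four digits) used wherever
// the full number is not needed, e.g. receipts and operator screens.
func MaskPAN(pan string) string {
	if len(pan) < 10 {
		return strings.Repeat("*", len(pan))
	}
	return pan[:6] + strings.Repeat("*", len(pan)-10) + pan[len(pan)-4:]
}

func main() {
	key, _ := NewKey()
	pan := "4111111111111111" // constructed test number, not a real card
	record, err := EncryptPAN(key, pan, "lane-07")
	if err != nil {
		panic(err)
	}
	fmt.Println("on the wire / on disk:", record)
	fmt.Println("for display:          ", MaskPAN(pan))
	if _, err := DecryptPAN(key, record, "lane-08"); err != nil {
		fmt.Println("replay from another lane:", err)
	}
}
```

Sealing the PAN this way means a capture on the store LAN or a copied database row yields only ciphertext; the operational check that follows from the post is that every hop between the card reader and the processor does the same, since one plaintext segment is enough.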
